
We need to be PCI compliant. The PCI user VLAN connects to the Internet via a proxy, but I need confirmation about the location of the proxy.

PCI user traffic flow:

PC ==> ASA FW ==> IPS (integrated firewall) ==> proxy ==> Internet.

Is this correct? Can the traffic flow directly from the proxy to the Internet, or do we need to have it like below?

PC ==> ASA FW ==> IPS ==> proxy ==> firewall ==> Internet
Vilican
PCIrs

1 Answer

The perimeter protection for your environment will likely be your firewall, so that'll be the first line of defence against the outside untrusted world. Your user network will likely be in a separate VLAN to the proxy server. This VLAN separation will likely be performed by a switch or a firewall. Your proxy server may be a server or an appliance.

I'd see the setup as follows:

PC => proxy => firewall => internet

AndyMac
  • Thanks for your answers. Actually we use Fortigate as our proxy, which has an inbuilt FW. So in that case is it OK to have it like below? PC => FW+IPS => Proxy Fortigate => Internet. Is it secure/PCI compliant? Please advise – PCIrs Mar 17 '15 at 04:01
  • Whether or not it's compliant depends on how you've implemented it. So long as you've hardened the device, are maintaining it with updates and signatures, have appropriate role-based access control, logging, NTP etc., there's no reason it shouldn't satisfy PCI requirements. – AndyMac Mar 17 '15 at 20:43
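The following is an added illustration and not code from the question or from AndyMac's answer. It models the egress policy implied by the recommended layout (PC => proxy => firewall => internet) as a first-match, default-deny rule base: the PCI user VLAN may reach only the proxy port, and only the proxy may leave for the Internet. This is the check a reviewer would run against a segmentation design, namely that no flow from the cardholder VLAN bypasses the proxy and that the proxy's egress rule cannot be reused to reach internal segments. All addresses, ports and the rule order are constructed assumptions.

```python
"""Egress-policy model for a proxied PCI user segment.

Added example (not from the original thread). Subnets, ports and rules below
are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Union

# Constructed sample addressing (assumption, not from the post).
USER_VLAN = ipaddress.ip_network("10.10.0.0/24")   # PCI user PCs
PROXY_HOST = ipaddress.ip_network("10.20.0.5/32")  # the proxy, own VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")
INTERNET = "internet"                              # any non-private address
PROXY_PORT = 3128                                  # assumed proxy listener


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: Union[ipaddress.IPv4Network, str]  # network or the INTERNET marker
    dports: FrozenSet[int]                  # empty set = any port
    action: str                             # "allow" or "deny"


def _dst_matches(rule_dst, addr) -> bool:
    """INTERNET matches only globally routable (non-private) addresses,
    so an egress rule never doubles as permission to reach other VLANs."""
    if rule_dst == INTERNET:
        return not addr.is_private
    return addr in rule_dst


# First-match rule base with explicit default deny, as a perimeter firewall
# between the proxy segment and the Internet would be written.
RULES = [
    Rule(USER_VLAN, PROXY_HOST, frozenset({PROXY_PORT}), "allow"),
    Rule(USER_VLAN, ANY, frozenset(), "deny"),            # no direct egress
    Rule(PROXY_HOST, INTERNET, frozenset({80, 443}), "allow"),
    Rule(ANY, ANY, frozenset(), "deny"),                  # default deny
]


def match_index(src: str, dst: str, dport: int, rules=RULES) -> int:
    """Return the index of the first rule matching the flow, or -1."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for i, r in enumerate(rules):
        if s in r.src and _dst_matches(r.dst, d) and (
            not r.dports or dport in r.dports
        ):
            return i
    return -1


def is_allowed(src: str, dst: str, dport: int, rules=RULES) -> bool:
    """Evaluate a flow; anything that falls off the end is denied."""
    i = match_index(src, dst, dport, rules)
    return i >= 0 and rules[i].action == "allow"


def bypass_attempts(rules=RULES):
    """Constructed flows a segmentation review would try; returns verdicts."""
    flows = {
        "pc_to_proxy":       ("10.10.0.7", "10.20.0.5", PROXY_PORT),
        "pc_direct_https":   ("10.10.0.7", "93.184.216.34", 443),
        "proxy_to_internet": ("10.20.0.5", "93.184.216.34", 443),
        "proxy_to_pci_vlan": ("10.20.0.5", "10.10.0.7", 443),
        "inbound_to_pc":     ("203.0.113.9", "10.10.0.7", 445),
    }
    return {name: is_allowed(*f, rules=rules) for name, f in flows.items()}


if __name__ == "__main__":
    for name, verdict in bypass_attempts().items():
        print(f"{name:18s} {'ALLOW' if verdict else 'DENY'}")
```

Only `pc_to_proxy` and `proxy_to_internet` should come back allowed; if a design change makes `pc_direct_https` or `proxy_to_pci_vlan` pass, the proxy has become bypassable or the egress rule has become a lateral path, which is exactly what a PCI segmentation review looks for.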