| Testing Procedure | How Sheriff CSM Delivers | Sheriff CSM Instructions | Sheriff CSM Documentation* |
|---|---|---|---|
| 1.1.1.c Identify a sample of actual changes made to firewall and router configurations, compare to the change records, and interview responsible personnel to verify the changes were approved and tested. | Sheriff CSM has built-in reports to assist in identifying changes made to router and firewall configurations for use in validating that changes were approved and tested. | Enable the plugin for your firewall/router devices, and enable forwarding of the syslog events from the firewall/router. | Enable Plugins |
| | | Run the existing “Firewall Configuration Change” PCI report to show changes made to the firewall. | How to Run Reports |
| | | Additionally, you can enable instant alerting of suspected device configuration changes by creating a directive to Alert on occurrences of the configuration-change events. | Tutorial: Create a New Directive to Detect DoS Attack |
| 1.1.6.b Identify insecure services, protocols, and ports allowed; and verify that security features are documented for each service. | Sheriff CSM provides NetFlow collection, which assists in identifying insecure services, protocols and ports that are allowed. | NIDS in Sheriff CSM allows for reporting of suspicious or potentially insecure protocols through events. | Sheriff NIDS |
| | | Create a directive to Alert on occurrences of such NIDS events, which may detect possible misconfiguration or traffic that is not authorized. | Tutorial: Create a New Directive to Detect DoS Attack |
| 1.3.2 Examine firewall and router configurations to verify that inbound Internet traffic is limited to IP addresses within the DMZ. | Sheriff CSM provides NetFlow collection, which assists in identifying traffic sources and destinations to help ensure that inbound internet traffic is limited to IP addresses within the DMZ. | Configure a directive to Alert on any activity from non-authorized networks to the DMZ, which allows for immediate alerting of suspicious traffic from any data source. | Correlation Directives |
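The three rows above describe two kinds of evidence: configuration-change events matched against change records (1.1.1.c), and flow records checked against the documented services and the DMZ address ranges (1.1.6.b and 1.3.2). The following Python script is an added example, not Sheriff CSM code or documentation, that shows the decision logic behind those checks on constructed data. The syslog line format, the `CHANGE_RECORDS` register, the network ranges, the permitted and insecure service lists and every flow record are assumptions made up for the example; a real deployment would take them from the device plugin, the change-management system and the network documentation.

```python
"""Added example (not Sheriff CSM code): two PCI DSS evidence checks on constructed data.

1.1.1.c          match firewall/router configuration-change events against the
                 change-record register and flag changes with no approved, tested record.
1.1.6.b / 1.3.2  evaluate NetFlow-style records against the permitted inbound services
                 and the DMZ ranges; flag insecure services and inbound Internet traffic
                 that terminates outside the DMZ.
"""
import ipaddress
import re

# --- 1.1.1.c: configuration changes vs. change records -----------------------

# Constructed syslog lines in a generic "CONFIG_CHANGE" shape (assumed format).
CONFIG_CHANGE_LOGS = [
    "2024-03-01T10:15:00Z fw-edge-01 CONFIG_CHANGE user=alice change=CHG-1042 cmd='access-list outside_in permit tcp any host 10.0.1.5 eq 443'",
    "2024-03-01T11:02:00Z fw-edge-01 CONFIG_CHANGE user=bob change=CHG-1043 cmd='access-list outside_in permit tcp any any eq 23'",
    "2024-03-02T09:30:00Z rtr-core-01 CONFIG_CHANGE user=carol change=NONE cmd='no ip access-list extended BLOCK_INBOUND'",
]

# Constructed change-record register, as a change-management system might export it.
CHANGE_RECORDS = {
    "CHG-1042": {"approved": True, "tested": True},
    "CHG-1043": {"approved": True, "tested": False},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) CONFIG_CHANGE user=(?P<user>\S+) "
    r"change=(?P<change>\S+) cmd='(?P<cmd>[^']*)'$"
)


def parse_change_event(line):
    """Parse one constructed CONFIG_CHANGE line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def audit_config_changes(lines, records):
    """Return (host, change id, reason) for each change event lacking an approved and tested record."""
    findings = []
    for line in lines:
        ev = parse_change_event(line)
        if ev is None:
            continue
        rec = records.get(ev["change"])
        if rec is None:
            findings.append((ev["host"], ev["change"], "no change record"))
        elif not rec["approved"]:
            findings.append((ev["host"], ev["change"], "change not approved"))
        elif not rec["tested"]:
            findings.append((ev["host"], ev["change"], "change not tested"))
    return findings


# --- 1.1.6.b / 1.3.2: flow records vs. permitted services and the DMZ --------

DMZ_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]      # constructed (TEST-NET-3)
INTERNAL_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]     # constructed
PERMITTED_INBOUND = {443: "https", 25: "smtp"}               # assumed documented services
INSECURE_SERVICES = {21: "ftp", 23: "telnet", 69: "tftp", 80: "http", 161: "snmp v1/v2c"}

# Constructed flow records: (src, dst, dst_port, proto).
FLOWS = [
    ("198.51.100.7", "203.0.113.10", 443, "tcp"),  # Internet -> DMZ https: permitted
    ("198.51.100.7", "203.0.113.10", 23, "tcp"),   # Internet -> DMZ telnet: insecure service
    ("198.51.100.9", "10.0.1.5", 443, "tcp"),      # Internet -> internal host, bypassing the DMZ
    ("10.0.1.5", "203.0.113.10", 22, "tcp"),       # internal -> DMZ: not inbound Internet traffic
]


def _in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def classify_flow(src, dst, dport, proto):
    """Return the findings for one flow record; only flows sourced from the Internet are assessed."""
    findings = []
    if _in_any(src, DMZ_NETWORKS + INTERNAL_NETWORKS):
        return findings
    if not _in_any(dst, DMZ_NETWORKS):
        findings.append("1.3.2: inbound Internet traffic to non-DMZ address %s" % dst)
    if dport in INSECURE_SERVICES:
        findings.append("1.1.6.b: insecure service %s/%d allowed inbound" % (INSECURE_SERVICES[dport], dport))
    elif dport not in PERMITTED_INBOUND:
        findings.append("1.1.6.b: undocumented inbound service %s/%d" % (proto, dport))
    return findings


def audit_flows(flows):
    """Map flow index -> findings, keeping only flows that have something to report."""
    result = {}
    for i, flow in enumerate(flows):
        findings = classify_flow(*flow)
        if findings:
            result[i] = findings
    return result


if __name__ == "__main__":
    for host, change, reason in audit_config_changes(CONFIG_CHANGE_LOGS, CHANGE_RECORDS):
        print("1.1.1.c: %s change %s: %s" % (host, change, reason))
    for i, findings in audit_flows(FLOWS).items():
        print("flow %d %s: %s" % (i, FLOWS[i], "; ".join(findings)))
```

Both checks deliberately report, rather than block, because the testing procedures ask for evidence to review with the responsible personnel; the same conditions are what a correlation directive would alert on when fed the plugin's configuration-change events or NetFlow data.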