Check 6 of 24

Firewall Rules (Inferred)

We can't see your firewall config from outside, but we can reason about it. If a database port responds, your perimeter firewall is either absent or misconfigured. This check rolls those signals into a single PCI Requirement 1 verdict.

What this check probes

This check is a roll-up of Check 5 with a different lens. We separate ports into three buckets:

  • Expected public — 80 (HTTP), 443 (HTTPS). These should respond on a web server.
  • Conditional — 22 (SSH), 25/465/587 (mail), 53 (DNS). These have legitimate use cases but only on specific server roles. SSH from anywhere usually fails a PCI assessor's review.
  • Should never be public — databases, RDP, VNC, Memcached, Redis, MongoDB, Elasticsearch. A response here is a near-certain Requirement 1 finding.

If everything in the third bucket is closed and the second bucket only has services you'd expect, the check passes. The actual port-by-port detail is in Check 5.
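The three-bucket roll-up described above, written out as an added example (this is not the scanner's own code). The port numbers used for the "should never be public" services are those services' default listeners, which is an assumption about the target; which conditional ports a given server role may legitimately expose is supplied by the caller, and ports outside all three buckets are flagged for manual review without affecting the verdict (also an assumption, since the text does not cover them).

```python
"""Added example: infer a Requirement 1 pass/fail from which ports answered."""
from dataclasses import dataclass, field

# Bucket 1: expected to respond on any public web server.
EXPECTED_PUBLIC = {80: "HTTP", 443: "HTTPS"}

# Bucket 2: legitimate only on specific server roles.
CONDITIONAL = {22: "SSH", 25: "SMTP", 465: "SMTPS", 587: "Submission", 53: "DNS"}

# Bucket 3: a response from the internet is a near-certain finding.
# Assumption: the services listen on their default ports.
NEVER_PUBLIC = {
    1433: "MSSQL", 1521: "Oracle", 3306: "MySQL", 5432: "PostgreSQL",
    3389: "RDP", 5900: "VNC", 11211: "Memcached", 6379: "Redis",
    27017: "MongoDB", 9200: "Elasticsearch",
}


@dataclass
class Verdict:
    passed: bool
    findings: list = field(default_factory=list)   # bucket-3 hits
    warnings: list = field(default_factory=list)   # bucket-2 ports not justified by role
    unknown: list = field(default_factory=list)    # responding ports in no bucket


def infer_firewall_verdict(open_ports, allowed_conditional=()):
    """open_ports: TCP ports that answered a connect from the internet.
    allowed_conditional: conditional ports this server role legitimately
    exposes, e.g. {25, 587} for a mail relay."""
    v = Verdict(passed=True)
    for port in sorted(set(open_ports)):
        if port in EXPECTED_PUBLIC:
            continue
        if port in NEVER_PUBLIC:
            v.findings.append(
                f"{port}/tcp ({NEVER_PUBLIC[port]}) reachable from the internet")
        elif port in CONDITIONAL:
            if port not in allowed_conditional:
                v.warnings.append(
                    f"{port}/tcp ({CONDITIONAL[port]}) open but not justified by server role")
        else:
            # Assumption: unlisted ports need a human look but do not decide the verdict.
            v.unknown.append(f"{port}/tcp responds; not in any bucket, review manually")
    # Pass only if bucket 3 is silent and bucket 2 holds nothing unexpected.
    v.passed = not v.findings and not v.warnings
    return v


if __name__ == "__main__":
    # Constructed sample: a web server that also exposes SSH and Redis.
    web = infer_firewall_verdict([80, 443, 22, 6379])
    print("web server:", "PASS" if web.passed else "FAIL", web.findings, web.warnings)
    # Constructed sample: a mail relay whose role justifies 25 and 587.
    mail = infer_firewall_verdict([443, 25, 587], allowed_conditional={25, 587})
    print("mail relay:", "PASS" if mail.passed else "FAIL")
```

Run it directly to see both sample verdicts; the web-server case fails on the Redis port and carries a separate warning for SSH, while the mail relay passes because its conditional ports are justified by the role you pass in.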

Why this matters for PCI DSS

PCI DSS 4.0 Requirement 1 ("Install and maintain network security controls") is the longest section of the standard. The headline rules:

  • 1.2.1 — configuration standards exist and are reviewed every six months.
  • 1.3.1 — inbound traffic to the cardholder data environment is restricted to that which is necessary.
  • 1.4.1 — NSCs are implemented between trusted and untrusted networks.
  • 1.4.2 — inbound traffic from untrusted networks to trusted networks is restricted.
  • 1.4.4 — system components storing cardholder data are not directly accessible from untrusted networks.

The recurring theme: default deny, explicit allow, document everything.

How to fix it

Adopt a default-deny posture at every layer:

  • Cloud network ACLs / security groups — start with no inbound rules, add only the specific port and source CIDR you need.
  • Host firewall (ufw / iptables / Windows Firewall) — the same default-deny policy, acting as a second line of defense in case the cloud firewall is misconfigured.
  • Service binding — bind databases and admin services to 127.0.0.1 or a private subnet IP, never 0.0.0.0.
  • Bastion / VPN for admin — SSH, RDP, database admin GUIs reach the server through a single hardened jump host with MFA, never directly from a workstation.

Document the config — PCI requires a written rule justification. A simple table works: port, protocol, source, destination, business reason, owner, last reviewed. This is what an assessor will ask for.

Re-review every six months and after any architecture change.
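An added example (not part of this page or the scanner) that audits the written rule table described above against the default-deny, explicit-allow and six-month-review points. The column names, the sample rules, the bastion CIDR, the set of admin ports that must come only from the bastion, and 182 days as the "six months" threshold are all assumptions chosen for the example.

```python
"""Added example: audit a documented inbound rule table for PCI Requirement 1 hygiene."""
from datetime import date, timedelta
import ipaddress

REVIEW_INTERVAL = timedelta(days=182)                   # assumption: "six months"
PUBLIC_ALLOWED_PORTS = {80, 443}                        # only these may be open to 0.0.0.0/0
ADMIN_PORTS = {22, 3389}                                # must originate from the bastion only
BASTION_CIDR = ipaddress.ip_network("10.0.100.0/24")    # constructed example value
REQUIRED_FIELDS = ("port", "protocol", "source", "destination",
                   "business_reason", "owner", "last_reviewed")

# Constructed sample rule table, one row per documented inbound allow rule.
SAMPLE_RULES = [
    {"port": 443, "protocol": "tcp", "source": "0.0.0.0/0", "destination": "web-01",
     "business_reason": "customer checkout over TLS", "owner": "web-team",
     "last_reviewed": "2024-09-01"},
    {"port": 22, "protocol": "tcp", "source": "10.0.100.0/24", "destination": "web-01",
     "business_reason": "admin via bastion", "owner": "ops", "last_reviewed": "2024-09-01"},
    {"port": 5432, "protocol": "tcp", "source": "0.0.0.0/0", "destination": "db-01",
     "business_reason": "", "owner": "", "last_reviewed": "2023-01-15"},
    {"port": 3389, "protocol": "tcp", "source": "203.0.113.0/24", "destination": "win-01",
     "business_reason": "vendor support", "owner": "ops", "last_reviewed": "2024-09-01"},
]


def audit_rules(rules, today):
    """Return (row index, problem) tuples; an empty list means every row has a
    justification, a concrete source, admin access only via the bastion, and a
    review date within the interval."""
    problems = []
    for i, rule in enumerate(rules):
        missing = [f for f in REQUIRED_FIELDS if not rule.get(f)]
        if missing:
            problems.append((i, f"missing justification fields: {', '.join(missing)}"))
        try:
            src = ipaddress.ip_network(rule["source"], strict=False)
        except (KeyError, ValueError):
            problems.append((i, "source is not a valid CIDR"))
            continue
        port = rule.get("port")
        # Explicit allow: an internet-wide source is acceptable only for the web ports.
        if src.prefixlen == 0 and port not in PUBLIC_ALLOWED_PORTS:
            problems.append((i, f"port {port} allowed from the whole internet"))
        # Admin access must land on the jump host's network, never anywhere else.
        if port in ADMIN_PORTS and not (
                src.version == BASTION_CIDR.version and src.subnet_of(BASTION_CIDR)):
            problems.append((i, f"admin port {port} not restricted to bastion {BASTION_CIDR}"))
        try:
            reviewed = date.fromisoformat(rule["last_reviewed"])
            if today - reviewed > REVIEW_INTERVAL:
                problems.append((i, f"last reviewed {reviewed}, over six months ago"))
        except (KeyError, ValueError):
            pass  # an empty or absent date was already reported as a missing field
    return problems


def audit_sample(today_iso="2024-10-01"):
    """Audit the constructed table as of a fixed date so results are reproducible."""
    return audit_rules(SAMPLE_RULES, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for idx, problem in audit_sample():
        print(f"rule {idx} (port {SAMPLE_RULES[idx]['port']}): {problem}")
```

Against the sample table the audit reports four problems: the PostgreSQL row is undocumented, open to the whole internet and stale, and the RDP row allows a vendor range instead of the bastion network. Rows that pass produce no output, which is the shape an assessor wants to see for the whole table.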

Fixed it? Re-run the scan to confirm.
