Home page logo

basics logo Security Basics mailing list archives

RE: Firewalls and PCI
From: <Anthony_Cicalla () McAfee com>
Date: Tue, 18 Nov 2008 10:12:59 -0800

If you simply did proper input validation in your application you would be
able to make your systems secure without the web application firewall. We
certify people pci compliant that do not have web application firewalls all
of the time. Do a proper code review of your web application and make sure
all data even if it doesn't come from the end user is validated.  If you
have a product id number, don't accept anything accept 0-9 it's really that
simple. Sql injection is a vulnerability in the coding of your web
application fix the source of the problem instead of using a band aid
provided by some other company. If you need to know how to test your web
application go to www.owasp.com and look at their methodology. They even
show you examples of how to test for each vuln in their methodology.


Anthony Cicalla,


Research Scientist


McAfee, Inc.
535 Oakmead Pkwy
Sunnyvale, CA 94085

408.992.8300 Main
408.992.8441 Direct
408.720.8450 Fax
925-262-7565 Cell

Anthony_Cicalla () mcafee com


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jason Alexander
Sent: Wednesday, January 16, 2008 8:04 AM
To: David Glosser; security-basics () securityfocus com
Subject: RE: Firewalls and PCI

(PS - can anyone explain in english the difference between an  application
firewall and an IPS device?)

I'm actually trying to decipher the differences too. Most IPS devices now do
deep packet, layer seven inspection and do web centric prevention. The 2 web
issues that would cause you to fail PCI compliance would be sql injection
and XSS. These are normally well covered in most modern IPS solutions.
However, PCI 1.1 does refer to them individually. Also Juniper have a
http://www.juniper.net/solutions/literature/solutionbriefs/351278.pdf that
states that only their DX web accelerators would satisfy 6.6 on PCI and not
their IPS solutions.

Im still looking into it....

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of David Glosser
Sent: 16 January 2008 00:03
To: security-basics () securityfocus com
Subject: Re: Firewalls and PCI

I'll let others answer the firewall question, but here are other points to
ponder (I know a lot of this is outside of the area of network design,
apologies in advance if someone else is covering this)

- Don't forget about the backup or "management"
network. You can have lots of firewalls, but if the segments are connected
on the back-end for backups or management, then what's the point ;)
- Add Intrusion Protection (or at least detection) in your network design
- Add application firewalls to your design (which can be as simple as apache
with ModSecurity or a more
expensive appliance).   An application firewall may be
required anyway in the next major PCI
 compliance revision.
- Management of different devices can add overhead, but some people like a
"defense in depth" approach.
Consider a different model of firewall for your perimiter than the others.
Consider two different models of IDS/IPS devices. 
- Are you are required to do "encryption" of data at rest, as well as
encryption of backup tapes? 
- consider one of those unified log aggregators
- consider tripwire of an Host-IDS
- consider a 24x7 monitoring service. 
- Is there a data-breach plan in place in case the credit card info gets
- is someone running regular internal and external vulnerability scans?


 (PS - can anyone explain in english the difference between an  application
firewall and an IPS device?)

--- Josh Haft <pacmansyu () gmail com> wrote:

Hello all,

Please consider the following scenario with respect to a) PCI 
compliance, b) best practice, and c) your own personal 

Have been requested by a client to implement separate, physical 
firewalls between our various networks. Currently, we have one 
physical firewall with interfaces to a public network (after a quick 
pass through a router), a LAN, a DMZ, and another network which houses 
our database servers. These are all on separate networks, and run 
through separate physical switches.

The client wants another physical firewall between each subnet. The 
new configuration as I see it would have the 'main'
firewall NAT'ing
and passing traffic from the public network to the DMZ, and to two 
additional firewalls. Behind those firewalls would be a LAN and the 
separate 'database network', respectively.

In our ever-ending quest to bend over for every client, cost (within
reason) is not an issue, so disregard that aspect.
questions, and concerns as they relate to this issue would be greatly 


Attachment: smime.p7s

  By Date           By Thread  

Current thread:
  • RE: Firewalls and PCI Anthony_Cicalla (Nov 19)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]