Full Disclosure: Re: Sony: No firewall and no patches

["Dobbins, Roland" <rdobbins () arbor net>]

On May 10, 2011, at 1:40 PM, Tracy Reed wrote:

> If you have traffic going out to a high numbered port and you are not keeping state how do you know if that is a
> reply packet to an existing inbound connection or if it is an unauthorized outbound connection?

You use stateless ACLs to filter outbound traffic as well, only allowing traffic originating from required well-known 
ports to ephemeral high ports.  This is a basic network access policy Best Current Practice (BCP).  'Client-side' 
traffic originating from the server, such as DNS lookups and so forth, should be channeled through a completely 
different NIC on a completely different, isolated segment with proxies and so forth.  And all management access should 
take place via an OOB/DCN management network, on yet another NIC/segment.

And mod_security will pass PCI DSS audits just fine.

As PayPal's head of opsec was quoted recently, PCI DSS is too vague in many places, and is overly-specific in others.  
It should be re-factored to an outcomes-based model, IMHO.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/