Security Basics mailing list archives

RE: Firewalls and PCI


From: "Kevin Ortloff" <Kevin.Ortloff () j2global com>
Date: Fri, 18 Jan 2008 13:13:27 -0800

....And to go a small step further.... PCI compliance audits do not even
know how many firewalls you have or their location. All you need to prove
is that the firewall has multiple interfaces separating networks through
the use of access-groups and ACLs. They also require vulnerability
assessments performed quarterly and a list of authorized users of the
firewalls themselves.

Depending on your firewall (Cisco ASA and PIX 7.x are really good with
the use of access and object groups), once you set up multiple
access-groups on DIFFERENT interfaces, you effectively have multiple
firewalls. From there you only have to be concerned about failover and
CPU/memory load. ACLs and static routes (inside/outside/dmz, etc.) will
control access between the interfaces.

Another requirement is daily monitoring of an IDS. You should have one
of these. And lastly, card data needs to be encrypted: not necessarily
customer info, but the card numbers do.
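As an added illustration, not taken from any poster in this thread, here is a minimal Cisco ASA configuration of the kind described above: three interfaces, object groups naming the cardholder-data hosts, and a separate access-group bound to each interface so that only one corporate admin host can reach the card database port, while everything else headed into the card segment is denied and logged. All interface names, addresses, hosts and ports are made-up placeholders.

```cisco
! Placeholder addressing (RFC 5737 / RFC 1918); replace for a real deployment.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
interface GigabitEthernet0/2
 nameif cde
 security-level 50
 ip address 10.2.0.1 255.255.255.0
!
! Object groups keep the ACLs readable and make audits easier to walk through.
object-group network CDE_DB_SERVERS
 network-object host 10.2.0.10
object-group network CORP_ADMIN_HOSTS
 network-object host 10.1.0.50
object-group service CDE_DB_PORTS tcp
 port-object eq 1433
!
! Traffic entering from the corporate LAN: one admin host to the card DB only,
! everything else into the card segment is dropped and logged, rest is allowed.
access-list INSIDE_IN extended permit tcp object-group CORP_ADMIN_HOSTS object-group CDE_DB_SERVERS object-group CDE_DB_PORTS
access-list INSIDE_IN extended deny ip any 10.2.0.0 255.255.255.0 log
access-list INSIDE_IN extended permit ip any any
!
! Traffic originating inside the card segment: deny and log by default,
! so a compromised card host cannot initiate connections outward.
access-list CDE_IN extended deny ip any any log
!
! Binding a different ACL to each interface is what gives the
! "multiple firewalls in one box" effect.
access-group INSIDE_IN in interface inside
access-group CDE_IN in interface cde
!
! Ship the ACL denies to the log server the IDS/monitoring team watches.
logging enable
logging trap informational
logging host inside 10.1.0.20
```

The deny-with-log entries are what produce evidence for the daily monitoring requirement; `show access-list` hit counts on the same ACL lines give a quick check that the segmentation is actually being exercised.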



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Honer, Lance
Sent: Friday, January 18, 2008 8:22 AM
To: security-basics () securityfocus com
Subject: RE: Re: Firewalls and PCI


Well, PCI does not mandate or even suggest anything regarding network
segmentation. PCI says anything that could cause a card exposure must be
evaluated for compliance.

It's really up to the company in question to follow this thought process
to completion. When they do, they'll realize that if they limit the scope
of things in the environment that could lead to an exposure, fewer
things in the environment will need to be evaluated for compliance.

So in the context of network segmentation this means separating your
card data related systems from the non-card data related systems and
protecting access into the card data related systems.

Lance


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Josh Haft
Sent: Wednesday, January 16, 2008 5:35 PM
To: evilwon12 () yahoo com
Cc: security-basics () securityfocus com
Subject: Re: Re: Firewalls and PCI

So the question remains... how do PCI regulations directly affect the
segmenting of networks, if at all?



On 16 Jan 2008 19:58:44 -0000,  <evilwon12 () yahoo com> wrote:
The assumption of items being untrustworthy is good; however, it is a
bit overboard to state that a DHCP network is more untrustworthy than
one with purely static IP addresses.


If a bad guy has physical access to machines on, or access to, your PCI
network, nothing else matters.  The mission to protect data has failed.
This has nothing to do with DHCP, hard coding addresses to MAC addresses
or using 802.1x (although this is much better).  In places that I have
been, people have had to badge into the building, pass a security guard
with a picture badge, and then badge into the door to get into the area
with the PCI network (segmented from other corporate networks).


Segmenting out the network is a good thing if you are dealing with
PCI, if it is done properly.  The key with it is to properly segment it
while still ensuring business functionality.



