Security Basics mailing list archives
Re: Firewalls and PCI
From: David Glosser <david_glosser () yahoo com>
Date: Tue, 15 Jan 2008 16:02:54 -0800 (PST)
I'll let others answer the firewall question, but here are other points to ponder (I know a lot of this is outside of the area of network design, apologies in advance if someone else is covering this):

- Don't forget about the backup or "management" network. You can have lots of firewalls, but if the segments are connected on the back-end for backups or management, then what's the point ;)
- Add Intrusion Protection (or at least detection) in your network design.
- Add application firewalls to your design (which can be as simple as apache with ModSecurity or a more expensive appliance). An application firewall may be required anyway in the next major PCI compliance revision.
- Management of different devices can add overhead, but some people like a "defense in depth" approach. Consider a different model of firewall for your perimeter than the others. Consider two different models of IDS/IPS devices.
- Are you required to do "encryption" of data at rest, as well as encryption of backup tapes?
- Consider one of those unified log aggregators.
- Consider tripwire or a Host-IDS.
- Consider a 24x7 monitoring service.
- Is there a data-breach plan in place in case the credit card info gets out?
- Is someone running regular internal and external vulnerability scans?

DG

(PS - can anyone explain in English the difference between an application firewall and an IPS device?)

--- Josh Haft <pacmansyu () gmail com> wrote:
> Hello all,
>
> Please consider the following scenario with respect to a) PCI compliance, b) best practice, and c) your own personal experiences/implementations.
>
> Have been requested by a client to implement separate, physical firewalls between our various networks. Currently, we have one physical firewall with interfaces to a public network (after a quick pass through a router), a LAN, a DMZ, and another network which houses our database servers. These are all on separate networks, and run through separate physical switches.
>
> The client wants another physical firewall between each subnet. The new configuration as I see it would have the 'main' firewall NAT'ing and passing traffic from the public network to the DMZ, and to two additional firewalls. Behind those firewalls would be a LAN and the separate 'database network', respectively.
>
> In our ever-ending quest to bend over for every client, cost (within reason) is not an issue, so disregard that aspect.
>
> Comments, questions, and concerns as they relate to this issue would be greatly appreciated.
>
> Thanks!
> Josh
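The first point in the reply above (segments that look firewalled but are joined on the back end by a backup or management network) is easy to miss on a diagram and easy to check with a reachability walk. The following is an added example, not code from the thread or from either poster: it models Josh's proposed topology (main firewall, DMZ, a LAN behind its own firewall, a database segment behind its own firewall) as a graph, adds a constructed shared management network, and searches for any path between two segments that crosses no firewall. All node names and the topology are assumptions built for illustration.

```python
"""
Segmentation bypass check over a modelled network topology (constructed example).

Each node is a network segment or a firewall; edges are adjacencies.
A path between two segments that passes through no firewall node means
the firewalls can be bypassed, which is exactly the back-end backup or
management network problem raised in the thread.
"""
from collections import deque

# Constructed topology modelled on the thread's design, plus a shared
# management network ("mgmt") that touches DMZ, LAN and DB directly.
TOPOLOGY = {
    "public":  {"fw-main"},
    "fw-main": {"public", "dmz", "fw-lan", "fw-db"},
    "dmz":     {"fw-main", "mgmt"},
    "fw-lan":  {"fw-main", "lan"},
    "lan":     {"fw-lan", "mgmt"},
    "fw-db":   {"fw-main", "db"},
    "db":      {"fw-db", "mgmt"},
    "mgmt":    {"dmz", "lan", "db"},  # shared backup/management network
}
FIREWALLS = {"fw-main", "fw-lan", "fw-db"}
SEGMENTS = ["public", "dmz", "lan", "db"]


def find_bypass(topology, firewalls, src, dst):
    """Breadth-first search for a src->dst path that avoids every firewall.

    Returns the path as a list of node names, or None if every route
    between the two segments is forced through a firewall.
    """
    queue = deque([[src]])
    seen = {src}
    while queue:
        path = queue.popleft()
        node = path[-1]
        if node == dst:
            return path
        for nxt in sorted(topology.get(node, ())):
            # Firewall nodes are never traversed: we only want paths that
            # sidestep them entirely.
            if nxt in firewalls or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


def audit(topology, firewalls, segments):
    """Check every ordered pair of segments; map (src, dst) -> bypass path."""
    findings = {}
    for a in segments:
        for b in segments:
            if a == b:
                continue
            path = find_bypass(topology, firewalls, a, b)
            if path:
                findings[(a, b)] = path
    return findings


def remove_node(topology, name):
    """Return a copy of the topology with one node (and its edges) removed.

    Used here to model taking the shared management network out of the
    design (or putting it behind its own firewall).
    """
    return {n: {m for m in adj if m != name}
            for n, adj in topology.items() if n != name}


if __name__ == "__main__":
    for (a, b), path in sorted(audit(TOPOLOGY, FIREWALLS, SEGMENTS).items()):
        print(f"BYPASS {a} -> {b}: {' -> '.join(path)}")
    fixed = remove_node(TOPOLOGY, "mgmt")
    print("after isolating mgmt:", audit(fixed, FIREWALLS, SEGMENTS) or "no bypass paths")
```

Run as-is, the audit reports six firewall-free routes (every ordered pair among DMZ, LAN and DB via `mgmt`), while the public side still has no route that avoids `fw-main`; removing the shared management node leaves no bypass at all. The same walk works on a topology exported from real switch and firewall inventory, as long as every inter-segment adjacency, including out-of-band and backup links, is represented as an edge.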