Security Basics mailing list archives

Re: Firewalls and PCI


From: David Glosser <david_glosser () yahoo com>
Date: Tue, 15 Jan 2008 16:02:54 -0800 (PST)


I'll let others answer the firewall question, but here are other points to ponder (I know a lot of this is outside of the area of network design, apologies in advance if someone else is covering this).

- Don't forget about the backup or "management" network. You can have lots of firewalls, but if the segments are connected on the back-end for backups or management, then what's the point ;)
- Add Intrusion Protection (or at least detection) in your network design.
- Add application firewalls to your design (which can be as simple as apache with ModSecurity or a more expensive appliance). An application firewall may be required anyway in the next major PCI compliance revision.
- Management of different devices can add overhead, but some people like a "defense in depth" approach. Consider a different model of firewall for your perimeter than the others. Consider two different models of IDS/IPS devices.
- Are you required to do "encryption" of data at rest, as well as encryption of backup tapes?
- Consider one of those unified log aggregators.
- Consider tripwire or a Host-IDS.
- Consider a 24x7 monitoring service.
- Is there a data-breach plan in place in case the credit card info gets out?
- Is someone running regular internal and external vulnerability scans?

DG

(PS - can anyone explain in English the difference between an application firewall and an IPS device?)


--- Josh Haft <pacmansyu () gmail com> wrote:

Hello all,

Please consider the following scenario with respect to a) PCI compliance, b) best practice, and c) your own personal experiences/implementations.

Have been requested by a client to implement separate, physical firewalls between our various networks. Currently, we have one physical firewall with interfaces to a public network (after a quick pass through a router), a LAN, a DMZ, and another network which houses our database servers. These are all on separate networks, and run through separate physical switches.

The client wants another physical firewall between each subnet. The new configuration as I see it would have the 'main' firewall NAT'ing and passing traffic from the public network to the DMZ, and to two additional firewalls. Behind those firewalls would be a LAN and the separate 'database network', respectively.

In our ever-ending quest to bend over for every client, cost (within reason) is not an issue, so disregard that aspect. Comments, questions, and concerns as they relate to this issue would be greatly appreciated.

Thanks!
Josh
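The design Josh describes (main firewall NAT'ing public traffic to the DMZ, separate firewalls in front of the LAN and the database network) and David's first point (a flat backup/management network silently joining the segments) can both be checked with a small zone-reachability model. The following is an added example, not code from either poster; the zone names, rules and port numbers are constructed assumptions, and "any" marks an unfiltered rule.

```python
from collections import deque

# Allowed flows per firewall: (source zone, destination zone) -> set of TCP ports.
# Zones, rules and port numbers are constructed for this example; "any" marks an
# unfiltered rule, which is how a flat backup/management network behaves.
SEGMENTED = {
    "main_fw": {("public", "dmz"): {443}},        # NAT'd web traffic into the DMZ
    "lan_fw":  {("lan", "dmz"): {443}},           # LAN users reach the web tier only
    "db_fw":   {("dmz", "database"): {1433}},     # only the app tier queries the DB
}

def merge(firewalls):
    """Union the per-firewall rule sets into one flow table."""
    flows = {}
    for rules in firewalls.values():
        for pair, ports in rules.items():
            flows.setdefault(pair, set()).update(ports)
    return flows

def add_flat_network(firewalls, name, zones):
    """Add a backup/management segment that every listed zone reaches unfiltered."""
    rules = {}
    for z in zones:
        rules[(z, name)] = {"any"}
        rules[(name, z)] = {"any"}
    return {**firewalls, f"{name}_unfiltered": rules}

def merged_zone(flows, zone):
    """Zones that are effectively one segment with `zone`: joined by unfiltered rules."""
    group, queue = {zone}, deque([zone])
    while queue:
        z = queue.popleft()
        for (s, d), ports in flows.items():
            if s == z and "any" in ports and d not in group:
                group.add(d)
                queue.append(d)
    return group

def ports_reaching(firewalls, src, dst):
    """Ports on which a host in `src` can open a connection into `dst`'s segment."""
    flows = merge(firewalls)
    src_group, dst_group = merged_zone(flows, src), merged_zone(flows, dst)
    return {p for (s, d), ports in flows.items()
            if s in src_group and d in dst_group for p in ports}

def exposure_report(firewalls, target):
    """Every other zone that can reach `target`, with the ports it can use."""
    zones = {z for pair in merge(firewalls) for z in pair} - {target}
    return {z: sorted(ports_reaching(firewalls, z, target), key=str)
            for z in zones if ports_reaching(firewalls, z, target)}

if __name__ == "__main__":
    print(exposure_report(SEGMENTED, "database"))
    bridged = add_flat_network(SEGMENTED, "backup", ["dmz", "lan", "database"])
    print(exposure_report(bridged, "database"))
```

Run as-is, the first report shows only the DMZ reaching the database on its one assumed port; after the unfiltered backup segment is added, the LAN reaches the database on any port and the database's segment is exposed to the public zone through the DMZ rule.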


