RE: Firewalls and PCI

[Jason Alexander <jalexander () plus net>]

> > (PS - can anyone explain in english the difference between an  application firewall and an IPS device?)

I'm actually trying to decipher the differences too. Most IPS devices now do deep packet, layer seven inspection and do 
web centric prevention. The 2 web issues that would cause you to fail PCI compliance would be sql injection and XSS. 
These are normally well covered in most modern IPS solutions. However, PCI 1.1 does refer to them individually. Also 
Juniper have a document http://www.juniper.net/solutions/literature/solutionbriefs/351278.pdf that states that only 
their DX web accelerators would satisfy 6.6 on PCI and not their IPS solutions.


Im still looking into it....



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of David Glosser
Sent: 16 January 2008 00:03
To: security-basics () securityfocus com
Subject: Re: Firewalls and PCI


I'll let others answer the firewall question, but here are other points to ponder (I know a lot of this is outside of 
the area of network design, apologies in advance if someone else is covering this)

- Don't forget about the backup or "management"
network. You can have lots of firewalls, but if the segments are connected on the back-end for backups or management, 
then what's the point ;)
- Add Intrusion Protection (or at least detection) in your network design
- Add application firewalls to your design (which can be as simple as apache with ModSecurity or a more
expensive appliance).   An application firewall may be
required anyway in the next major PCI
 compliance revision.
- Management of different devices can add overhead, but some people like a "defense in depth" approach.
Consider a different model of firewall for your perimiter than the others. Consider two different models of IDS/IPS 
devices. 
- Are you are required to do "encryption" of data at rest, as well as encryption of backup tapes? 
- consider one of those unified log aggregators
- consider tripwire of an Host-IDS
- consider a 24x7 monitoring service. 
- Is there a data-breach plan in place in case the credit card info gets out?
- is someone running regular internal and external vulnerability scans?

DG

 (PS - can anyone explain in english the difference between an  application firewall and an IPS device?)


--- Josh Haft <pacmansyu () gmail com> wrote:

> Hello all,
>
> Please consider the following scenario with respect to a) PCI 
> compliance, b) best practice, and c) your own personal 
> experiences/implementations.
>
> Have been requested by a client to implement separate, physical 
> firewalls between our various networks. Currently, we have one 
> physical firewall with interfaces to a public network (after a quick 
> pass through a router), a LAN, a DMZ, and another network which houses 
> our database servers. These are all on separate networks, and run 
> through separate physical switches.
>
> The client wants another physical firewall between each subnet. The 
> new configuration as I see it would have the 'main'
> firewall NAT'ing
> and passing traffic from the public network to the DMZ, and to two 
> additional firewalls. Behind those firewalls would be a LAN and the 
> separate 'database network', respectively.
>
> In our ever-ending quest to bend over for every client, cost (within
> reason) is not an issue, so disregard that aspect.
> Comments,
> questions, and concerns as they relate to this issue would be greatly 
> appreciated.
>
> Thanks!
> Josh