RE: Re: Firewalls and PCI

["Honer, Lance" <lhoner () smartgrp com>]

I can't speak for other QSA's but I would have no problem with just one
physical device for all segments.

Grant it the safest solution is would be a separate physical device for
each where it's a different make and model so that a compromise of the
internet facing device would not compromise every other firewall. But
this can open up a whole mess of other problems that is beyond the scope
of this discussion.

Who is this "client" your referring to, I'm not asking for names just
for the relationship here?

Lance

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Josh Haft
Sent: Friday, January 18, 2008 1:14 PM
To: Honer, Lance
Cc: security-basics () securityfocus com
Subject: Re: Re: Firewalls and PCI

On Jan 18, 2008 10:21 AM, Honer, Lance <lhoner () smartgrp com> wrote:
> Well, PCI does not mandate or even suggest anything regarding network
> segmentation. PCI says anything that could cause a card exposure must
be
> evaluated for compliance.
>
> It's really up to the company in question to follow this thought
process
> to completion. When they do they'll realize that if the limit the
scope
> of things in the environment that could lead to an exposure the fewer
> things in the environment that will need to be evaluated for
compliance.
> So in the context of network segmentation this means separating your
> card data related systems from the non-card data related systems and
> protecting access into the card data related systems.
>
> Lance
The section of PCI I was referring to is 1.1.3
    "Requirements for a firewall at each Internet connection and
between any demilitarized zone (DMZ) and the internal network zone."

So, I have a firewall that separates these networks. However, it's
only one physical. The client is requesting that we have our network
separated by multiple physical firewalls. I can only assume the
aforementioned section of PCI includes both configurations (one or
multiple physical firewalls), but I am wondering how others have
interpreted this.

We'll probably end up adding at least one firewall and putting the LAN
and database network behind it, leaving the DMZ behind only one
firewall. I'm just curious how others have treated these situations.

Thanks everyone for your responses.

 
--------------------------------------------------------------------------
SMART Business Advisory and Consulting, LLC and SMART and Associates, LLP have an alternative practice structure. The 
two companies are separate and independent legal entities that work together to meet clients' business needs. SMART 
Business Advisory and Consulting, LLC is not a licensed CPA firm.
 
This message may contain information that is privileged, confidential and exempt from disclosure under applicable law. 
If you are not the intended recipient (or authorized to act on behalf of the intended recipient) of this message, you 
may not disclose, forward, distribute, copy, or use this message or its contents. If you have received this 
communication in error, please notify us immediately by return e-mail and delete the original message from your e-mail 
system.