Security Basics mailing list archives
RE: Re: Firewalls and PCI
From: "Honer, Lance" <lhoner () smartgrp com>
Date: Fri, 18 Jan 2008 16:16:03 -0500
I can't speak for other QSAs, but I would have no problem with just one physical device for all segments. Granted, the safest solution would be a separate physical device for each, where each is a different make and model, so that a compromise of the Internet-facing device would not compromise every other firewall. But this can open up a whole mess of other problems that is beyond the scope of this discussion. Who is this "client" you're referring to? I'm not asking for names, just for the relationship here.

Lance

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Josh Haft
Sent: Friday, January 18, 2008 1:14 PM
To: Honer, Lance
Cc: security-basics () securityfocus com
Subject: Re: Re: Firewalls and PCI

On Jan 18, 2008 10:21 AM, Honer, Lance <lhoner () smartgrp com> wrote:
Well, PCI does not mandate or even suggest anything regarding network segmentation. PCI says anything that could cause a card exposure must be evaluated for compliance. It's really up to the company in question to follow this thought process to completion. When they do, they'll realize that if they limit the scope of things in the environment that could lead to an exposure, the fewer things in the environment will need to be evaluated for compliance.

So in the context of network segmentation this means separating your card data related systems from the non-card data related systems and protecting access into the card data related systems.

Lance
The section of PCI I was referring to is 1.1.3 "Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone." So, I have a firewall that separates these networks. However, it's only one physical. The client is requesting that we have our network separated by multiple physical firewalls. I can only assume the aforementioned section of PCI includes both configurations (one or multiple physical firewalls), but I am wondering how others have interpreted this. We'll probably end up adding at least one firewall and putting the LAN and database network behind it, leaving the DMZ behind only one firewall. I'm just curious how others have treated these situations. Thanks everyone for your responses.
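Whether the 1.1.3 boundaries (Internet/DMZ and DMZ/internal) are enforced depends on the rule set, not on how many chassis carry it. The following is an added illustration, not code from this thread: a small first-match policy evaluator over a constructed rule set for a single device hosting all three segments, with a check that flags rules crossing either boundary. Addresses, zone ranges, the rule format and the database port are assumptions made for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample hosts, one per segment (documentation address ranges).
INTERNET_HOST = "203.0.113.10"
DMZ_WEB = "192.0.2.10"
INTERNAL_DB = "198.51.100.20"
DB_PORT = 5432  # assumed database listener port

# Rule: (action, src_cidr, dst_cidr, dst_port or None for any port).
# First match wins, with an implicit deny at the end, as on a typical firewall.
GOOD_RULES = [
    ("allow", "0.0.0.0/0", "192.0.2.0/24", 443),              # Internet -> DMZ web
    ("allow", "192.0.2.10/32", "198.51.100.20/32", DB_PORT),  # DMZ app -> DB only
]
# Same policy plus one over-broad rule that quietly collapses the segmentation.
BAD_RULES = GOOD_RULES + [
    ("allow", "0.0.0.0/0", "198.51.100.0/24", None),          # anything -> internal
]

def decide(rules, src, dst, port):
    """Return 'allow' or 'deny' for a flow, using first-match semantics."""
    s, d = ip_address(src), ip_address(dst)
    for action, scidr, dcidr, rport in rules:
        if s in ip_network(scidr) and d in ip_network(dcidr) and rport in (None, port):
            return action
    return "deny"  # implicit default deny

def check_segmentation(rules):
    """List findings where a 1.1.3 boundary is crossed; empty means clean."""
    findings = []
    # Boundary 1: the Internet must never reach the internal zone directly.
    for port in (22, 80, 443, DB_PORT):
        if decide(rules, INTERNET_HOST, INTERNAL_DB, port) == "allow":
            findings.append(f"internet->internal allowed on {port}")
    # Boundary 2: DMZ -> internal limited to the DB port from the app host.
    if decide(rules, DMZ_WEB, INTERNAL_DB, DB_PORT) != "allow":
        findings.append("dmz app cannot reach the DB on its port")
    for port in (22, 80, 443):
        if decide(rules, DMZ_WEB, INTERNAL_DB, port) == "allow":
            findings.append(f"dmz->internal allowed on {port}")
    # Internet -> DMZ should expose only the published service port.
    if decide(rules, INTERNET_HOST, DMZ_WEB, 22) == "allow":
        findings.append("internet->dmz allowed on 22")
    return findings

if __name__ == "__main__":
    print("good:", check_segmentation(GOOD_RULES))
    print("bad:", check_segmentation(BAD_RULES))
```

The same check applies unchanged whether the two boundaries live on one device or on two; what changes with separate devices is only the blast radius of a compromised firewall, which the rule logic cannot model.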