Educause Security Discussion mailing list archives

Re: PCI compliance on a university network


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Thu, 24 Dec 2009 22:40:26 -0500

On Tue, 22 Dec 2009 11:58:01 EST, Scott Sweren said:
> PCI had always instructed that the auditor needed to be comfortable that
> segmentation was really in place.  While it may be, if the company could
> not adequately demonstrate that, then the auditor could state so in the
> report.  Demonstration is through providing the ACL lists, showing
> reviews and approvals were done as required, etc.

What a wimpy demonstration. :)

Maybe I watch too much Mythbusters, but where I come from, if somebody says
some glass is bulletproof, it's time to haul a few samples to the range
and point various calibers at it.  Seems if somebody claims segmentation is
there, it's time to break out some high-caliber packet generators and
verify the ACLs the dastardly way. ;)

(Oh no, the firewall would *never* accept a forged packet on the exterior
side with source and dest addresses both inside, right?  Right? ;)

On Dec 22, 2009, at 10:37 AM, Joel Rosenblatt wrote:
> Again, this is the difference between real security and checklist security :-)

Hmm.. is that why the checklist people always claim I don't play nice with
others? :)

Happy Holidays, everybody!
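The point above, that an ACL listing can look correct on paper while still accepting a spoofed exterior-side packet with inside source and destination addresses, can be checked without a packet generator by replaying test packets through the ruleset. The following is an added example, not part of the original mail; it uses a constructed, simplified first-match ACL format (action, ingress interface, source, destination, port) and constructed addresses, and compares a "paper" ACL against one with an explicit anti-spoofing rule on the outside interface.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Hypothetical ACL syntax for this example: "<permit|deny> <iface|any> <src> <dst> <port|any>"
# Rules are evaluated first-match, with an implicit deny at the end.

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrives on ("inside" / "outside")
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str
    iface: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]   # None means any port

    def matches(self, p: Packet) -> bool:
        return (self.iface in ("any", p.iface)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))

def parse_acl(text: str) -> list:
    rules = []
    for line in text.strip().splitlines():
        action, iface, src, dst, port = line.split()
        rules.append(Rule(action, iface, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), None if port == "any" else int(port)))
    return rules

def evaluate(rules: list, p: Packet) -> str:
    return next((r.action for r in rules if r.matches(p)), "deny")

def verify(rules: list, expectations: list) -> list:
    """Return (packet, expected, actual) for every expectation the ACL violates."""
    return [(p, exp, got) for p, exp in expectations if (got := evaluate(rules, p)) != exp]

# Constructed CDE = 10.10.0.0/16, app tier = 10.20.0.0/16; the "paper" ACL trusts
# addresses alone, the hardened one first rejects internal sources arriving outside.
PAPER_ACL = """permit any 10.10.0.0/16 10.10.0.0/16 any
permit any 10.20.0.0/16 10.10.0.0/16 443
deny any 0.0.0.0/0 10.10.0.0/16 any
permit any 0.0.0.0/0 0.0.0.0/0 any"""
HARDENED_ACL = "deny outside 10.0.0.0/8 0.0.0.0/0 any\n" + PAPER_ACL

SPOOFED = Packet("outside", "10.10.0.9", "10.10.0.5", 22)   # forged inside->inside, from exterior
EXPECTATIONS = [(Packet("inside", "10.20.1.5", "10.10.0.5", 443), "permit"),
                (Packet("inside", "10.20.1.5", "10.10.0.5", 22), "deny"),
                (Packet("outside", "198.51.100.7", "10.10.0.5", 443), "deny"),
                (SPOOFED, "deny")]
```

Running `verify(parse_acl(PAPER_ACL), EXPECTATIONS)` reports the spoofed packet as permitted, while the hardened ruleset reports no violations.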
