Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: "miedaner" <miedaner () twcny rr com>
Date: Sun, 5 Apr 2009 12:22:50 -0400
Interesting thread. The reality is that companies have not followed best practices in terms of network and internet services. Over and over in my 17 years in security people whining for the next unsafe app, protocol, etc have won out over sound security. Not to mention poor design practices that put ring 0 devices on the edge rather than in a tiered design. How many companies have the payroll and money transfer machines located so any user can touch them, both physically and logically. How many bandaids has the so called security industry come up with to compensate for poor practices. E.G. The clueless demand a PIX so we need an IDS and whatever other protocol aware device. Good design and having the balz to say no goes a long way in keeping environment simple and secure. As far as testing, some is needed but the ill informed would assume that a successful PT means you are OK. Not to mention 9 times out of 10 the testers exploit low hanging fruit - lets be real here we are dealing with the soft chewy core of M$. Add distributed offices and physical security weakneses into the mix and successful attacks, for the determined, becomes a cake walk. Also as far as PCI standards and all other regulations is, I believe, the anount of interpretation that is allowed. Try defining scope under PCI, very ambiguous. Tony Miedaner eroc emit eno -----Original Message----- From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of Brian Loe Sent: Sunday, April 05, 2009 1:50 AM To: Firewall Wizards Security Mailing List Subject: Re: [fw-wiz] PCI DSS & Firewalls On Fri, Apr 3, 2009 at 3:36 PM, Paul Melson <pmelson () gmail com> wrote:
At the end of the day, offensive security (scanning, pen-testing,
auditing,
etc.) is testing. And some testing is ALWAYS better than no testing.
Show
me a company that doesn't require testing before moving a system into production and I'll show you a company that can afford lots of downtime.
And I'll show you every company I've ever worked for - including the one that's handling your prescriptions and likely the one handling your 401k. Then again, I guess it depends on what you call testing. If it means "it turns on, given expected input it returns expected output" then never mind - you're "safe". Otherwise you're living as big of a make believe world as Marcus. And as everyone knows I'm quite the realist! Then again I'm also the manager who, while trying to get an updated security program approved by the "IT Steering Committee", removed the part about certification and accreditation for new systems because, frankly, if you're our size it's stupid and overly costly. What I would VERY MUCH LIKE is a "checklist" like the first set of instructions I got for (well, it's late and I can't remember the acronym - and it's since been changed anyway - DoD crap).... I prefer a standard tell me EXACTLY what it want as a minimum and then my midldle management idiot self can busy myself doing BETTER than that standard... _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: PCI DSS & Firewalls, (continued)
- Re: PCI DSS & Firewalls david (Apr 02)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls Jim Seymour (Apr 02)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls Jim Seymour (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Paul Melson (Apr 03)
- Re: PCI DSS & Firewalls Brian Loe (Apr 05)
- Re: PCI DSS & Firewalls miedaner (Apr 05)
- Re: PCI DSS & Firewalls Mark (Apr 06)
- Re: PCI DSS & Firewalls Brian Loe (Apr 06)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls ArkanoiD (Apr 10)
- Re: PCI DSS & Firewalls Frank Knobbe (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls AMuse (Apr 02)
- Re: PCI DSS & Firewalls Darden, Patrick S. (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)