Firewall Wizards mailing list archives

Re: Using linux firewalls for PCI compliant infrastructure


From: Siim Põder <siim () p6drad-teel net>
Date: Wed, 25 Nov 2009 09:39:01 +0200

Hi

Tracy Reed wrote:
> I am. For PCI. No problem. Did the people who suggested something
> commercial provide any good quantifiable reasons or was it simply
> cargo-cult network security?

IMO, mostly the latter (the cargo cult one):
1) Commercial vendors are sometimes certified to be secure
2) Lots of people are using commercial firewalls for critical
infrastructure and hence they are better tested
3) Commercial vendors can be pushed to produce patches for problems

We currently have iptables on central firewalls and mod_security doing
application level filtering on webservers themselves. It was suggested
that a firewall doing SSL termination and content inspection would be
better because it would have better application-level rulesets
(namely, protection from common DOS bots was mentioned).

Generally, I don't think they make a very good case. However, I
promised to ask if there are any other shops using open source
firewalls out there. Maybe they are just worried to be on the boat
alone :)

Thanks for your comments!

Siim
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

