Re: Using linux firewalls for PCI compliant infrastructure

[Victor Williams <vbwilliams () gmail com>]

I generally believe that is due to lack of knowledge.  If the knowledge of
the solution rests in you alone, and you quit, get hit by a truck, get swine
flu and are out of commission, etc, then they have no one to go back and get
support from other than you and whatever they can find on the iptables
website or some other Google search.  Most management want a very defined
support structure in place.

I am in the weird position of being a manager/director, but also being a
person that has to do hands-on upkeep of the systems I oversee management
and security of.  I could have rolled my own solution from the top
down...from "stateful firewall" to "application firewall" to load balancer,
etc.  I opted for all relatively well-known solutions (some retail, some
open source)because if I decided to leave the organization, they wouldn't be
stuck.

The few managers above me were generally more tuned in to spending dollars
on solutions with a commercial support structure vs spending time on a free
solution that required them to have a RHCE or other Linux guru on hand to
figure out.

That all being said, I don't see an overall difference in the quality of
products in what you're using vs others that are commercial.  There are open
source ways to do everything you need (where PCI is concerned) from the edge
all the way back to the core router/switch.  It's just a matter of risk in
my opinion.  The risk isn't really in what you're using...it's if all of
that knowledge rests in one place and could be unavailable to the rest of
the organization if one person left...at least that's what I'd be thinking
about from a management perspective.

In the organization I work in (online retailer), we've implemented a mix,
based on which product(s) were the most widely and easily supported.  DNS,
SFTP/FTPS, PKI, Firewalls, load-balancers, web, etc.  Some of them are open
source solutions, some are proprietary/retail, based on risk and knowledge
of on-hand stuff.  I don't see any of them as better/worse.  The main
question asked was, "Do we have the personnel on staff to keep this
infrastructure up-to-date and running in an optimal manner?"

You should make the worriers aware that a bunch of commercial vendors are
using open source products in their offerings.  If they modify the open
source, it's going back to the community (it's supposed to), in which case
it's going to be available to everyone else (it should be).


On Wed, Nov 25, 2009 at 1:39 AM, Siim Põder <siim () p6drad-teel net> wrote:

> Hi
>
> Tracy Reed wrote:
> > I am. For PCI. No problem. Did the people who suggested something
> > commercial provide any good quantifiable reasons or was it simply
> > cargo-cult network security?
>
> IMO, mostly the latter (the cargo cult one):
> 1) Commercial vendors are sometimes certified to be secure
> 2) Lot's of people are using commercial firewalls for critical
> infrastructure and hence they are better tested
> 3) Commercial vendor can be pushed to produce patches for problems
>
> We currently have iptables on central firewalls and mod_security doing
> application level filtering on webservers themselves. It was suggested
> that a firewall doing SSL termination and content inspection would be
> better because it would have better application-level rulesets
> (namely, protection from common DOS bots was mentioned).
>
> Generally, I dont think they make a very good case. However, I
> promised to ask if there are any other shops using open source
> firewalls out there. Maybe they are just worried to be on the boat
> alone :)
>
> Thanks for your comments!
>
> Siim
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards