Firewall Wizards mailing list archives
Re: Using linux firewalls for PCI compliant infrastructure
From: Victor Williams <vbwilliams () gmail com>
Date: Wed, 25 Nov 2009 07:41:06 -0600
I generally believe that is due to lack of knowledge. If the knowledge of the solution rests in you alone, and you quit, get hit by a truck, get swine flu and are out of commission, etc, then they have no one to go back and get support from other than you and whatever they can find on the iptables website or some other Google search. Most management want a very defined support structure in place.

I am in the weird position of being a manager/director, but also being a person that has to do hands-on upkeep of the systems I oversee management and security of. I could have rolled my own solution from the top down...from "stateful firewall" to "application firewall" to load balancer, etc. I opted for all relatively well-known solutions (some retail, some open source) because if I decided to leave the organization, they wouldn't be stuck. The few managers above me were generally more tuned in to spending dollars on solutions with a commercial support structure vs spending time on a free solution that required them to have a RHCE or other Linux guru on hand to figure out.

That all being said, I don't see an overall difference in the quality of products in what you're using vs others that are commercial. There are open source ways to do everything you need (where PCI is concerned) from the edge all the way back to the core router/switch. It's just a matter of risk in my opinion. The risk isn't really in what you're using...it's if all of that knowledge rests in one place and could be unavailable to the rest of the organization if one person left...at least that's what I'd be thinking about from a management perspective.

In the organization I work in (online retailer), we've implemented a mix, based on which product(s) were the most widely and easily supported. DNS, SFTP/FTPS, PKI, Firewalls, load-balancers, web, etc. Some of them are open source solutions, some are proprietary/retail, based on risk and knowledge of on-hand stuff. I don't see any of them as better/worse.
The main question asked was, "Do we have the personnel on staff to keep this infrastructure up-to-date and running in an optimal manner?"

You should make the worriers aware that a bunch of commercial vendors are using open source products in their offerings. If they modify the open source, it's going back to the community (it's supposed to), in which case it's going to be available to everyone else (it should be).

On Wed, Nov 25, 2009 at 1:39 AM, Siim Põder <siim () p6drad-teel net> wrote:
> Hi
>
> Tracy Reed wrote:
> > I am. For PCI. No problem. Did the people who suggested something commercial provide any good quantifiable reasons or was it simply cargo-cult network security?
>
> IMO, mostly the latter (the cargo cult one):
> 1) Commercial vendors are sometimes certified to be secure
> 2) Lots of people are using commercial firewalls for critical infrastructure and hence they are better tested
> 3) Commercial vendor can be pushed to produce patches for problems
>
> We currently have iptables on central firewalls and mod_security doing application level filtering on webservers themselves. It was suggested that a firewall doing SSL termination and content inspection would be better because it would have better application-level rulesets (namely, protection from common DoS bots was mentioned).
>
> Generally, I don't think they make a very good case. However, I promised to ask if there are any other shops using open source firewalls out there. Maybe they are just worried to be on the boat alone :)
>
> Thanks for your comments!
>
> Siim
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards