Firewall Wizards mailing list archives
Re: Using linux firewalls for PCI compliant infrastructure
From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Wed, 25 Nov 2009 09:40:04 -0600
> I am. For PCI. No problem. Did the people who suggested something commercial provide any good quantifiable reasons or was it simply cargo-cult network security?
It's not cargo cult or, at least, it does not have to be. Commercial solutions are normalized, or at least appear as such to the general population, such as your auditors. From your perspective it might, rightfully, seem like a misplaced effort, while the security folks could report to many masters and have another set of requirements (cost of compliance vs. your more technical metrics).

Before I get shot: I am not arguing that the audit score is a measure of security. My wild guess is that your security folks believe that a WAF, or whatever they want to put in, would make the auditors happy, therefore it would address one of the risks they are facing.

On the technical side, WAFs are a double-edged sword and lure people into a band-aid treadmill, where they fix countless symptoms (XSS patches) rather than the often dangerous and hard to address disease (SDLC). At the same time, the audit risk is far more tangible and predictable than whatever might happen due to scrapping your custom system in favor of buying some off-the-shelf wonder. I would call this substandard risk management, but many companies seem to thrive on such an approach....

Again, just playing the devil's advocate here.

--
Marcin Antkiewicz

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards