Firewall Wizards mailing list archives

Re: Using linux firewalls for PCI compliant infrastructure


From: Anton Chuvakin <anton () chuvakin org>
Date: Thu, 26 Nov 2009 18:08:21 -0800

> We are using linux-based servers as firewalls for PCI compliant
> infrastructure. During audits it has been OK so far but security
> people internally have suggested that maybe a commercial product would
> be better suited for PCI infrastructure (as it is pretty critical).

First things first: in PCI DSS, a firewall is a firewall is a
firewall. There is no preference for free or commercial ones. The only
criterion is "stateful" (somewhere in 1.1, if I recall correctly).

> What do you think, would a commercial firewall provide a tangible
> improvement in security?

Too close to being a religious debate.

> Is anyone else using linux-based firewalls for PCI (or otherwise
> sensitive) infrastructure?

Yes, I've seen people use iptables in 1.1 and in 1.4 (as a personal firewall).

-- 
Dr. Anton Chuvakin
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Twitter: @anton_chuvakin
Google Voice: 510-771-7106
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

