Full Disclosure mailing list archives
Re: Sony: No firewall and no patches
From: "Dobbins, Roland" <rdobbins () arbor net>
Date: Tue, 10 May 2011 06:47:58 +0000
On May 10, 2011, at 1:40 PM, Tracy Reed wrote:
If you have traffic going out to a high numbered port and you are not keeping state how do you know if that is a reply packet to an existing inbound connection or if it is an unauthorized outbound connection?
You use stateless ACLs to filter outbound traffic as well, only allowing traffic originating from required well-known ports to ephemeral high ports. This is a basic network access policy Best Current Practice (BCP). 'Client-side' traffic originating from the server, such as DNS lookups and so forth, should be channeled through a completely different NIC on a completely different, isolated segment with proxies and so forth. And all management access should take place via an OOB/DCN management network, on yet another NIC/segment. And mod_security will pass PCI DSS audits just fine. As PayPal's head of opsec was quoted recently, PCI DSS is too vague in many places, and is overly-specific in others. It should be re-factored to an outcomes-based model, IMHO. ----------------------------------------------------------------------- Roland Dobbins <rdobbins () arbor net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Sony: No firewall and no patches, (continued)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches Thor (Hammer of God) (May 09)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches James Matthews (May 11)
- Re: Sony: No firewall and no patches The Security Community (May 09)
- Re: Sony: No firewall and no patches Nick FitzGerald (May 09)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 09)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches Ivan . (May 09)
- Re: Sony: No firewall and no patches Valdis . Kletnieks (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 09)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches Pete Smith (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 10)
- Re: Sony: No firewall and no patches Thor (Hammer of God) (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 10)
- Re: Sony: No firewall and no patches Thor (Hammer of God) (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 10)
- Re: Sony: No firewall and no patches Bruno Cesar Moreira de Souza (May 10)