Security Basics mailing list archives
Re: Firewalls and PCI
From: "Jon R. Kibler" <Jon.Kibler () aset com>
Date: Tue, 15 Jan 2008 22:54:27 +0000
Josh Haft wrote:
> Hello all,
>
> Please consider the following scenario with respect to a) PCI compliance, b) best practice, and c) your own personal experiences/implementations.
>
> Have been requested by a client to implement separate, physical firewalls between our various networks. Currently, we have one physical firewall with interfaces to a public network (after a quick pass through a router), a LAN, a DMZ, and another network which houses our database servers. These are all on separate networks, and run through separate physical switches.
>
> The client wants another physical firewall between each subnet. The new configuration as I see it would have the 'main' firewall NAT'ing and passing traffic from the public network to the DMZ, and to two additional firewalls. Behind those firewalls would be a LAN and the separate 'database network', respectively.
>
> In our never-ending quest to bend over for every client, cost (within reason) is not an issue, so disregard that aspect.
>
> Comments, questions, and concerns as they relate to this issue would be greatly appreciated.
>
> Thanks!
> Josh
You have a VERY SMART client!! This is an architecture I have been pushing for years: Isolate every individual zone of security with a firewall.

Another issue I see consistently ignored: You NEVER have a clue who is on any DHCP network. Therefore, anything running DHCP should be on a physically separate network that is considered only very very slightly more trusted than the Internet. And needless to say, this network must be isolated from the rest of the organization's internal network using a firewall. Also, please note that the same applies to ANYTHING wireless.

I have an organization where I have just implemented a multi-location network, and each location's LAN is isolated on the WAN via a firewall (and one or two routers) from the rest of the WAN. Any site with exposed services has an Internet-facing router, a hardware firewall, DMZ servers, a hardware firewall, the LAN, and on LAN:
a) a hardware firewall that isolates WAN/LAN servers
b) a hardware firewall that isolates the site from the WAN, and the WAN router
c) a hardware firewall that isolates a DHCP network.

Finally, EVERY host should have a good (e.g., not M$) firewall. I am very pleased with Sophos' endpoint security product in this respect.

Hope this helps! (And pay attention to your client's good ideas!)

Jon Kibler
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC USA
(843) 849-8214
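The two topologies discussed in this thread (Josh's single multi-interface firewall versus the client's per-zone firewalls, plus Jon's firewalled DHCP network), modelled as a small added example that is not code from either poster. Zones and firewall names are assumed; the policy table of "minimum firewalls a path must cross" is a constructed illustration of the defence-in-depth argument, not a PCI requirement.

```python
import heapq

# Constructed topologies. Nodes whose name starts with "fw" are firewalls;
# every other node is a network zone. Links are undirected.
CURRENT = [  # one firewall with interfaces to every zone; DHCP clients sit on the LAN
    ("internet", "fw_main"), ("fw_main", "dmz"),
    ("fw_main", "lan"), ("fw_main", "db"), ("lan", "dhcp"),
]
PROPOSED = [  # main firewall in front, a dedicated firewall per inner zone
    ("internet", "fw_main"), ("fw_main", "dmz"),
    ("fw_main", "fw_lan"), ("fw_lan", "lan"),
    ("fw_main", "fw_db"), ("fw_db", "db"),
    ("lan", "fw_dhcp"), ("fw_dhcp", "dhcp"),  # Jon's isolated DHCP network
]
# Assumed policy: minimum number of distinct firewalls on any path src -> dst.
POLICY = {("internet", "db"): 2, ("internet", "lan"): 2,
          ("dhcp", "db"): 2, ("dmz", "db"): 1}

def min_firewalls(links, src, dst):
    """Dijkstra over the zone/firewall graph; a firewall node costs 1, a zone 0.
    Returns the fewest firewalls any path must traverse, or None if unreachable."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    if src not in adj or dst not in adj:
        return None
    best, heap = {src: 0}, [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if node == dst:
            return cost
        if cost > best[node]:
            continue
        for nxt in adj[node]:
            c = cost + (1 if nxt.startswith("fw") else 0)
            if c < best.get(nxt, float("inf")):
                best[nxt] = c
                heapq.heappush(heap, (c, nxt))
    return None

def violations(links, policy):
    """Return (src, dst, found, required) for every policy entry the topology fails."""
    out = []
    for (src, dst), required in policy.items():
        found = min_firewalls(links, src, dst)
        if found is None or found < required:
            out.append((src, dst, found, required))
    return out

if __name__ == "__main__":
    print("current :", violations(CURRENT, POLICY))
    print("proposed:", violations(PROPOSED, POLICY))
```

With the single-firewall design every inter-zone path crosses exactly one enforcement point, so one misconfiguration exposes the database network; the per-zone design puts two independent firewalls between the Internet and the database, and four between DHCP clients and the database.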