Re: Firewalls and PCI

[David Glosser <david_glosser () yahoo com>]

Thanks. I know of one company whose management wants to get rid of the IPS devices in front of their web servers and 
replace them with application firewalls "since we can't afford both and both block the bad stuff".




----- Original Message ----
> From: Jason Alexander <jalexander () plus net>
> To: David Glosser <david_glosser () yahoo com>; security-basics () securityfocus com
> Sent: Wednesday, January 16, 2008 11:03:30 AM
> Subject: RE: Firewalls and PCI
>
>
> > > (PS - can anyone explain in english the difference between an application
> firewall and an IPS device?)
>
> I'm actually trying to decipher the differences too. Most IPS devices now do
> deep packet, layer seven inspection and do web centric prevention. The 2 web
> issues that would cause you to fail PCI compliance would be sql injection and
> XSS. These are normally well covered in most modern IPS solutions. However, PCI
> 1.1 does refer to them individually. Also Juniper have a document
> http://www.juniper.net/solutions/literature/solutionbriefs/351278.pdf that
> states that only their DX web accelerators would satisfy 6.6 on PCI and not
> their IPS solutions.
>
>
> Im still looking into it....
>
>
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of David Glosser
> Sent: 16 January 2008 00:03
> To: security-basics () securityfocus com
> Subject: Re: Firewalls and PCI
>
>
> I'll let others answer the firewall question, but here are other points to
> ponder (I know a lot of this is outside of the area of network design, apologies
> in advance if someone else is covering this)
>
> - Don't forget about the backup or "management"
> network. You can have lots of firewalls, but if the segments are connected on
> the back-end for backups or management, then what's the point ;)
> - Add Intrusion Protection (or at least detection) in your network design
> - Add application firewalls to your design (which can be as simple as apache
> with ModSecurity or a more
> expensive appliance). An application firewall may be
> required anyway in the next major PCI
> compliance revision.
> - Management of different devices can add overhead, but some people like a
> "defense in depth" approach.
> Consider a different model of firewall for your perimiter than the others.
> Consider two different models of IDS/IPS devices. 
> - Are you are required to do "encryption" of data at rest, as well as encryption
> of backup tapes? 
> - consider one of those unified log aggregators
> - consider tripwire of an Host-IDS
> - consider a 24x7 monitoring service. 
> - Is there a data-breach plan in place in case the credit card info gets out?
> - is someone running regular internal and external vulnerability scans?
>
> DG
>
> (PS - can anyone explain in english the difference between an application
> firewall and an IPS device?)
>
>
> --- Josh Haft wrote:
>
> > Hello all,
> >
> > Please consider the following scenario with respect to a) PCI 
> > compliance, b) best practice, and c) your own personal 
> > experiences/implementations.
> >
> > Have been requested by a client to implement separate, physical 
> > firewalls between our various networks. Currently, we have one 
> > physical firewall with interfaces to a public network (after a quick 
> > pass through a router), a LAN, a DMZ, and another network which houses 
> > our database servers. These are all on separate networks, and run 
> > through separate physical switches.
> >
> > The client wants another physical firewall between each subnet. The 
> > new configuration as I see it would have the 'main'
> > firewall NAT'ing
> > and passing traffic from the public network to the DMZ, and to two 
> > additional firewalls. Behind those firewalls would be a LAN and the 
> > separate 'database network', respectively.
> >
> > In our ever-ending quest to bend over for every client, cost (within
> > reason) is not an issue, so disregard that aspect.
> > Comments,
> > questions, and concerns as they relate to this issue would be greatly 
> > appreciated.
> >
> > Thanks!
> > Josh