Security Basics mailing list archives

RE: Firewalls and PCI


From: <Anthony_Cicalla () McAfee com>
Date: Tue, 18 Nov 2008 10:12:59 -0800

If you simply did proper input validation in your application you would be
able to make your systems secure without the web application firewall. We
certify people PCI compliant that do not have web application firewalls all
of the time. Do a proper code review of your web application and make sure
all data, even if it doesn't come from the end user, is validated. If you
have a product id number, don't accept anything except 0-9; it's really that
simple. SQL injection is a vulnerability in the coding of your web
application; fix the source of the problem instead of using a band-aid
provided by some other company. If you need to know how to test your web
application go to www.owasp.com and look at their methodology. They even
show you examples of how to test for each vuln in their methodology.

Sincerely,

Anthony Cicalla,

CNA, CEH, CISSP, GSNA, MCP, SCTA

Research Scientist

 

McAfee, Inc.
535 Oakmead Pkwy
Sunnyvale, CA 94085

408.992.8300 Main
408.992.8441 Direct
408.720.8450 Fax
925-262-7565 Cell

Anthony_Cicalla () mcafee com

www.Mcafeesecure.com
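The "accept only 0-9 for a product id" advice above, worked through in code. This is an added example, not code from the thread or from any of the posters' employers. It assumes a Python application with an in-memory SQLite table of constructed sample rows; the lookup functions, the table layout and the malformed input string are all invented for illustration. It shows the same parameter handled two ways: pasted into the SQL text, and validated against a digits-only allow-list and then bound as a query parameter.

```python
"""Allow-list input validation plus parameterised queries for a product-id
lookup. Added example for the mailing-list thread; not the posters' code.
The table and its rows are constructed sample data so the script runs offline.
"""
import re
import sqlite3

# Allow-list: a product id is one to ten ASCII digits and nothing else.
# Quotes, spaces, comment markers and keywords all fail this check.
PRODUCT_ID_RE = re.compile(r"[0-9]{1,10}")


def validate_product_id(raw: str) -> int:
    """Return the product id as an int; raise ValueError on anything but 0-9."""
    if not PRODUCT_ID_RE.fullmatch(raw):
        raise ValueError(f"invalid product id: {raw!r}")
    return int(raw)


def make_db() -> sqlite3.Connection:
    """Constructed sample catalogue (hypothetical rows) in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price_cents INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 999), (2, "gadget", 2499), (3, "internal-only SKU", 0)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str):
    """The coding flaw the thread describes: untrusted text becomes part of the SQL."""
    sql = "SELECT id, name FROM products WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, raw_id: str):
    """Validate at the boundary, then bind the value as a parameter so the
    database driver never interprets it as SQL."""
    product_id = validate_product_id(raw_id)
    return conn.execute(
        "SELECT id, name FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups on a well-formed id and on a malformed one."""
    conn = make_db()
    normal = "2"
    malformed = "2 OR 1=1"  # constructed input that a digits-only check must reject
    results = {
        "unsafe_normal": lookup_unsafe(conn, normal),
        "unsafe_malformed": lookup_unsafe(conn, malformed),  # every row comes back
        "safe_normal": lookup_safe(conn, normal),
    }
    try:
        lookup_safe(conn, malformed)
        results["safe_malformed"] = "accepted"
    except ValueError:
        results["safe_malformed"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The validation and the parameter binding are two separate controls: the allow-list stops malformed data at the edge of the application (and gives a clean error to log), while the bound parameter means that even data which slips past a weaker check is never parsed as SQL. Applying the same pattern to every field, including ones that arrive from internal systems rather than the browser, is what the "all data ... is validated" line in the message asks for.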



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Jason Alexander
Sent: Wednesday, January 16, 2008 8:04 AM
To: David Glosser; security-basics () securityfocus com
Subject: RE: Firewalls and PCI


 
(PS - can anyone explain in English the difference between an application
firewall and an IPS device?)

I'm actually trying to decipher the differences too. Most IPS devices now do
deep packet, layer seven inspection and do web-centric prevention. The 2 web
issues that would cause you to fail PCI compliance would be SQL injection
and XSS. These are normally well covered in most modern IPS solutions.
However, PCI 1.1 does refer to them individually. Also Juniper have a
document
http://www.juniper.net/solutions/literature/solutionbriefs/351278.pdf that
states that only their DX web accelerators would satisfy 6.6 on PCI and not
their IPS solutions.


I'm still looking into it...



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of David Glosser
Sent: 16 January 2008 00:03
To: security-basics () securityfocus com
Subject: Re: Firewalls and PCI


I'll let others answer the firewall question, but here are other points to
ponder (I know a lot of this is outside of the area of network design,
apologies in advance if someone else is covering this)

- Don't forget about the backup or "management" network. You can have lots
  of firewalls, but if the segments are connected on the back-end for backups
  or management, then what's the point ;)
- Add Intrusion Protection (or at least detection) in your network design
- Add application firewalls to your design (which can be as simple as Apache
  with ModSecurity or a more expensive appliance). An application firewall
  may be required anyway in the next major PCI compliance revision.
- Management of different devices can add overhead, but some people like a
  "defense in depth" approach. Consider a different model of firewall for
  your perimeter than the others. Consider two different models of IDS/IPS
  devices.
- Are you required to do "encryption" of data at rest, as well as encryption
  of backup tapes?
- Consider one of those unified log aggregators
- Consider Tripwire or a host IDS
- Consider a 24x7 monitoring service.
- Is there a data-breach plan in place in case the credit card info gets
  out?
- Is someone running regular internal and external vulnerability scans?

DG

(PS - can anyone explain in English the difference between an application
firewall and an IPS device?)


--- Josh Haft <pacmansyu () gmail com> wrote:

Hello all,

Please consider the following scenario with respect to a) PCI
compliance, b) best practice, and c) your own personal
experiences/implementations.

Have been requested by a client to implement separate, physical
firewalls between our various networks. Currently, we have one
physical firewall with interfaces to a public network (after a quick
pass through a router), a LAN, a DMZ, and another network which houses
our database servers. These are all on separate networks, and run
through separate physical switches.

The client wants another physical firewall between each subnet. The
new configuration as I see it would have the 'main' firewall NAT'ing
and passing traffic from the public network to the DMZ, and to two
additional firewalls. Behind those firewalls would be a LAN and the
separate 'database network', respectively.

In our never-ending quest to bend over for every client, cost (within
reason) is not an issue, so disregard that aspect. Comments,
questions, and concerns as they relate to this issue would be greatly
appreciated.

Thanks!
Josh


