Firewall Wizards mailing list archives
Re: Using linux firewalls for PCI compliant infrastructure
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 24 Nov 2009 20:10:17 -0500 (EST)
On Wed, 25 Nov 2009, Siim Põder wrote:
> Hi,
>
> We are using linux-based servers as firewalls for PCI compliant infrastructure. During audits it has been OK so far but security people internally have suggested that maybe a commercial product would be better suited for PCI infrastructure (as it is pretty critical).
Have them articulate *why* they think it would be better-suited in terms of the DSS standard. Have them articulate what security features they think are missing in your current infrastructure, then you can make an informed analysis of how to implement those features (be it with Linux or what have you.) The term "commercial firewall" still probably encompasses over a hundred devices from I dunno- more than fifty vendors- so how anyone who's got any clue about security can make that an argument without detail is beyond me. If they're just looking to spend money, I'd be happy to do a security review! ;)
> What do you think, would a commercial firewall provide a tangible improvement in security?
The security policy instituted by the firewall is the biggest thing that impacts security. Second is the layers you're doing security at, but then you have to do apples-to-apples comparisons, and fewer and fewer products are doing high-level filtering that's meaningful these days. Finally, many commercial firewalls are fancy VPN management interfaces and GUIs over Linux systems. But first of all, you need to decide what your policy is, what protections it provides and what your largest threats are, then you need to apply that to the PCI-DSS standard and see where you're at. Every time I do it, I find that I'm much better off spending time on OSSEC on my PCI-compliant hosts than firewall rules.
> Is anyone else using linux-based firewalls for PCI (or otherwise sensitive) infrastructure?
Yes, lots of people are.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards