Firewall Wizards mailing list archives

Re: Using linux firewalls for PCI compliant infrastructure


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 24 Nov 2009 20:10:17 -0500 (EST)

On Wed, 25 Nov 2009, Siim Põder wrote:

> Hi
> 
> We are using linux-based servers as firewalls for PCI compliant
> infrastructure. During audits it has been OK so far but security
> people internally have suggested that maybe a commercial product would
> be better suited for PCI infrastructure (as it is pretty critical).

Have them articulate *why* they think it would be better-suited in terms 
of the DSS standard.  Have them articulate what security features they 
think are missing in your current infrastructure, then you can make an 
informed analysis of how to implement those features (be it with Linux or 
what have you.)  The term "commercial firewall" still probably encompasses 
over a hundred devices from I dunno- more than fifty vendors- so how 
anyone who's got any clue about security can make that an argument without 
detail is beyond me.  If they're just looking to spend money, I'd be happy 
to do a security review! ;)

> What do you think, would a commercial firewall provide a tangible
> improvement in security?

The security policy instituted by the firewall is the biggest thing that 
impacts security.  Second is the layers you're doing security at, but then 
you have to do apples-to-apples comparisons, and fewer and fewer products 
are doing high-level filtering that's meaningful these days.  Finally, 
many commercial firewalls are fancy VPN management interfaces and GUIs 
over Linux systems.  But first of all, you need to decide what your policy 
is, what protections it provides and what your largest threats are, then 
you need to apply that to the PCI-DSS standard and see where you're at.  
Every time I do it, I find that I'm much better off spending time on OSSEC 
on my PCI-compliant hosts than firewall rules.

> Is anyone else using linux-based firewalls for PCI (or otherwise sensitive)
> infrastructure?


Yes, lots of people are.

Paul 
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
           Moderator: Firewall-Wizards mailing list
           Art: http://PaulDRobertson.imagekind.com/
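The reply above argues that the policy the firewall enforces matters more than whose box it runs on. As an added illustration (this is not code from the thread or from any product it mentions), the script below audits an `iptables-save` dump of a Linux firewall for two things a PCI review of a ruleset typically starts with: a default DROP policy on the INPUT and FORWARD chains, and no ACCEPT rule in those chains that carries no match at all. The two rulesets embedded in it are constructed samples, one weak and one hardened; the chain names, option names and file format are the real netfilter ones, while the list of "restricting" options checked is a deliberately small assumption and would need widening for a production audit.

```python
"""
Added example: audit the *filter table of an iptables-save dump for a
default-deny posture. Not part of the original mailing-list thread.
"""
import re

# Constructed sample: FORWARD defaults to ACCEPT and carries a blanket
# ACCEPT rule, so anything routed through this box passes unfiltered.
WEAK_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""

# Constructed sample: default DROP on INPUT and FORWARD, only a specific
# service is forwarded, and the fall-through is logged before the DROP policy.
HARDENED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -p tcp --dport 443 -d 192.0.2.10 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOG --log-prefix "FWD-DROP "
COMMIT
"""

# ":CHAIN POLICY [packets:bytes]" lines declare the default policy.
POLICY_RE = re.compile(r"^:(\S+) (\S+) \[\d+:\d+\]$")
# "-A CHAIN <matches and target>" lines are the rules, in order.
RULE_RE = re.compile(r"^-A (\S+)(.*)$")

# Assumed (small) set of options that narrow a rule. A real audit would
# treat any iptables match module as restricting.
MATCH_OPTIONS = ("-s", "-d", "-i", "-o", "-p", "--dport", "--sport", "-m", "--state")


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies: {chain: default_target}
    rules:    [(chain, rule_text)] in file order
    """
    policies, rules = {}, []
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter or *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or line == "COMMIT" or line.startswith("#"):
            continue
        m = POLICY_RE.match(line)
        if m:
            policies[m.group(1)] = m.group(2)
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2).strip()))
    return policies, rules


def is_blanket_accept(rule_text):
    """True if the rule jumps to ACCEPT and nothing in it restricts the match."""
    tokens = rule_text.split()
    if "-j" not in tokens or tokens[tokens.index("-j") + 1] != "ACCEPT":
        return False
    return not any(t in MATCH_OPTIONS for t in tokens)


def audit(dump):
    """Return a list of findings; an empty list means both checks passed."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in ("INPUT", "FORWARD"):
        if policies.get(chain) != "DROP":
            findings.append(
                f"{chain} default policy is {policies.get(chain, 'missing')}, expected DROP"
            )
    for chain, text in rules:
        if chain in ("INPUT", "FORWARD") and is_blanket_accept(text):
            findings.append(f"{chain} has an unrestricted ACCEPT rule: -A {chain} {text}")
    return findings


if __name__ == "__main__":
    for name, dump in (("weak", WEAK_RULESET), ("hardened", HARDENED_RULESET)):
        print(name, audit(dump) or "OK")
```

On a live box the same function can be fed the output of `iptables-save` directly; the point is that the check is against the policy you decided on, not against the vendor label on the device.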

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

