Firewall Wizards mailing list archives

Re: Using linux firewalls for PCI compliant infrastructure


From: Marcin Antkiewicz <firewallwizards () kajtek org>
Date: Wed, 25 Nov 2009 09:40:04 -0600

I am. For PCI. No problem. Did the people who suggested something
commercial provide any good quantifiable reasons or was it simply
cargo-cult network security?

It's not cargo cult or, at least, it does not have to be. Commercial solutions
are normalized, or at least appear as such to the general population, such as
your auditors. From your perspective it might, rightfully, seem like a misplaced
effort, while the security folks could report to many masters and have another
set of requirements (cost of compliance vs. your more technical metrics).

Before I get shot: I am not arguing that the audit score is a measure
of security.

My wild guess is that your security folks believe that a WAF, or whatever they want
to put in, would make the auditors happy, therefore it would address one of the
risks they are facing. On the technical side, WAFs are a double-edged sword and
lure people into a band-aid treadmill, where they fix countless symptoms
(XSS patches) rather than the often dangerous and hard-to-address
disease (SDLC).

At the same time, the audit risk is far more tangible and predictable than whatever
might happen due to scrapping your custom system in favor of buying some off-the-shelf
wonder. I would call this substandard risk management, but many companies seem
to thrive on such an approach....

Again, just playing the devil's advocate here.

--
Marcin Antkiewicz
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards