Re: Sony: No firewall and no patches

[Tracy Reed <treed () ultraviolet org>]

On Tue, May 10, 2011 at 05:07:39AM +0000, Dobbins, Roland spake thusly:
> Stateful firewalls have no place in front of servers, where every incoming
> request is unsolicited, and therefore there is no state to inspect in the
> first place.

The PCI SSC requires a stateful firewall in front of servers processing credit
card data. Not only to block inbound access to any ports or services
accidentally exposed but the outbound policy must also be default deny to make
it more difficult to exfiltrate stolen data. If you have traffic going out to a
high numbered port and you are not keeping state how do you know if that is a
reply packet to an existing inbound connection or if it is an unauthorized
outbound connection?

Of course, the network should be properly segmented so that only the servers
processing payment data are in-scope. You may be right about not putting a
stateful firewall in front of the gaming servers (in Sony's case).

> Where stateful firewalls in front of Web servers are incorrectly mandated by
> various regulatory frameworks, making use of mod_security or its equivalent
> on the Web servers themselves ensures compliance without creating a DDoS
> chokepoint.

If you don't have a stateful firewall blocking outbound connections why would
the traffic even have to go through mod_security?

-- 
Tracy Reed

Attachment: _bin
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/