Full Disclosure mailing list archives
Re: Sony: No firewall and no patches
From: "Ivan ." <ivanhec () gmail com>
Date: Tue, 10 May 2011 16:48:45 +1000
Doesn't it also mandate the encryption of CC info? Requirement 4, Encrypting and Storing Credit Card Data. Plenty of reports that the data was not encrypted, and also plenty that say it was.

On Tue, May 10, 2011 at 4:40 PM, Tracy Reed <treed () ultraviolet org> wrote:
> On Tue, May 10, 2011 at 05:07:39AM +0000, Dobbins, Roland spake thusly:
>> Stateful firewalls have no place in front of servers, where every incoming request is unsolicited, and therefore there is no state to inspect in the first place.
>
> The PCI SSC requires a stateful firewall in front of servers processing credit card data. Not only to block inbound access to any ports or services accidentally exposed, but the outbound policy must also be default deny to make it more difficult to exfiltrate stolen data. If you have traffic going out to a high numbered port and you are not keeping state, how do you know if that is a reply packet to an existing inbound connection or if it is an unauthorized outbound connection?
>
> Of course, the network should be properly segmented so that only the servers processing payment data are in scope. You may be right about not putting a stateful firewall in front of the gaming servers (in Sony's case).
>
>> Where stateful firewalls in front of Web servers are incorrectly mandated by various regulatory frameworks, making use of mod_security or its equivalent on the Web servers themselves ensures compliance without creating a DDoS chokepoint.
>
> If you don't have a stateful firewall blocking outbound connections, why would the traffic even have to go through mod_security?
>
> --
> Tracy Reed
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
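The egress point Tracy makes in the quoted message (a stateless "allow high ports out" rule cannot tell a reply to an inbound client from a new connection an intruder opens to push data out) is easiest to see in an actual ruleset. The following nftables configuration is an added example for this archive page, not something posted in the thread or taken from Sony's or PCI SSC's material. The interface names, the acquirer gateway, resolver and NTP addresses, and the jump-host address are placeholders chosen for illustration.

```nft
# Added example (not from the thread): host-based nftables ruleset for a server
# in the cardholder-data segment. All addresses and interface names below are
# placeholders. Assumes IPv6 is disabled on the host; if it is not, add the
# icmpv6 (neighbour discovery) rules or this policy will break IPv6 entirely.

flush ruleset

define ACQUIRER_GW = 203.0.113.10                 # placeholder: payment processor endpoint
define DNS_SERVERS = { 192.0.2.53, 192.0.2.54 }   # placeholder: internal resolvers
define NTP_SERVER  = 192.0.2.123                  # placeholder: internal time source
define JUMP_HOST   = 192.0.2.200                  # placeholder: admin bastion

table inet pci {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept   # replies to connections this host opened
        ct state invalid drop
        iif lo accept
        # The only service this host offers: the payment API (behind the load balancer).
        iif eth0 tcp dport 443 ct state new accept
        # Administrative access only from the bastion, on the management interface.
        iif eth1 ip saddr $JUMP_HOST tcp dport 22 ct state new accept
        log prefix "pci-in-drop " drop
    }

    chain output {
        type filter hook output priority 0; policy drop;

        # Reply traffic for inbound connections that the input chain accepted.
        # This single rule is what a stateless filter cannot express.
        ct state established,related accept
        ct state invalid drop
        oif lo accept

        # WRONG (the stateless substitute): "let replies reach clients' ephemeral
        # ports". A fresh SYN from this host to attacker.example:45000 matches it
        # exactly as well as a reply to a legitimate client, so stolen data walks
        # out. Kept here, commented out, only as the counter-example.
        # tcp dport 1024-65535 accept

        # RIGHT: enumerate the outbound destinations the host legitimately needs
        # and let connection tracking handle everything that follows.
        ip daddr $ACQUIRER_GW tcp dport 443 ct state new accept
        ip daddr $DNS_SERVERS udp dport 53 ct state new accept
        ip daddr $NTP_SERVER  udp dport 123 ct state new accept

        # Everything else, including any exfiltration attempt, is logged and dropped.
        log prefix "pci-out-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;   # this host does not route
    }
}
```

Load it with `nft -f pci.nft` and confirm with `nft list ruleset`; the `pci-out-drop` log prefix is the line to alert on, since on a correctly allowlisted host it should almost never fire. Because the rules run on the server itself rather than on a separate device, the inbound side does not introduce the DDoS chokepoint Roland objects to, while the output chain still gives the default-deny egress policy Tracy describes.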
Current thread:
- Re: Sony: No firewall and no patches, (continued)
- Re: Sony: No firewall and no patches Ivan . (May 09)
- Re: Sony: No firewall and no patches Christian Sciberras (May 09)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches Thor (Hammer of God) (May 09)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches James Matthews (May 11)
- Re: Sony: No firewall and no patches Ivan . (May 09)
- Re: Sony: No firewall and no patches The Security Community (May 09)
- Re: Sony: No firewall and no patches Nick FitzGerald (May 09)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 09)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches Ivan . (May 09)
- Re: Sony: No firewall and no patches Valdis . Kletnieks (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 09)
- Re: Sony: No firewall and no patches Tracy Reed (May 09)
- Re: Sony: No firewall and no patches Pete Smith (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 10)
- Re: Sony: No firewall and no patches Thor (Hammer of God) (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 10)
- Re: Sony: No firewall and no patches Thor (Hammer of God) (May 10)
- Re: Sony: No firewall and no patches Dobbins, Roland (May 10)