Penetration Testing mailing list archives

Re: PCI Compliance Scope


From: Tracy Reed <treed () ultraviolet org>
Date: Thu, 12 Nov 2009 13:30:46 -0800

On Thu, Nov 12, 2009 at 12:42:35PM -0800, Eric Milam spake thusly:
> Basically the fear is base camps from which to launch an attack.
> As Erin stated below, if there are measures in place (not just
> vlans) to prevent access from the log machine to the Card Holder
> data environment then it may be that the device will be out of
> scope.

Why not just VLANs? Do we not trust VLANs or are we worried about VLAN
misconfiguration? Or switch compromise? Cisco commissioned a study by
@Stake (IIRC) which made a pretty good case for VLAN security. Of
course, that may just be Cisco getting the results it paid for. But it
seemed reasonable to me.

-- 
Tracy Reed
http://tracyreed.org
