Penetration Testing mailing list archives

Re: PCI Compliance Scope


From: Eric Milam <emilam () coretechsg com>
Date: Thu, 12 Nov 2009 13:34:27 -0800

It's not my decision; last I checked, I don't think the PCI Council allowed it as the only form of separation.
Tracy Reed wrote:
On Thu, Nov 12, 2009 at 12:42:35PM -0800, Eric Milam spake thusly:
Basically the fear is base camps from which to launch an attack.
As Erin stated below, if there are measures in place (not just
vlans) to prevent access from the log machine to the Card Holder
data environment then it may be that the device will be out of
scope.

Why not just VLANs? Do we not trust VLANs or are we worried about VLAN
misconfiguration? Or switch compromise? Cisco commissioned a study by
@Stake (IIRC) which made a pretty good case for VLAN security. Of
course, that may just be Cisco getting the results it paid for. But it
seemed reasonable to me.