Re: [fw-wiz] PCI DSS & Firewalls



Amen.

Working for a .com e-commerce company, it is the most frustrating thing dealing with this standard. There is some specifics on some sections, and a lot of vagueness in others...the application firewall requirement being the one that ticks me off the most.

If you are reading PCI DSS 1.1, then yeah, "stateful inspection" was the answer. If you're reading PCI DSS 1.2, "application firewall" is the answer. But, they don't define what the "application firewall" is supposed to do and what it's supposed to block/stop/log. I have demo'ed no less than 8 "application firewalls" in the last year, with only two of them actually logging/blocking anything bad. Additionally, there are "application firewalls" out there that do nothing more than match IDS signatures and block them.

PCI DSS is pretty sad. They could have taken another already-established standard with some brains behind it and adopted it instead...just said, you must follow "OrgA" standards for system hardening and auditing and whatnot...called it a day.

Paul D. Robertson wrote:
Is it just me, or do the PCI DSS "standards" for firewalls look like someone played "I have a CISSP" buzzword bingo?

Do the PCI folks _really_ think "stateful inspection" is the answer, and isn't that a Checkpoint trademark anyway?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@xxxxxxxxxxxx which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards




_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: LP Standard
    ... A very genuine and real Les Paul can have any kinda truss ... become a Standard if a Standard truss rod cover is put on it, ... know you can replace truss rod covers. ... truss rod covers, you probably wouldn't be so quick to judge a guitar, ...
    (alt.guitar)
  • Re: Questions about Arabic phonology
    ... Paul wrote: ... >> is an emphatic d in modern standard arabic. ... (Badawi level II), and also the colloquials. ...
    (sci.lang)
  • Re: Battle against the Quotes
    ... Paul O'Malley's leg is 3" shorter than it's standard length. ... > good old HTML that falls foul of the quotes. ...
    (microsoft.public.inetserver.asp.db)
  • Re: LP Standard
    ... the word Standard had everyone reaching for the definition of a Les Paul. ... Standard truss rod cover is put on it, but the folks in here looking at ...
    (alt.guitar)
  • Re: Application Focus
    ... but maybe you can fake something together (if in power state A for an extra ... > Thanks for the reply Paul... ... >> The hardest part is going to be detecting 'no activity'. ... there's no standard way to ...
    (microsoft.public.dotnet.framework.compactframework)