Re: [fw-wiz] Using linux firewalls for PCI compliant infrastructure

On Wed, 25 Nov 2009, Siim Põder wrote:

> We are using linux-based servers as firewalls for PCI compliant
> infrastructure. During audits it has been OK so far but security
> people internally have suggested that maybe a commercial product would
> be better suited for PCI infrastructure (as it is pretty critical).

Have them articulate *why* they think it would be better-suited in terms
of the DSS standard. Have them articulate what security features they
think are missing in your current infrastructure, then you can make an
informed analysis of how to implement those features (be it with Linux or
what have you.) The term "commercial firewall" still probably encompasses
over a hundred devices from I dunno- more than fifty vendors- so how
anyone who's got any clue about security can make that an argument without
detail is beyond me. If they're just looking to spend money, I'd be happy
to do a security review! ;)

> What do you think, would a commercial firewall provide a tangible
> improvement in security?

The security policy instituted by the firewall is the biggest thing that
impacts security. Second is the layers you're doing security at, but then
you have to do apples-to-apples comparisons, and fewer and fewer products
are doing high-level filtering that's meaningful these days. Finally,
many commercial firewalls are fancy VPN management interfaces and GUIs
over Linux systems. But first of all, you need to decide what your policy
is, what protections it provides and what your largest threats are, then
you need to apply that to the PCI-DSS standard and see where you're at.
Every time I do it, I find that I'm much better off spending time on OSSEC
on my PCI-compliant hosts than firewall rules.

> Is anyone else using linux-based firewalls for PCI (or otherwise
> sensitive)

Yes, lots of people are.

Paul D. Robertson
paul@xxxxxxxxxxxx
Moderator: Firewall-Wizards mailing list

"My statements in this message are personal opinions
which may have no basis whatsoever in fact."