Re: [fw-wiz] Using linux firewalls for PCI compliant infrastructure

> We are using linux-based servers as firewalls for PCI compliant
> infrastructure. During audits it has been OK so far but security
> people internally have suggested that maybe a commercial product would
> be better suited for PCI infrastructure (as it is pretty critical).

First things first: in PCI DSS, a firewall is a firewall is a
firewall. There is no preference for free or commercial ones. The only
criterion is "stateful" (somewhere in 1.1, if I recall correctly).

> What do you think, would a commercial firewall provide a tangible
> improvement in security?

Too close to being a religious debate.

> Is anyone else using linux-based firewalls for PCI (or otherwise
> sensitive) infrastructure?

Yes, I've seen people use iptables in 1.1 and in 1.4 (as a personal firewall).
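Since the one property PCI DSS actually asks of the firewall is that it be stateful, the practical question for an iptables box is whether its ruleset really is stateful and default-deny, rather than a stateless port list. Below is an added example (not from this thread or any poster) that reads an `iptables-save` style dump of the filter table and reports what an auditor would flag: an INPUT or FORWARD chain without a DROP/REJECT policy, no ESTABLISHED,RELATED accept rule, or accept rules that carry no connection-state match. The two rulesets are constructed for illustration; the loopback exemption (`-i lo`) and the choice to check only INPUT and FORWARD are assumptions of this script, not PCI text.

```python
import re

# Constructed sample rulesets in iptables-save format (illustrative, not real hosts).
STATEFUL_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 443 -m state --state NEW -j ACCEPT
COMMIT
"""

# A stateless port list: accept-by-default policies and a source-port hole.
STATELESS_RULESET = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 443 -j ACCEPT
COMMIT
"""

# Matches both the modern conntrack match and the legacy state match.
STATE_RE = re.compile(r"-m (?:conntrack --ctstate|state --state) (\S+)")


def parse_filter_table(dump):
    """Return (policies, rules) for the *filter table of an iptables-save dump.

    policies maps chain -> default policy; rules maps chain -> list of '-A' lines.
    """
    policies, rules = {}, {}
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *filter or *nat
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):          # chain declaration: ':INPUT DROP [0:0]'
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):      # rule appended to a chain
            chain = line.split()[1]
            rules.setdefault(chain, []).append(line)
    return policies, rules


def check_stateful(dump, chains=("INPUT", "FORWARD")):
    """Return a list of findings; an empty list means default-deny, stateful chains."""
    policies, rules = parse_filter_table(dump)
    findings = []
    for chain in chains:
        policy = policies.get(chain)
        if policy not in ("DROP", "REJECT"):
            findings.append(f"{chain}: default policy is {policy}, expected DROP or REJECT")
        chain_rules = rules.get(chain, [])

        # Stateful filtering needs an explicit accept for reply traffic.
        has_established = any(
            (m := STATE_RE.search(r)) and "ESTABLISHED" in m.group(1).split(",")
            and r.endswith("-j ACCEPT")
            for r in chain_rules
        )
        if not has_established:
            findings.append(f"{chain}: no ESTABLISHED,RELATED accept rule (stateless filtering)")

        # Every other accept should be qualified by connection state (loopback excepted).
        for rule in chain_rules:
            if "-j ACCEPT" in rule and not STATE_RE.search(rule) and "-i lo" not in rule:
                findings.append(f"{chain}: accept rule without state match: {rule}")
    return findings


if __name__ == "__main__":
    for name, dump in (("stateful", STATEFUL_RULESET), ("stateless", STATELESS_RULESET)):
        print(f"== {name} ==")
        for finding in check_stateful(dump) or ["no findings"]:
            print(" ", finding)
```

Run against the real box with `iptables-save | python3 check.py` after swapping the embedded samples for `sys.stdin.read()`; the source-port accept in the stateless sample is the classic pattern a stateful rule with `--ctstate ESTABLISHED,RELATED` replaces.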

