Re: Visa PCI Firewall Requirements and Windows Networks
From: Greg Stiavetti (stiavetti_at_rentoneonline.com)
Date: 05/09/05
- Previous message: Eric Luke: "Visa PCI Firewall Requirements and Windows Networks"
- In reply to: Eric Luke: "Visa PCI Firewall Requirements and Windows Networks"
- Next in thread: Spigga: "Re: Visa PCI Firewall Requirements and Windows Networks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Eric Luke" <eric@g2esolutions.com>, <focus-ms@securityfocus.com>
Date: Mon, 9 May 2005 12:19:54 -0700
These servers should be implemented as "standalone" workgroup machines; you
can use local security policy to perform largely all of the same things
you can do with AD, and lessen the "attack surface" by not using AD at all.
For a handful of boxes it's overkill and unwarranted.
Further, opening outbound access to the Windows Update servers (only), or using
Software Update Services (SUS) if you are really paranoid, and controlling
name resolution (use your own DNS servers and secure your hosts file) will
ensure that you can get your updates and not worry about outbound access to
unauthorised destinations.
Manage the machines via encrypted RDP sessions or use a VPN. Enforce SSL
encryption on your SQL Server: http://support.microsoft.com/?kbid=841695
----- Original Message -----
From: "Eric Luke" <eric@g2esolutions.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, May 06, 2005 4:31 PM
Subject: Visa PCI Firewall Requirements and Windows Networks
> Windows Security Experts and registered CISSPs:
> I am helping a company prepare for an upcoming on-site Visa PCI audit (now
> required for high volume companies storing credit card information) and I
> am wrestling with the firewall requirements and how they should be
> implemented in a Windows network.
>
> The requirements state that the card holder data must be protected from
> public networks (Internet) by a 2-tiered firewall architecture; this I can
> understand...the "edge" firewall protects the DMZ servers by limiting
> inbound traffic to selected ports (like 80 and 443) and the second
> firewall between the DMZ and a protected "Trusted Zone" where the
> cardholder data is stored. You now have 2 layers of "security" between
> the data and the Internet.
>
> So, I have set up that architecture and am now working on the rules for
> the firewalls. Let's say that the database servers are the only things
> behind the second firewall. In a perfect simple networking world I would
> now limit incoming and outgoing traffic through that second firewall to
> just the database ports (i.e. - 1433, 1434) and applications that need
> access to the data only need those ports open. Sounds simple...
>
> In a Windows network, Active Directory is a nice thing to have around for
> managing servers. Let's say I have an Active Directory Server in the DMZ
> (or another separate office network segment). If I want my Active
> Directory Server to interact with the Database servers now I need to open
> up port 445 (at least) both directions through the second firewall to have
> that functionality. Reading in "Hacking Exposed" it sounds to me like
> having port 445 opened up into the trusted zone is not the most secure
> thing to do if a hacker has made it through the first firewall and is now
> in the DMZ "poking around".
> How do I solve this dilemma? I would like those servers to be part of
> Active Directory and get the domain security policies, etc. Is there some
> other secure configuration that I am not seeing? If my active directory
> server is not in the DMZ but in a separate office segment I have the same
> problem for the web servers. Seems like port 445 is required in a Windows
> network for ease of management...is that going to be interpreted by Visa
> as a "required business protocol"??
> Should I be worried about port 445 being open through that second
> firewall? Would I have to have a separate domain controller in my DMZ and
> the trusted zone?? That seems excessive. Please Help!!!
>
> OK, now my next dilemma is that when I read the PCI requirements it sounds
> like they want me to limit all outgoing traffic from behind both
> firewalls down to a bare minimum. If I do that how do I get the Windows
> OS on the DMZ and database servers to do autoupdates for security patches,
> etc? (Up-to-date patches are also a PCI requirement.) Is there a PCI
> expert out there that really understands what outbound traffic they are
> really asking to be limited here?
> From reading Hacking Exposed I understand that if a hacker gets some
> trojan placed in the DMZ and the firewall allows all outgoing traffic he
> can do nasty things just having inbound 80 and all outbound ports
> open...so I understand the desire to limit outbound ports but how do you
> do updates...or browse the web for that matter...from inside your network?
> I am guessing I am missing a major conceptual idea here...anybody help
> clear me up???
>
> Thanks tons in advance!
>
> -Eric (alias confused)
>
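The two-tier design the thread describes (edge firewall admitting only 80/443 into the DMZ, second firewall admitting only the SQL Server ports into the trusted zone, outbound from both zones pinned to an update server and the organisation's own DNS, administration over RDP) can be written down as a small zone-based rule set and checked before it is typed into a real firewall. The following is an added example, not code from the original post or from either participant: it models first-match evaluation with an implicit deny, probes the design with a handful of flows, and flags any rule that would either expose the trusted zone to the Internet directly or open the SMB/RPC ports that domain membership needs into it. The zone names, the "mgmt" segment, and the RFC 5737 addresses used for the SUS host and internal resolver are assumptions.

```python
"""Zone-based model of the two-tier PCI firewall design discussed in the thread.

Added example. Zone names, the management segment and all addresses below
are constructed assumptions; they are not taken from the original messages.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    proto: str                       # "tcp" or "udp"
    dports: Optional[frozenset]      # destination ports; None means any port
    dst_hosts: Optional[frozenset]   # allowlisted destination IPs; None means any host
    action: str                      # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    dst_host: str


# Constructed addresses from RFC 5737 documentation space (assumptions).
SUS_SERVER = "192.0.2.10"    # Software Update Services host in the management segment
INTERNAL_DNS = "192.0.2.53"  # the organisation's own resolver, so name lookups never leave

# Ports that joining a Windows domain needs at minimum (RPC endpoint mapper, NetBIOS, SMB).
DOMAIN_PORTS = frozenset({135, 139, 445})

POLICY: List[Rule] = [
    # Edge firewall: the Internet only reaches the DMZ web tier on 80/443.
    Rule("edge-web-inbound", "internet", "dmz", "tcp", frozenset({80, 443}), None, "allow"),
    # Second firewall: the DMZ only reaches the SQL Server listener and SQL browser service.
    Rule("dmz-to-sql", "dmz", "trusted", "tcp", frozenset({1433}), None, "allow"),
    Rule("dmz-to-sql-browser", "dmz", "trusted", "udp", frozenset({1434}), None, "allow"),
    # Outbound from both zones is pinned to the update server and the internal resolver.
    Rule("dmz-updates", "dmz", "mgmt", "tcp", frozenset({80, 443}), frozenset({SUS_SERVER}), "allow"),
    Rule("trusted-updates", "trusted", "mgmt", "tcp", frozenset({80, 443}), frozenset({SUS_SERVER}), "allow"),
    Rule("dmz-dns", "dmz", "mgmt", "udp", frozenset({53}), frozenset({INTERNAL_DNS}), "allow"),
    Rule("trusted-dns", "trusted", "mgmt", "udp", frozenset({53}), frozenset({INTERNAL_DNS}), "allow"),
    # Administration comes in over RDP from the management segment only.
    Rule("mgmt-rdp-dmz", "mgmt", "dmz", "tcp", frozenset({3389}), None, "allow"),
    Rule("mgmt-rdp-trusted", "mgmt", "trusted", "tcp", frozenset({3389}), None, "allow"),
]


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when zones and protocol agree and port/host are in its allowlists."""
    return (rule.src_zone == flow.src_zone
            and rule.dst_zone == flow.dst_zone
            and rule.proto == flow.proto
            and (rule.dports is None or flow.dport in rule.dports)
            and (rule.dst_hosts is None or flow.dst_host in rule.dst_hosts))


def evaluate(policy: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation; anything no rule allows falls through to an implicit deny."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def find_violations(policy: List[Rule]) -> List[str]:
    """Names of allow rules that break the two constraints the thread settles on:
    no path from the Internet straight into the trusted zone, and no domain
    (SMB/RPC) ports, or unrestricted ports, opened into the trusted zone."""
    bad = []
    for rule in policy:
        if rule.action != "allow" or rule.dst_zone != "trusted":
            continue
        if rule.src_zone == "internet":
            bad.append(rule.name)
        elif rule.dports is None or rule.dports & DOMAIN_PORTS:
            bad.append(rule.name)
    return bad


if __name__ == "__main__":
    # Constructed probe flows covering the cases raised in the thread.
    probes = [
        Flow("internet", "dmz", "tcp", 443, "198.51.100.5"),      # customer hitting the web tier
        Flow("internet", "trusted", "tcp", 1433, "198.51.100.20"),  # must never reach the database
        Flow("dmz", "trusted", "tcp", 445, "198.51.100.20"),        # AD/SMB into the trusted zone
        Flow("dmz", "trusted", "tcp", 1433, "198.51.100.20"),       # application to database
        Flow("dmz", "internet", "tcp", 80, "203.0.113.9"),          # DMZ host calling an arbitrary site
        Flow("trusted", "mgmt", "tcp", 80, SUS_SERVER),             # patch download from SUS
    ]
    for f in probes:
        print(f"{f.src_zone:>8} -> {f.dst_zone:<8} {f.proto}/{f.dport:<5} {f.dst_host:<15}", evaluate(POLICY, f))
    print("violations:", find_violations(POLICY))
```

The value of writing the policy this way is that the two questions in the thread become executable checks: `evaluate` shows that 445 from the DMZ into the trusted zone and any DMZ connection to an arbitrary Internet host fall through to the implicit deny while the SQL and SUS flows pass, and `find_violations` will name any rule a later change adds that reopens either hole.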