Re: Visa PCI Firewall Requirements and Windows Networks
From: Spigga (spigga_at_gmail.com)
Date: 05/09/05
- Previous message: Greg Stiavetti: "Re: Visa PCI Firewall Requirements and Windows Networks"
- In reply to: Eric Luke: "Visa PCI Firewall Requirements and Windows Networks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 9 May 2005 16:17:16 -0500
To: Eric Luke <eric@g2esolutions.com>
We are subject to these requirements as well. For AD it's possible to
join a machine to the domain, get the group policy, cache login
credentials, then block those ports; this will allow you to enforce the
GP without the risk of open ports or a DC in the DMZ.
Outbound access should be minimized, but if Windows Update is your
patching method I would allow traffic explicitly to the list of
Windows Update servers; it can't be too hard to find. I recommend using
alternative tools on trusted servers to patch your machines, even home-grown
scripts: anything that will allow you to open one or two ports
to/from a specific machine on a trusted network rather than to the
Internet.
On 5/6/05, Eric Luke <eric@g2esolutions.com> wrote:
> Windows Security Experts and registered CISSPs:
> I am helping a company prepare for an upcoming on-site Visa PCI audit
> (now required for high volume companies storing credit card information)
> and I am wrestling with the firewall requirements and how they should be
> implemented in a Windows network.
>
> The requirements state that the card holder data must be protected from
> public networks (Internet) by a 2-tiered firewall architecture, this I
> can understand...the "edge" firewall protects the DMZ servers by
> limiting inbound traffic to selected ports (like 80 and 443) and the
> second firewall between the DMZ and a protected "Trusted Zone" where the
> cardholder data is stored. You now have 2 layers of "security" between
> the data and the Internet.
>
> So, I have set up that architecture and am now working on the rules for
> the firewalls. Let's say that the database servers are the only things
> behind the second firewall. In a perfect simple networking world I
> would now limit incoming and outgoing traffic through that second
> firewall to just the database ports (i.e., 1433, 1434) and applications
> that need access to the data only need those ports open. Sounds simple...
>
> In a Windows network, Active Directory is a nice thing to have around
> for managing servers. Let's say I have an Active Directory Server in the
> DMZ (or another separate office network segment). If I want my Active
> Directory Server to interact with the Database servers now I need to
> open up port 445 (at least) both directions through the second firewall
> to have that functionality. Reading in "Hacking Exposed" it sounds to
> me like having port 445 opened up into the trusted zone is not the most
> secure thing to do if a hacker has made it through the first firewall
> and is now in the DMZ "poking around".
>
> How do I solve this dilemma? I would like those servers to be part of
> Active Directory and get the domain security policies, etc. Is there
> some other secure configuration that I am not seeing? If my active
> directory server is not in the DMZ but in a separate office segment I
> have the same problem for the web servers. Seems like port 445 is
> required in a windows network for ease of management...is that going to
> be interpreted by Visa as a "required business protocol"??
> Should I be worried about port 445 being open through that second
> firewall? Would I have to have a separate domain controller in my DMZ
> and the trusted zone?? That seems excessive. Please Help!!!
>
> OK, now my next dilemma is that when I read the PCI requirements it
> sounds like they want me to limit all outgoing traffic from behind the
> both firewalls down to a bare minimum. If I do that how do I get the
> Windows OS on the DMZ and database servers to do autoupdates for
> security patches, etc? (Up-to-date patches is also a PCI requirement.)
> Is there a PCI expert out there that really understands what outbound
> traffic they are really asking to be limited here?
>
> From reading Hacking Exposed I understand that if a hacker gets some
> trojan placed in the DMZ and the firewall allows all outgoing traffic he
> can do nasty things just having inbound 80 and all outbound ports
> open...so I understand the desire to limit outbound ports but how do you
> do updates...or browse the web for that matter...from inside your network?
>
> I am guessing I am missing a major conceptual idea here...anybody help
> clear me up???
>
> Thanks tons in advance!
>
> -Eric (alias confused)
>
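The approach in the reply above (join the domain and pull group policy while the domain controller is reachable, cache an interactive logon, then close the AD/SMB ports and allow only the database ports and a trusted patch server) can be implemented on the Windows host itself with the built-in firewall. The following is an added example written for this page; it is not code from the thread or from either poster. Every address, the domain name, the WSUS ports and the management host are assumptions chosen for illustration, and it targets Windows Server 2012 R2 / Windows 8.1 or later (the NetSecurity module and Test-NetConnection), which postdates the thread.

```powershell
# Added example (not from the original thread): host-firewall implementation of the
# "join the domain, pull group policy, cache a logon, then close the AD ports" approach
# on a database server in the trusted zone. All names and addresses are assumptions.
# Run in an elevated PowerShell session.

$DomainName       = 'corp.example'   # assumed AD domain
$DomainController = '10.10.0.10'     # assumed DC on the office segment
$DmzWebServer     = '10.20.0.5'      # assumed DMZ web server that needs the database
$MgmtHost         = '10.10.0.30'     # assumed admin jump host allowed to RDP in
$PatchServer      = '10.10.0.50'     # assumed internal WSUS server used instead of Windows Update
$DnsServer        = '10.10.0.10'     # assumed resolver (often the DC itself)

# --- Step 1: join and pull policy while the domain controller is still reachable ----------
# Add-Computer needs a reboot to finish the join; run it once by hand, then log on
# interactively as the domain account that will administer this box so that logon is
# cached locally (Windows keeps the last 10 domain logons by default, CachedLogonsCount).
#   Add-Computer -DomainName $DomainName -Credential (Get-Credential) -Restart
gpupdate /force                      # apply domain group policy now, while 445 etc. are open

# --- Step 2: default deny in both directions on every profile -----------------------------
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Block

# Remove rules from an earlier run of this script so it can be re-applied cleanly.
Get-NetFirewallRule -DisplayName 'PCI:*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# --- Step 3: the only "required business protocol" inbound: SQL Server from the DMZ web tier
New-NetFirewallRule -DisplayName 'PCI: SQL 1433/tcp from DMZ web' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $DmzWebServer
# 1434/udp is the SQL Browser service; only needed if the web tier connects to a named instance.
New-NetFirewallRule -DisplayName 'PCI: SQL Browser 1434/udp from DMZ web' -Direction Inbound -Action Allow `
    -Protocol UDP -LocalPort 1434 -RemoteAddress $DmzWebServer
# Administration from a single management host only.
New-NetFirewallRule -DisplayName 'PCI: RDP from mgmt host' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $MgmtHost

# --- Step 4: explicit Block rules for the AD/SMB management ports -------------------------
# A Block rule beats any Allow rule in Windows Firewall, so a GPO-delivered
# "File and Printer Sharing" allow cannot silently reopen 445 later.
$AdPorts = @(135, 139, 445)
New-NetFirewallRule -DisplayName 'PCI: block SMB/RPC/NetBIOS in' -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort $AdPorts
New-NetFirewallRule -DisplayName 'PCI: block SMB/RPC/NetBIOS out' -Direction Outbound -Action Block `
    -Protocol TCP -RemotePort $AdPorts

# --- Step 5: minimal outbound: patch from a trusted server, not from the Internet ----------
New-NetFirewallRule -DisplayName 'PCI: WSUS 8530-8531/tcp out' -Direction Outbound -Action Allow `
    -Protocol TCP -RemotePort 8530,8531 -RemoteAddress $PatchServer
New-NetFirewallRule -DisplayName 'PCI: DNS out' -Direction Outbound -Action Allow `
    -Protocol UDP -RemotePort 53 -RemoteAddress $DnsServer

# --- Step 6: verify -----------------------------------------------------------------------
Get-NetFirewallRule -DisplayName 'PCI:*' |
    Select-Object DisplayName, Direction, Action, Enabled | Format-Table -AutoSize
# Returns False once 445 to the DC is blocked.
Test-NetConnection -ComputerName $DomainController -Port 445 -InformationLevel Quiet
```

Two caveats a practitioner will want. First, once step 4 is applied the host can no longer reach the domain controller, so the periodic group policy refresh and Kerberos ticket renewal stop; the last policy applied stays in effect and logons keep working from the cached credentials, but any policy change requires reopening the DC ports from a maintenance window and running gpupdate again. Second, these host rules complement the second-tier firewall rather than replace it: the network firewall between the DMZ and the trusted zone should carry the same allow list (1433/tcp and, if needed, 1434/udp from the web tier only) with no rule for 445, so that a compromised DMZ host cannot use the management ports even if a host-level rule is later loosened.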