Re: Firewalls and PCI



Thanks. I know of one company whose management wants to get rid of the IPS devices in front of their web servers and replace them with application firewalls "since we can't afford both and both block the bad stuff".




----- Original Message ----
From: Jason Alexander <jalexander@xxxxxxxx>
To: David Glosser <david_glosser@xxxxxxxxx>; security-basics@xxxxxxxxxxxxxxxxx
Sent: Wednesday, January 16, 2008 11:03:30 AM
Subject: RE: Firewalls and PCI


(PS - can anyone explain in english the difference between an application
firewall and an IPS device?)

I'm actually trying to decipher the differences too. Most IPS devices now do
deep-packet, layer-seven inspection and do web-centric prevention. The two web
issues that would cause you to fail PCI compliance would be SQL injection and
XSS. These are normally well covered in most modern IPS solutions. However, PCI
1.1 does refer to them individually. Also, Juniper have a document
http://www.juniper.net/solutions/literature/solutionbriefs/351278.pdf that
states that only their DX web accelerators would satisfy 6.6 on PCI and not
their IPS solutions.


I'm still looking into it...



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of David Glosser
Sent: 16 January 2008 00:03
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Firewalls and PCI


I'll let others answer the firewall question, but here are other points to
ponder (I know a lot of this is outside of the area of network design, apologies
in advance if someone else is covering this)

- Don't forget about the backup or "management" network. You can have lots of
  firewalls, but if the segments are connected on the back-end for backups or
  management, then what's the point ;)
- Add Intrusion Protection (or at least detection) in your network design.
- Add application firewalls to your design (which can be as simple as Apache
  with ModSecurity or a more expensive appliance). An application firewall may
  be required anyway in the next major PCI compliance revision.
- Management of different devices can add overhead, but some people like a
  "defense in depth" approach. Consider a different model of firewall for your
  perimeter than the others. Consider two different models of IDS/IPS devices.
- Are you required to do "encryption" of data at rest, as well as encryption of
  backup tapes?
- Consider one of those unified log aggregators.
- Consider Tripwire or a host IDS.
- Consider a 24x7 monitoring service.
- Is there a data-breach plan in place in case the credit card info gets out?
- Is someone running regular internal and external vulnerability scans?

DG

(PS - can anyone explain in english the difference between an application
firewall and an IPS device?)
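[Added example, not part of the thread above.] Both Jason's note that modern IPS boxes do "layer seven inspection" and David's suggestion of Apache with ModSecurity turn on the same question: what does it mean to inspect a request at the application layer rather than as bytes on the wire? The script below is an added illustration, written for this page and not taken from any of the posters, Juniper, or ModSecurity. It runs two checks over the same constructed HTTP requests: a plain byte-level signature match with no HTTP parsing, and an application-layer check that parses the request, merges query-string and form parameters, percent-decodes them (twice, to undo double encoding) and only then matches. The SQL injection and XSS signatures are hypothetical, written for this example only; real rule sets such as ModSecurity's core rules are much larger and more carefully tuned, and a product that fully decodes HTTP, IPS or WAF, will of course normalise the same way. The point is that a signature applied to the raw bytes misses an encoded payload that the web application will happily decode and execute, which is why a PCI assessor asks what the device in front of the web tier actually understands.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Hypothetical signatures, written for this example only. A real rule set
# such as ModSecurity's core rules is far larger and more carefully tuned.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b.*\bselect\b"),
    re.compile(r"(?i)'\s*or\s*'?\d+'?\s*=\s*'?\d+"),  # ' or '1'='1
    re.compile(r"(?i)\bor\b\s+\d+\s*=\s*\d+"),        # or 1=1
    re.compile(r";\s*--"),
]
XSS_PATTERNS = [
    re.compile(r"(?i)<\s*script\b"),
    re.compile(r"(?i)\bon[a-z]+\s*="),   # onerror=, onload=
    re.compile(r"(?i)javascript\s*:"),
]
RULES = (("sqli", SQLI_PATTERNS), ("xss", XSS_PATTERNS))


def build_request(method, target, body=b""):
    """Assemble a raw HTTP/1.1 request (constructed sample input)."""
    lines = [f"{method} {target} HTTP/1.1", "Host: shop.example"]
    if body:
        lines.append("Content-Type: application/x-www-form-urlencoded")
        lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def raw_match(request_bytes):
    """Byte-level signature match over the whole request: no HTTP parsing and
    no decoding, i.e. what a sensor does if it only string-matches packets."""
    text = request_bytes.decode("latin-1")
    return [label for label, pats in RULES if any(p.search(text) for p in pats)]


def parse_request(request_bytes):
    """Split a raw request into (method, headers, parameters), merging the
    query string and form body the way the web application would see them."""
    head, _, body = request_bytes.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update(parse_qsl(body.decode("latin-1"), keep_blank_values=True))
    return method, headers, params


def normalize(value):
    """parse_qsl already decoded once; run two more passes so a double-encoded
    payload such as %2527 ends up as the quote character the app will see."""
    return unquote_plus(unquote_plus(value))


def inspect(request_bytes):
    """Application-layer inspection: parse, canonicalise each parameter, then
    match. Returns a list of (rule, parameter name) findings."""
    _method, _headers, params = parse_request(request_bytes)
    findings = []
    for name, value in params.items():
        canon = normalize(value)
        for label, pats in RULES:
            if any(p.search(canon) for p in pats):
                findings.append((label, name))
    return findings


# Constructed sample requests (hostname and paths are made up).
XSS_LITERAL = build_request("POST", "/comment", b"text=<script>alert(1)</script>")
XSS_ENCODED = build_request("POST", "/comment", b"text=%3Cscript%3Ealert(1)%3C%2Fscript%3E")
SQLI_ENCODED = build_request("GET", "/item?id=1%27%20or%20%271%27%3D%271")
SQLI_DOUBLE = build_request("GET", "/item?id=1%2527%2520or%2520%25271%2527%253D%25271")
BENIGN = build_request("GET", "/search?q=red+shirts&page=2")

if __name__ == "__main__":
    cases = [("xss literal", XSS_LITERAL), ("xss encoded", XSS_ENCODED),
             ("sqli encoded", SQLI_ENCODED), ("sqli double", SQLI_DOUBLE),
             ("benign", BENIGN)]
    for label, req in cases:
        print(f"{label:13} raw={raw_match(req)!s:10} app={inspect(req)}")
```

Only the literal `<script>` body trips the raw byte match; the percent-encoded and double-encoded payloads sail past it and are caught only after the request has been parsed and decoded. That decoding step is the practical difference between matching packets and matching what the application receives, and it is the step to test for (with encoded, double-encoded and form-body variants) before deciding that any single box "covers" SQL injection and XSS for PCI purposes.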


--- Josh Haft wrote:

Hello all,

Please consider the following scenario with respect to a) PCI
compliance, b) best practice, and c) your own personal
experiences/implementations.

Have been requested by a client to implement separate, physical
firewalls between our various networks. Currently, we have one
physical firewall with interfaces to a public network (after a quick
pass through a router), a LAN, a DMZ, and another network which houses
our database servers. These are all on separate networks, and run
through separate physical switches.

The client wants another physical firewall between each subnet. The new
configuration as I see it would have the 'main' firewall NAT'ing and passing
traffic from the public network to the DMZ, and to two additional firewalls.
Behind those firewalls would be a LAN and the separate 'database network',
respectively.

In our never-ending quest to bend over for every client, cost (within
reason) is not an issue, so disregard that aspect.
Comments,
questions, and concerns as they relate to this issue would be greatly
appreciated.

Thanks!
Josh




