Thursday, November 26, 2009

firewall-wizards Digest, Vol 43, Issue 7

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Using linux firewalls for PCI compliant infrastructure
(Victor Williams)
2. Re: Using linux firewalls for PCI compliant infrastructure
(Marcin Antkiewicz)
3. Re: Using linux firewalls for PCI compliant infrastructure
(Skip Carter)


----------------------------------------------------------------------

Message: 1
Date: Wed, 25 Nov 2009 07:41:06 -0600
From: Victor Williams <vbwilliams@gmail.com>
Subject: Re: [fw-wiz] Using linux firewalls for PCI compliant
infrastructure
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<ed9c612d0911250541v4b7a42d2o46482615aff80ddf@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"

I generally believe that is due to lack of knowledge. If the knowledge of
the solution rests in you alone, and you quit, get hit by a truck, get swine
flu and are out of commission, etc, then they have no one to go back and get
support from other than you and whatever they can find on the iptables
website or some other Google search. Most management want a very defined
support structure in place.

I am in the weird position of being a manager/director, but also being a
person that has to do hands-on upkeep of the systems I oversee management
and security of. I could have rolled my own solution from the top
down...from "stateful firewall" to "application firewall" to load balancer,
etc. I opted for all relatively well-known solutions (some retail, some
open source) because if I decided to leave the organization, they wouldn't be
stuck.

The few managers above me were generally more tuned in to spending dollars
on solutions with a commercial support structure vs spending time on a free
solution that required them to have a RHCE or other Linux guru on hand to
figure out.

That all being said, I don't see an overall difference in the quality of
products in what you're using vs others that are commercial. There are open
source ways to do everything you need (where PCI is concerned) from the edge
all the way back to the core router/switch. It's just a matter of risk in
my opinion. The risk isn't really in what you're using...it's if all of
that knowledge rests in one place and could be unavailable to the rest of
the organization if one person left...at least that's what I'd be thinking
about from a management perspective.

In the organization I work in (online retailer), we've implemented a mix,
based on which product(s) were the most widely and easily supported. DNS,
SFTP/FTPS, PKI, Firewalls, load-balancers, web, etc. Some of them are open
source solutions, some are proprietary/retail, based on risk and knowledge
of on-hand stuff. I don't see any of them as better/worse. The main
question asked was, "Do we have the personnel on staff to keep this
infrastructure up-to-date and running in an optimal manner?"

You should make the worriers aware that a bunch of commercial vendors are
using open source products in their offerings. If they modify the open
source, it's going back to the community (it's supposed to), in which case
it's going to be available to everyone else (it should be).


On Wed, Nov 25, 2009 at 1:39 AM, Siim P?der <siim@p6drad-teel.net> wrote:

> Hi
>
> Tracy Reed wrote:
> > I am. For PCI. No problem. Did the people who suggested something
> > commercial provide any good quantifiable reasons or was it simply
> > cargo-cult network security?
>
> IMO, mostly the latter (the cargo cult one):
> 1) Commercial vendors are sometimes certified to be secure
> 2) Lots of people are using commercial firewalls for critical
> infrastructure and hence they are better tested
> 3) Commercial vendor can be pushed to produce patches for problems
>
> We currently have iptables on central firewalls and mod_security doing
> application level filtering on webservers themselves. It was suggested
> that a firewall doing SSL termination and content inspection would be
> better because it would have better application-level rulesets
> (namely, protection from common DOS bots was mentioned).
>
> Generally, I don't think they make a very good case. However, I
> promised to ask if there are any other shops using open source
> firewalls out there. Maybe they are just worried to be on the boat
> alone :)
>
> Thanks for your comments!
>
> Siim
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>

------------------------------

Message: 2
Date: Wed, 25 Nov 2009 09:40:04 -0600
From: Marcin Antkiewicz <firewallwizards@kajtek.org>
Subject: Re: [fw-wiz] Using linux firewalls for PCI compliant
infrastructure
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<7ed5f2120911250740m4c8bf735m5acd11be08dc77d9@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

>> I am. For PCI. No problem. Did the people who suggested something
>> commercial provide any good quantifiable reasons or was it simply
>> cargo-cult network security?

It's not cargo cult or, at least, it does not have to be. Commercial solutions
are normalized, or at least appear as such to the general population, such as
your auditors. From your perspective it might, rightfully, seem like a misplaced
effort, while the security folks could report to many masters and have another
set of requirements (cost of compliance vs. your more technical metrics).

Before I get shot: I am not arguing that the audit score is a measure
of security.

My wild guess is that your security folks believe that a WAF, or whatever they
want to put in, would make the auditors happy, therefore it would address one of
the risks they are facing. On the technical side, WAFs are a double-edged sword
and lure people into a band-aid treadmill, where they fix countless symptoms
(XSS patches) rather than the often dangerous and hard to address disease (SDLC).

At the same time, the audit risk is far more tangible and predictable than
whatever might happen due to scrapping your custom system in favor of buying
some off-the-shelf wonder. I would call this substandard risk management, but
many companies seem to thrive on such an approach....

Again, just playing the devil's advocate here.

--
Marcin Antkiewicz


------------------------------

Message: 3
Date: Wed, 25 Nov 2009 16:05:49 -0800
From: Skip Carter <skip@taygeta.com>
Subject: Re: [fw-wiz] Using linux firewalls for PCI compliant
infrastructure
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20091125160549.82940b26.skip@taygeta.com>
Content-Type: text/plain; charset=ISO-8859-1

On Wed, 25 Nov 2009 00:37:07 +0200
Siim P?der <siim@p6drad-teel.net> wrote:

>
> We are using linux-based servers as firewalls for PCI compliant
> infrastructure. During audits it has been OK so far but security
> people internally have suggested that maybe a commercial product would
> be better suited for PCI infrastructure (as it is pretty critical).
>
> I'm personally very happy with the iptables firewalls - we can use all
> the standard components for firewalls that we use for everything else
> (including standard administration methods, patching and so forth).
>
> What do you think, would a commercial firewall provide a tangible
> improvement in security?
> Is anyone else using linux-based firewalls for PCI (or otherwise
> sensitive) infrastructure?

You could have your cake and eat it too by purchasing a shrink-wrap
Linux firewall. I have a client that had a regulatory requirement
to use an ICSA certified firewall and was able to satisfy that
requirement with one of those commercial Linux firewalls.


--
Dr. Everett (Skip) Carter Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc. e-mail: skip@taygeta.com
1340 Munras Ave., Suite 314 WWW: http://www.taygeta.com
Monterey, CA. 93940

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 43, Issue 7
***********************************************