
Monday, April 06, 2009

firewall-wizards Digest, Vol 36, Issue 11

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: PCI DSS & Firewalls (miedaner)
2. Re: PCI DSS & Firewalls (Mark)
3. Re: PCI DSS & Firewalls (Jim Seymour)
4. Re: PCI DSS & Firewalls (Brian Loe)


----------------------------------------------------------------------

Message: 1
Date: Sun, 5 Apr 2009 12:22:50 -0400
From: "miedaner" <miedaner@twcny.rr.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: "Firewall Wizards Security Mailing List"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <DLEJKHFJGLFILMOIIBLPGEOECKAA.miedaner@twcny.rr.com>
Content-Type: text/plain; charset="iso-8859-1"

Interesting thread.

The reality is that companies have not followed best practices in terms of
network and internet services.

Over and over in my 17 years in security, people whining for the next unsafe
app, protocol, etc. have won out over sound security.

Not to mention poor design practices that put ring 0 devices on the edge
rather than in a tiered design.

How many companies have the payroll and money transfer machines located so
any user can touch them, both physically and logically?

How many bandaids has the so-called security industry come up with to
compensate for poor practices? E.g., the clueless demand a PIX, so we need an
IDS and whatever other protocol-aware device.

Good design and having the balz to say no goes a long way in keeping the
environment simple and secure.

As far as testing, some is needed, but the ill-informed would assume that a
successful PT means you are OK. Not to mention 9 times out of 10 the
testers exploit low-hanging fruit - let's be real here, we are dealing with
the soft chewy core of M$. Add distributed offices and physical security
weaknesses into the mix and successful attacks, for the determined, become a
cake walk.

Also, the issue with PCI standards and all other regulations is, I believe, the
amount of interpretation that is allowed. Try defining scope under PCI;
very ambiguous.

Tony Miedaner
eroc emit eno

-----Original Message-----
From: firewall-wizards-bounces@listserv.icsalabs.com
[mailto:firewall-wizards-bounces@listserv.icsalabs.com]On Behalf Of
Brian Loe
Sent: Sunday, April 05, 2009 1:50 AM
To: Firewall Wizards Security Mailing List
Subject: Re: [fw-wiz] PCI DSS & Firewalls


On Fri, Apr 3, 2009 at 3:36 PM, Paul Melson <pmelson@gmail.com> wrote:


> At the end of the day, offensive security (scanning, pen-testing, auditing,
> etc.) is testing. And some testing is ALWAYS better than no testing. Show
> me a company that doesn't require testing before moving a system into
> production and I'll show you a company that can afford lots of downtime.

And I'll show you every company I've ever worked for - including the
one that's handling your prescriptions and likely the one handling
your 401k.

Then again, I guess it depends on what you call testing. If it means
"it turns on, given expected input it returns expected output" then
never mind - you're "safe". Otherwise you're living in as big of a make-
believe world as Marcus. And as everyone knows I'm quite the realist!

Then again I'm also the manager who, while trying to get an updated
security program approved by the "IT Steering Committee", removed the
part about certification and accreditation for new systems because,
frankly, if you're our size it's stupid and overly costly. What I
would VERY MUCH LIKE is a "checklist" like the first set of
instructions I got for (well, it's late and I can't remember the
acronym - and it's since been changed anyway - DoD crap)....

I prefer a standard that tells me EXACTLY what it wants as a minimum, and then
my middle management idiot self can busy myself doing BETTER than
that standard...
_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

------------------------------

Message: 2
Date: Mon, 6 Apr 2009 08:37:18 -0400
From: "Mark" <firewalladmin@bellsouth.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: "'Firewall Wizards Security Mailing List'"
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <000001c9b6b4$6d0432d0$2003a8c0@357magnum>
Content-Type: text/plain; charset="us-ascii"

Brian Loe wrote:
" What I would VERY MUCH LIKE is a "checklist" like the first set of
instructions I got for (well, it's late and I can't remember the
acronym - and it's since been changed anyway - DoD crap)...."

Oh, let me guess! Is it the STIG? Security Technical Implementation Guide? Oh,
and now we have the infamous "DISA Gold" which will hit you with a bunch of
CAT 1&2 findings if the system is actually supposed to work. I've also
noticed that between the STIGs, checklists (there are checklists in
addition to the STIG and they are simply called Windows XP Security
Checklist or Desktop Applications Security Checklist, etc.) and FDCC there
are conflicting security measures, making it impossible to ever be "fully"
compliant. I will cite a simple example that I recall from the top of my
not-yet-balding head (paraphrased, not quoted):

Finding - You have more than one user in the Administrators group on the
computer. For best security, you should only have one user in the
Administrators group on a machine.

Finding - You do not have a backup Administrator account on the machine. For
best security, you should create a second Administrator account on the
computer and keep the password locked in a safe area, so that if no
Administrators are available, an authorized individual can still perform
administrative functions on the computer.

(Goes back to lurking - Mark)


------------------------------

Message: 3
Date: Mon, 6 Apr 2009 09:25:55 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20090406132555.800EFE15C@jimsun.linxnet.com>


Bill McGee <bam@cisco.com> wrote:
>
> Yikes!
>
> Wouldn't it be nice if we all lived in Marcus' world?
[snip]

It'd be a damn sight nicer than living in the world in which we
currently find ourselves, where, due to vendor irresponsibility and
end-user cluelessness (encouraged by said vendors, IMO), the concept of
"network security" has become a joke.

>
> In the meantime, we really ought to be helping folks move from WHERE THEY
> ARE to WHERE THEY NEED TO BE, ...
[snip]

That's pretty damn funny, considering how "folks" got to where they are
in the first place.

[snip]
> ... we really need to recognize that
> wide-eyed idealism, however well-intentioned, is never a reasonable
> replacement for dealing with the vagaries of the reality we actually
> inhabit.

What Marcus is promoting isn't "wide-eyed idealism," it's reality.
That reality being that there's no such thing as "kind of secure." It's either
secure or it's not. You, and those who believe, or purport to
believe, as you do are promoting "good enough." Well, half-way
measures are *not* "good enough," *never* have been "good enough" and
never *will* be "good enough."

Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.


------------------------------

Message: 4
Date: Mon, 6 Apr 2009 09:34:10 -0500
From: Brian Loe <knobdy@gmail.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID:
<3c4611bc0904060734j4040b9f8p6e5a5e2ec019d785@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

On Mon, Apr 6, 2009 at 7:37 AM, Mark <firewalladmin@bellsouth.net> wrote:
> Brian Loe wrote:
> " What I would VERY MUCH LIKE is a "checklist" like the first set of
> instructions I got for (well, it's late and I can't remember the
> acronym - and it's since been changed anyway - DoD crap)...."
>
> Oh, let me guess! Is it the STIG? Security Technical Implementation Guide? Oh,
> and now we have the infamous "DISA Gold" which will hit you with a bunch of
> CAT 1&2 findings if the system is actually supposed to work. I've also
> noticed that between the STIGs, checklists (there are checklists in
> addition to the STIG and they are simply called Windows XP Security
> Checklist or Desktop Applications Security Checklist, etc.) and FDCC there
> are conflicting security measures, making it impossible to ever be "fully"
> compliant. I will cite a simple example that I recall from the top of my
> not-yet-balding head (paraphrased, not quoted):
>

I never made it through an audit with those criteria so I don't know
how it would go. But I like that the "standard" I'm supposed to adhere
to is specific and comes with its own checklist. I can either do it or
know that I need to write an exception.

The example finding you quoted would have made for entertaining
exceptions, no doubt.

I'm currently going through my second internal/external SOX audit. I
find them equally useless so far as real security goes, but you do have
the benefit of the good cop/bad cop thing, where they can at least
advise you on where you need to bring your game up.


------------------------------



End of firewall-wizards Digest, Vol 36, Issue 11
************************************************
