firewall-wizards@listserv.icsalabs.com
To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com
You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."
Today's Topics:
1. Re: PCI DSS & Firewalls (Chris Blask)
2. Re: PCI DSS & Firewalls (R. DuFresne)
3. Re: PCI DSS & Firewalls (Frank Knobbe)
4. Re: PCI DSS & Firewalls (Frank Knobbe)
5. Re: PCI DSS & Firewalls (Paul D. Robertson)
6. Re: PCI DSS & Firewalls (Jim Seymour)
7. Re: PCI DSS & Firewalls (Paul D. Robertson)
8. Re: PCI DSS & Firewalls (Marcus J. Ranum)
----------------------------------------------------------------------
Message: 1
Date: Thu, 2 Apr 2009 09:19:14 -0700 (PDT)
From: Chris Blask <chris@blask.org>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <812194.37496.qm@web33807.mail.mud.yahoo.com>
Content-Type: text/plain; charset=us-ascii
> From: Paul D. Robertson <paul@compuwar.net> Thursday, April 2, 2009 10:31:37 AM
> On Thu, 2 Apr 2009, Chris Blask wrote:
>> One of our folks did PCI for Walmart, and when the CEO sent out a note
>> saying (sic): "Listen to this guy or you're fired" it proved that PCI
>> worked. It reduced the prospect of spending in the future the millions
>> of man-hours we have spent in the past arguing with people that maybe
>> they should at least consider changing default passwords.
> But the buy in is to check the boxes so they don't get fined- and the
> boxes are checkable by interpretation. Outside of a few basic
> requirements, things are vague, ambiguous and not helpful at all- frankly,
> it's the worst "standard" I've seen in ~25 years of computer security- and
> I've rarely seen good ones.
The most enlightening fact about PCI is that most Tier One organizations - who should have had the assets and motivation to know and do better all along - haven't even been able to interpret what they are doing to match those check boxes prior to being forced to comply with PCI. So, obviously, every standard before PCI - no matter whether better or worse by technical measures - has been ineffective.
Look, I'm not defending the DSS itself. When I first read it I went back and read it again, just to be sure I didn't skim over an actual piece of serious substance in there somewhere. It is - at best - the morning of a one-day Network Security For Idiots class (maybe the first hour) and the folks writing it are a thousand times more interested in not doing anything that could lead to them being sued than they are about creating actual security. But we need to set baseline standards in industry as a whole somehow and whatever we can get people to reliably follow is a better start than a more laudable standard that is ignored.
> I also agree with Marcus that it's the Pen Tester's Employment Security
> Act..
Oh, it is. And even there, having more Pen Testing done in the world is itself a move in a positive direction, so that's a good thing by any metric.
-chris
------------------------------
Message: 2
Date: Thu, 2 Apr 2009 13:30:29 -0400 (EDT)
From: "R. DuFresne" <dufresne@sysinfo.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: "Marcus J. Ranum" <mjr@ranum.com>
Cc: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <Pine.LNX.4.64.0904021329260.19472@darkstar.sysinfo.com>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
On Thu, 2 Apr 2009, Marcus J. Ranum wrote:
> Which shows that, in general, almost nobody still gets the point.
>
Anyone following the pen-test list knows that is a fact....
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
------------------------------
Message: 3
Date: Thu, 02 Apr 2009 11:54:20 -0500
From: Frank Knobbe <frank@knobbe.us>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: bwilliam13@windstream.net, Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <1238691260.57207.54.camel@localhost>
Content-Type: text/plain; charset="us-ascii"
On Thu, 2009-04-02 at 07:25 -0500, Victor Williams wrote:
> PCI DSS is pretty sad. They could have taken another
> already-established standard with some brains behind it and adopted it
> instead...just said, you must follow "OrgA" standards for system
> hardening and auditing and whatnot...called it a day.
While I'm a PCI QSA, I don't mean to step up on the pedestal and defend
the PCI Standard. There is room for improvement, which is an ongoing
process. I just wanted to say that this is not an "industry standard" in
terms of laying out specific details that can be followed to the letter
to be compliant. It's also not a checkbox-type checklist to magically
make you compliant (or secure). Rather, it is a guide to help QSAs
assess the security of entities having to be PCI compliant. It provides
a minimal baseline in my opinion, and assessors should always strive to
use common sense while reviewing networks and systems, and apply best
practices in order to achieve maximum security.
Just because there is a checkbox for "application level" firewall, or
"server separation" it doesn't mean you have to follow it. First, you
have to look at what is required in context. Would you run your database
server on the same box as the Internet facing web server? Probably not.
Separation there makes sense. Does it mean you need to have a different
server for your AD/DNS/Print services? No, not necessarily. (Heck and
one can even argue web and database on the same box.... if they are
virtualized with strong access control between them).
Second, there are mitigating controls. If you don't have an application
layer web firewall, but have IDS and a reverse proxy (just an example),
you may be okay. It really all depends on the environment at hand.
When I assess networks for PCI, I first set the "standard" aside and
check what Frank would do. Then I check if everything is in fact
compliant with the PCI "standard", again taking into account mitigating
controls.
The standard is not the leading instrument here, it's the experience and
common sense of the assessors. The PCI doc merely serves as a checklist
to demonstrate to the PCI council that requirements have been fulfilled.
Either verbatim, or in any other shape or form that still fulfills the
desired goal.
Two items most folks struggle with: Scoping and mitigating controls.
Take these into account, and your checklist standard already does not
apply to everyone the same way. Proper scoping can make becoming
compliant much less painful. (Sadly, there are folks who perform PCI
audit in the best interest of themselves, and not in the best interest
of their client)
If you have to be compliant and look at the PCI requirements document,
and say "this is sad" or "that is not defined", talk to a decent QSA. He
can help make this a less confusing and painful experience.
Cheers,
Frank
PS: No, I'm not a PCI pimp. When I first saw the standard several years
back, and assisted (as technical lead) in gap assessments, I thought the
PCI standard is crap. It took me a bit to realize what it really means
and how it works. It's actually quite usable.
If you are serious about improving the process and the "standard", I'm
sure the PCI council would be happy to hear your suggestions.
--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
------------------------------
Message: 4
Date: Thu, 02 Apr 2009 12:06:17 -0500
From: Frank Knobbe <frank@knobbe.us>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <1238691977.57207.65.camel@localhost>
Content-Type: text/plain; charset="us-ascii"
On Thu, 2009-04-02 at 09:31 -0500, Paul D. Robertson wrote:
> But they fail at that level in so fars as they don't help small and
> mid-sized companies know what they really need to do- does a small company
> with 5 servers *really* need to separate every single function onto its
> own system?
*They* is not the PCI council. *They* is the Qualified Security
Assessors. It's to them to help companies to become PCI compliant. They
use the checklist, and they report back about compliance status. If your
QSA doesn't help small and mid-sized companies know what they really
need to, then the QSA is at fault. In that case, provide feedback to the
PCI council. They love to hear about the performance of QSAs. Crappy ones
can lose their certification quickly :)
> But the buy in is to check the boxes so they don't get fined- and the
> boxes are checkable by interpretation. Outside of a few basic
> requirements, things are vague, ambiguous and not helpful at all- frankly,
> it's the worst "standard" I've seen in ~25 years of computer security- and
> I've rarely seen good ones.
I disagree. I'm happy that it's "vague or ambiguous" as you call it.
That allows me as a QSA to properly secure the client. I wouldn't want
to be forced to implement a crappy checklist to the letter. Every
company is unique (you might call it ambiguous), so implementing
security controls requires flexibility.
> I also agree with Marcus that it's the Pen Tester's Employment Security
> Act..
Wouldn't you want to test your security controls periodically?
Cheers,
Frank
--
It is said that the Internet is a public utility. As such, it is best
compared to a sewer. A big, fat pipe with a bunch of crap sloshing
against your ports.
------------------------------
Message: 5
Date: Thu, 2 Apr 2009 12:41:04 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904021236200.4989-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
On Thu, 2 Apr 2009, Chris Blask wrote:
> piece of serious substance in there somewhere. It is - at best - the
> morning of a one-day Network Security For Idiots class (maybe the first
> hour) and the folks writing it are a thousand times more interested in
> not doing anything that could lead to them being sued than they are
> about creating actual security. But we need to set baseline standards
That's the point- if it were more well-written and had depth, it would be
more than the "Don't get sued" checklist, it'd be a move forward to
achieving security, and the point is supposed to be about DLP for CC info,
not not getting sued, so it's already lost at some level. Great synopsis
though!
> in industry as a whole somehow and whatever we can get people to
> reliably follow is a better start than a more laudable standard that is
> ignored.
Contractually, it can't be ignored without great peril, so that's a bad
excuse for them not doing better.
>
> > I also agree with Marcus that it's the Pen Tester's Employment Security
> > Act..
>
>
> Oh, it is. And even there, having more Pen Testing done in the world is
> itself a move in a positive direction, so that's a good thing by any
> metric.
If you're a pen tester. I can set up a gazillion systems with holes that
a pen test won't ever find- pen testing as a stipulated requirement is
silly- there are lots of ways to ensure your security that actually work,
pen testing at best should be an option in conjunction with stronger
methods like configuration auditing of security devices.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
------------------------------
Message: 6
Date: Thu, 2 Apr 2009 14:05:59 -0400 (EDT)
From: jseymour@linxnet.com (Jim Seymour)
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <20090402180559.78069E129@jimsun.linxnet.com>
"Paul D. Robertson" <paul@compuwar.net> wrote:
>
> On Thu, 2 Apr 2009, Chris Blask wrote:
>
[snip]
> >
> > Oh, it is. And even there, having more Pen Testing done in the world is
> > itself a move in a positive direction, so that's a good thing by any
> > metric.
>
> If you're a pen tester. I can set up a gazillion systems with holes that
> a pen test won't ever find- pen testing as a stipulated requirement is
> silly- there are lots of ways to ensure your security that actually work,
> pen testing at best should be an option in conjunction with stronger
> methods like configuration auditing of security devices.
I am reminded of Back In The Day when I was learning how to design
software systems and write code. One theme was consistent across all
that I read: You're further ahead, by far, by starting with good design
and proper coding techniques than ever you'll get by endless hours of
testing and debugging.
Regards,
Jim
--
Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <http://jimsun.linxnet.com/contact/scform.php>.
------------------------------
Message: 7
Date: Thu, 2 Apr 2009 13:16:05 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0904021314130.4989-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=US-ASCII
> I just wanted to say that this is not an "industry standard" in
> terms of laying out specific details that can be followed to the letter
> to be compliant. It's also not a checkbox-type checklist to magically
> make you compliant (or secure). Rather, it is a guide to help QSAs
> assess the security of entities having to be PCI compliant. It provides
> a minimal baseline in my opinion, and assessors should always strive to
> use common sense while reviewing networks and systems, and apply best
> practices in order to achieve maximum security.
Maximum security comes from product selection, trained staff and regular
audits, not from blind scans, blind pen-tests and third party analysts who
don't have real-world experience. I get what you're saying, I'm just
saying that the Kool-Aid isn't all that good here. It's done a further
disservice by not having clear, operable and well-written standards that
the operational people can use to evaluate and understand what practices
they need to comply with and how. The QSAs are all making money- because
they're all mandated, but frankly the fact that we've seen three of them
go on probation recently is a sign that the underlying fundamentals here
aren't strong.
I find it highly ironic that the only technical training mandated is in
Incident Response- isn't the message there "don't worry about learning
about security, just learn how to clean up the mess?"
> The standard is not the leading instrument here, it's the experience and
> common sense of the assessors. The PCI doc merely serves as a checklist
> to demonstrate to the PCI council that requirements have been fulfilled.
> Either verbatim, or in any other shape or form that still fulfills the
> desired goal.
The banks, CEOs and IT workers I've all talked to see it as a checklist to
compliance, or more importantly a checklist to not getting sued. Avoiding
the stick is the goal- and those who actually want the carrot look at the
standard and say "This doesn't help me." That's bad, because the people
most likely to know what's wrong in an environment are those who're most
familiar with it. The desired goal is not getting sued...
Also, we all know that businesses like efficiency and that time costs
money- so are you going to check the box or are you going to write out an
exception and justify it?
> If you have to be compliant and look at the PCI requirements document,
> and say "this is sad" or "that is not defined", talk to a decent QSA. He
> can help make this a less confusing and painful experience.
That doesn't make them any less sad or more defined. This is the best the
multi-billion dollar payment card industry can do?
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
------------------------------
Message: 8
Date: Thu, 02 Apr 2009 13:17:10 -0500
From: "Marcus J. Ranum" <mjr@ranum.com>
Subject: Re: [fw-wiz] PCI DSS & Firewalls
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <49D50126.5000608@ranum.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Chris Blask wrote:
> having more Pen Testing done in the world is itself a move in a positive direction, so that's a good thing by any metric.
I disagree.
What does pen testing show?? Pen testing can show one of two things:
- your security sucks
- your security is better than your pen tester
Neither of those two determinations is equal to "your security is
good."
Ultimately, any kind of "security proof" attempts to prove a negative,
i.e.: "there are no security holes", and simple logic tells us that you
can't prove a negative.
The reason pen testing is popular - in spite of the fact that it
is a flawed idea - is because "your security sucks" is still a
useful answer for a lot of organizations. I'd go a step further
and suggest that if the answer is "your security sucks" there's
a root cause and it's that "your managers are stupid" or "your
executive management is clueless" or both. Those are not especially
popular results but we both know of infinite numbers of stories of
executives who didn't take security seriously until some pen
test rubbed their nose in it. Pen testing may be a short-term
cure for stupid, but it's a fairly expensive way of doing
it and I doubt that it works particularly well in the long-term.
If we were to ever move security past the "your security sucks"
stage, it would have to result from systems being designed with
security built in from the ground up, rather than bolted on
(or, more likely, as the case is, stuck on with bubble gum
and duct tape) after it's safely too late. Don't worry about
that happening any time soon, though - Web2.0 and cloud
computing are in the process of blowing a gigantic smoking
hole through any notion of trust in computing. How do you
make a statement about assurance and critical data in an
environment where, by design, you aren't to know anything beyond
"it's in our cloud; trust us" ?? I am guessing that the
pen testers are already drooling at the feast to come.
As they used to say, "you can't make a silk purse out of
a sow's ear" - implying that there's no amount of improvement
that you can make to something that just isn't capable of
meeting your expectations. The same applies to pen testing:
it is impossible to badness-test your security into being good.
If you try, all you'll find is that it's expensive. It's
only a coincidence, I'm sure, that the badness-testers are
standing by. There are also duct tape and bubblegum sellers
standing by. It's all coincidence.
So, generally I disagree with you, Chris. I think pen testing
serves as an indicator of stupid more than anything else.
Don't be confused by the fact that the indicator is in the
red zone; it doesn't mean what you think it does.
mjr.
--
Marcus J. Ranum CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
------------------------------
End of firewall-wizards Digest, Vol 36, Issue 4
***********************************************