Wednesday, November 25, 2009

firewall-wizards Digest, Vol 43, Issue 6

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Using linux firewalls for PCI compliant infrastructure
(Siim P?der)
2. Re: Using linux firewalls for PCI compliant infrastructure
(Paul D. Robertson)
3. Re: Using linux firewalls for PCI compliant infrastructure
(Tracy Reed)
4. Re: Using linux firewalls for PCI compliant infrastructure
(Siim P?der)


----------------------------------------------------------------------

Message: 1
Date: Wed, 25 Nov 2009 00:37:07 +0200
From: Siim P?der <siim@p6drad-teel.net>
Subject: [fw-wiz] Using linux firewalls for PCI compliant
infrastructure
To: firewall-wizards@listserv.icsalabs.com
Message-ID: <4B0C6013.8010706@p6drad-teel.net>
Content-Type: text/plain; charset=us-ascii

Hi

We are using linux-based servers as firewalls for PCI compliant
infrastructure. During audits it has been OK so far but security
people internally have suggested that maybe a commercial product would
be better suited for PCI infrastructure (as it is pretty critical).

I'm personally very happy with the iptables firewalls - we can use all
the standard components for firewalls that we use for everything else
(including standard administration methods, patching and so forth).

What do you think, would a commercial firewall provide a tangible
improvement in security?
Is anyone else using linux-based firewalls for PCI (or otherwise
sensitive) infrastructure?

Thanks,
Siim


------------------------------

Message: 2
Date: Tue, 24 Nov 2009 20:10:17 -0500 (EST)
From: "Paul D. Robertson" <paul@compuwar.net>
Subject: Re: [fw-wiz] Using linux firewalls for PCI compliant
infrastructure
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <Pine.LNX.4.44.0911242002350.10601-100000@bat.clueby4.org>
Content-Type: TEXT/PLAIN; charset=ISO-8859-1

On Wed, 25 Nov 2009, Siim P?der wrote:

> Hi
>
> We are using linux-based servers as firewalls for PCI compliant
> infrastructure. During audits it has been OK so far but security
> people internally have suggested that maybe a commercial product would
> be better suited for PCI infrastructure (as it is pretty critical).

Have them articulate *why* they think it would be better-suited in terms
of the DSS standard. Have them articulate what security features they
think are missing in your current infrastructure, then you can make an
informed analysis of how to implement those features (be it with Linux or
what have you.) The term "commercial firewall" still probably encompasses
over a hundred devices from I dunno- more than fifty vendors- so how
anyone who's got any clue about security can make that an argument without
detail is beyond me. If they're just looking to spend money, I'd be happy
to do a security review! ;)

> What do you think, would a commercial firewall provide a tangible
> improvement in security?

The security policy instituted by the firewall is the biggest thing that
impacts security. Second is the layers you're doing security at, but then
you have to do apples-to-apples comparisons, and fewer and fewer products
are doing high-level filtering that's meaningful these days. Finally,
many commercial firewalls are fancy VPN management interfaces and GUIs
over Linux systems. But first of all, you need to decide what your policy
is, what protections it provides and what your largest threats are, then
you need to apply that to the PCI-DSS standard and see where you're at.
Every time I do it, I find that I'm much better off spending time on OSSEC
on my PCI-compliant hosts than firewall rules.

> Is anyone else using linux-based firewalls for PCI (or otherwise sensitive)
> infrastructure?
>

Yes, lots of people are.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
paul@compuwar.net which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/

------------------------------

Message: 3
Date: Tue, 24 Nov 2009 16:03:40 -0800
From: Tracy Reed <treed@ultraviolet.org>
Subject: Re: [fw-wiz] Using linux firewalls for PCI compliant
infrastructure
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <20091125000340.GH3222@tracyreed.org>
Content-Type: text/plain; charset="iso-8859-1"

On Wed, Nov 25, 2009 at 12:37:07AM +0200, Siim P?der spake thusly:
> Is anyone else using linux-based firewalls for PCI (or otherwise
> sensitive) infrastructure?

I am. For PCI. No problem. Did the people who suggested something
commercial provide any good quantifiable reasons or was it simply
cargo-cult network security?

--
Tracy Reed
http://tracyreed.org

------------------------------

Message: 4
Date: Wed, 25 Nov 2009 09:39:01 +0200
From: Siim P?der <siim@p6drad-teel.net>
Subject: Re: [fw-wiz] Using linux firewalls for PCI compliant
infrastructure
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.icsalabs.com>
Message-ID: <4B0CDF15.7080409@p6drad-teel.net>
Content-Type: text/plain; charset=us-ascii

Hi

Tracy Reed wrote:
> I am. For PCI. No problem. Did the people who suggested something
> commercial provide any good quantifiable reasons or was it simply
> cargo-cult network security?

IMO, mostly the latter (the cargo cult one):
1) Commercial vendors are sometimes certified to be secure
2) Lots of people are using commercial firewalls for critical
infrastructure and hence they are better tested
3) Commercial vendor can be pushed to produce patches for problems

We currently have iptables on central firewalls and mod_security doing
application level filtering on webservers themselves. It was suggested
that a firewall doing SSL termination and content inspection would be
better because it would have better application-level rulesets
(namely, protection from common DOS bots was mentioned).

Generally, I don't think they make a very good case. However, I
promised to ask if there are any other shops using open source
firewalls out there. Maybe they are just worried about being in the boat
alone :)

Thanks for your comments!

Siim

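An added example, not code from either poster: Paul's point that the policy the firewall enforces matters more than which box enforces it, applied to the iptables setup Siim describes. The allowed flows between zones are written down once as data, checked against segmentation invariants (no path from the Internet straight into the cardholder environment, nothing from the DMZ straight to the database), and only then rendered into an iptables-restore file with default-deny chains, stateful matching and logged drops. The zone names, addresses, ports and the SYN rate threshold are assumptions for illustration; the hashlimit rule is a crude per-source SYN cap on the public flow, not the application-level bot protection the internal security team was asking about.

```python
"""Policy-first iptables generation for a segmented (PCI-style) network.

Added example: the zone names, addresses and ports below are assumptions
for illustration, not the list poster's real configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed zones: "internet" is the catch-all, so zone lookup must
# prefer the most specific (longest-prefix) match.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("10.10.0.0/24"),     # reverse proxies
    "cde": ip_network("10.20.0.0/24"),     # cardholder data environment (app tier)
    "db": ip_network("10.30.0.0/24"),      # database tier
    "admin": ip_network("10.99.0.0/24"),   # jump hosts
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    comment: str


# The policy is the artefact worth reviewing; the ruleset is derived from it.
POLICY = [
    Flow("internet", "dmz", "tcp", 443, "public HTTPS to reverse proxies"),
    Flow("dmz", "cde", "tcp", 8443, "proxies to application tier"),
    Flow("cde", "db", "tcp", 5432, "application tier to database"),
    Flow("admin", "dmz", "tcp", 22, "jump host SSH"),
    Flow("admin", "cde", "tcp", 22, "jump host SSH"),
    Flow("admin", "db", "tcp", 22, "jump host SSH"),
]

# Segmentation invariants: zone pairs that must never appear in the policy.
FORBIDDEN = {("internet", "cde"), ("internet", "db"), ("dmz", "db")}


def zone_of(ip):
    """Longest-prefix zone lookup, so 10.20.0.7 is 'cde', not 'internet'."""
    addr = ip_address(ip)
    return max((z for z in ZONES if addr in ZONES[z]),
               key=lambda z: ZONES[z].prefixlen)


def check_policy(policy, forbidden=FORBIDDEN):
    """Return flows that violate the segmentation invariants; empty list means OK."""
    return [f for f in policy if (f.src, f.dst) in forbidden]


def decide(src_ip, dst_ip, proto, dport, policy=POLICY):
    """Simulate the FORWARD chain for a NEW connection: ACCEPT only on a policy match."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for f in policy:
        if (f.src, f.dst, f.proto, f.dport) == (src, dst, proto, dport):
            return "ACCEPT"
    return "DROP"


def render(policy=POLICY, zones=ZONES, syn_rate="50/sec"):
    """Render an iptables-restore file: default-deny, stateful, logged drops."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        ":LOGDROP - [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"-A INPUT -s {zones['admin']} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT",
        "-A INPUT -j LOGDROP",
        "-A FORWARD -m conntrack --ctstate INVALID -j DROP",
        "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for f in policy:
        if f.src == "internet":
            # Crude per-source SYN rate cap on the public flow (assumed threshold);
            # this is not application-level bot detection.
            lines.append(
                f"-A FORWARD -d {zones[f.dst]} -p tcp --dport {f.dport} --syn "
                f"-m hashlimit --hashlimit-above {syn_rate} --hashlimit-mode srcip "
                f"--hashlimit-name syn_{f.dport} -j LOGDROP"
            )
        lines.append(
            f"-A FORWARD -s {zones[f.src]} -d {zones[f.dst]} -p {f.proto} --dport {f.dport} "
            f"-m conntrack --ctstate NEW -m comment --comment \"{f.comment}\" -j ACCEPT"
        )
    lines += [
        "-A FORWARD -j LOGDROP",
        '-A LOGDROP -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "',
        "-A LOGDROP -j DROP",
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    violations = check_policy(POLICY)
    if violations:
        raise SystemExit(f"policy violates segmentation: {violations}")
    print(render())
```

Running the script prints a file suitable for `iptables-restore`; `decide()` lets you ask the policy, before loading anything, whether a given connection would be permitted, which is the apples-to-apples question to put to any commercial replacement as well.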

------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 43, Issue 6
***********************************************
