1. Web Application Security Tips - PCI Compliance Guide

    www.pcicomplianceguide.org/security-tips-20081030-web-applicatio...
    Sep 30, 2008 – Click here for a free PCI scan from ControlScan · What is PCI Compliance ... Web application firewalls are very different from the standard ...

  2. PCI DSS compliance: Web application firewall or code review?

    searchsoftwarequality.techtarget.com/.../PCI-DSS-compliance-Web-...
    If you need to comply with the application security regulation of the PCI Data Security Standard, should you opt for code reviews or a Web application firewall? ... "If they're going for a compliance 'checkmark,' they will have one big task every ...

  3. PCI compliance: Web application firewall vs. code review

    searchsecuritychannel.techtarget.com/.../PCI-compliance-Web-applic...
    Help businesses become PCI-compliant: Learn how to choose between a Web ...

I am unsure that there IS a PCI Compliant firewall application other than an IDS (Snort) well tuned. 

Basically, you need a layer 7 firewall, and if you are using SSL (as required by the compliance model) you will not be able to inspect those packets?

There are network switches and firewall appliances that can do this, Netscreen and Cisco, but to avoid a PCI complaince code review quarterly, a firewall will not provide that.

Reading through the compliance docs, you will the following:

1) End to end encryption.
2) Isolated logins with password rotation.
3) Logging for up to a year.
4) Encypted data for PCI complaint storage.

Of course the only thing that you protect on the firewall is the same as what iptables protects.

There are some good examples that will give you a nice snort, ulogd, cacti, and mrtg type iptables/ebtables appliance:

http://www.clearfoundation.com/  ClearOS

http://www.endian.com/en/community/ Endian

Not sure what exactly you need for bridging.  But both of these also provide OpenVPN, so you can turn off port 22 for ssh.

But note, they use dnsmasq, so if you are trying to run a dns server on port 53, that is forwarded to dnsmasq (as a security measure).

I have setup both of these ISO's.

I personally built my own appliance using grsecurity, ulogd, snort, etc. 

On Fri, Oct 7, 2011 at 10:39 AM, Michael Butash <michael@butash.net> wrote:
Look up DLP, or Data Loss Prevention.  I think this is more what you're
looking for.

There's OpenDLP with a quick google search, but not sure what level of
maturity or function you'll get vs. commercial.  Commercial products
I've seen used in enterprises about are Imperva, Cisco ACE XML, IBM
DataThread, F5, or Bluecoat solutions.  I've only dealt with them from a
network perspective, so can't speak for application function - leave
that for the layer7/8 guys to figure out.

I don't think there's enough small/mid range companies that care about
DLP appliance function to roll their own, as it's usually pretty
enterprise-centric how they use the info, and how they intend to protect
it.  Most of the aforementioned vendors are of course very proud of the
functions too, charging accordingly, taxing big enterprises that grow to
the point they need it for audit purposes and will throw money at a
problem.

Honestly, I'm seeing most larger companies now moving toward using
external payment vendors to avoid dealing with the PCI concerns, audits,
and ultimate liability.  PII data (personally identifiable information)
is still a concern, but more internally governed than externally audited
to slide by under "don't do something stupid with data" practices.

-mb


> -------- Original Message --------
> Subject: Re: PCI v6.1 compliant Application Firewalls - Got any ideas
> From: Shawn Badger <shawn@badger.pro>
> Date: Fri, October 07, 2011 7:38 am
> To: Main PLUG discussion list <plug-discuss@lists.plug.phoenix.az.us>
>
>
> IPCop wont work for what he needs. IPCop is a layer3 firewall, he is
> looking for one that does stuff like examine the sql query before it
> hits the database.
>
>
> Unfortunately, I can't help on this much more than that. I left the
> company where I needed to be concerned about PCI before they required
> application firewalls. I think the F5's do it very well, but they
> aren't open source although they do run on Linux and you can actually
> get a shell and have scripts on the appliances.
>
>
>
> On Thu, Oct 6, 2011 at 6:18 PM, Eric Shubert <ejs@shubes.net> wrote:
> > On 10/06/2011 04:55 PM, AZ RUNE wrote:
> >>
> >> Looking for an Open Source option for a "PCI v6.1 compliant Application
> >> Firewall"
> >>
> >> I was thinking of Untangle 7.2 but don't know about the PCI compliant
> >> options if they meet them.
> >>
> >> Anyone dealing with this, use anything related?
> >>
> >> Poke Poke :-)
> >>
> >> --
> >> Brian Fields
> >> arizona.rune@gmail.com <mailto:arizona.rune@gmail.com>
> >>
> >
> > Untangle is nice and gui, but it's a pig resource wise.
> >
> > IPCop recently released v2.0, and feedback has been good. I don't know it
> > stacks up to PCI compliance, but would be interested to know.
> >
> > --
> > -Eric 'shubes'
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss



--
(602) 791-8002  Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
HomeSmartInternational.com