Re: PCI v6.1 compliant Application Firewalls - Got any ideas

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MMichael Butash at <-
M 
Attachments:
Message as email
+ (text/plain)
+ (text/html)
+ (text/plain)
Delete this message
Reply to this message
Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: Re: PCI v6.1 compliant Application Firewalls - Got any ideas
1. Web *Application* Security Tips - *PCI Compliance*
Guide<http://www.google.com/url?sa=t&source=web&cd=1&ved=0CE0QFjAA&url=http%3A%2F%2Fwww.pcicomplianceguide.org%2Fsecurity-tips-20081030-web-application-security.php&rct=j&q=PCI%20v6.1%20compliant%20Application%20Firewall&ei=DHmPToCJConhsQLq_p3IAQ&usg=AFQjCNFQuQ63kEHOKHBhHvyhXBmUPOopRA&cad=rja>
www.*pcicompliance*guide.org/security-tips-20081030-web-*applicatio*...
Sep 30, 2008 – Click here for a free *PCI* scan from ControlScan · What
is *PCI Compliance* *...* Web *application firewalls* are very different
from the standard *...*
2. *PCI* DSS *compliance*: Web *application firewall* or code
review?<http://searchsoftwarequality.techtarget.com/news/1313797/PCI-DSS-compliance-Web-application-firewall-or-code-review>
searchsoftwarequality.techtarget.com/.../*PCI*-DSS-*compliance*-Web-...
If you need to comply with the application security regulation of the *
PCI* Data Security Standard, should you opt for code reviews or a
Web *application
firewall*? *...* "If they're going for a *compliance* 'checkmark,' they
will have *one* big task every *...*
3. *PCI compliance*: Web *application firewall* vs. code
review<http://searchsecuritychannel.techtarget.com/tip/PCI-compliance-Web-application-firewall-vs-code-review>
searchsecuritychannel.techtarget.com/.../*PCI*-*compliance*-Web-*applic*
...
Help businesses become *PCI*-*compliant*: Learn how to choose between a
Web *...*


I am unsure that there IS a PCI Compliant firewall application other than an
IDS (Snort) well tuned.

Basically, you need a layer 7 firewall, and if you are using SSL (as
required by the compliance model) you will not be able to inspect those
packets?

There are network switches and firewall appliances that can do this,
Netscreen and Cisco, but to avoid a PCI complaince code review quarterly, a
firewall will not provide that.

Reading through the compliance docs, you will the following:

1) End to end encryption.
2) Isolated logins with password rotation.
3) Logging for up to a year.
4) Encypted data for PCI complaint storage.

Of course the only thing that you protect on the firewall is the same as
what iptables protects.

There are some good examples that will give you a nice snort, ulogd, cacti,
and mrtg type iptables/ebtables appliance:

http://www.clearfoundation.com/ ClearOS

http://www.endian.com/en/community/ Endian

Not sure what exactly you need for bridging. But both of these also provide
OpenVPN, so you can turn off port 22 for ssh.

But note, they use dnsmasq, so if you are trying to run a dns server on port
53, that is forwarded to dnsmasq (as a security measure).

I have setup both of these ISO's.

I personally built my own appliance using grsecurity, ulogd, snort, etc.

On Fri, Oct 7, 2011 at 10:39 AM, Michael Butash <> wrote:

> Look up DLP, or Data Loss Prevention. I think this is more what you're
> looking for.
>
> There's OpenDLP with a quick google search, but not sure what level of
> maturity or function you'll get vs. commercial. Commercial products
> I've seen used in enterprises about are Imperva, Cisco ACE XML, IBM
> DataThread, F5, or Bluecoat solutions. I've only dealt with them from a
> network perspective, so can't speak for application function - leave
> that for the layer7/8 guys to figure out.
>
> I don't think there's enough small/mid range companies that care about
> DLP appliance function to roll their own, as it's usually pretty
> enterprise-centric how they use the info, and how they intend to protect
> it. Most of the aforementioned vendors are of course very proud of the
> functions too, charging accordingly, taxing big enterprises that grow to
> the point they need it for audit purposes and will throw money at a
> problem.
>
> Honestly, I'm seeing most larger companies now moving toward using
> external payment vendors to avoid dealing with the PCI concerns, audits,
> and ultimate liability. PII data (personally identifiable information)
> is still a concern, but more internally governed than externally audited
> to slide by under "don't do something stupid with data" practices.
>
> -mb
>
>
> > -------- Original Message --------
> > Subject: Re: PCI v6.1 compliant Application Firewalls - Got any ideas
> > From: Shawn Badger <>
> > Date: Fri, October 07, 2011 7:38 am
> > To: Main PLUG discussion list <>
> >
> >
> > IPCop wont work for what he needs. IPCop is a layer3 firewall, he is
> > looking for one that does stuff like examine the sql query before it
> > hits the database.
> >
> >
> > Unfortunately, I can't help on this much more than that. I left the
> > company where I needed to be concerned about PCI before they required
> > application firewalls. I think the F5's do it very well, but they
> > aren't open source although they do run on Linux and you can actually
> > get a shell and have scripts on the appliances.
> >
> >
> >
> > On Thu, Oct 6, 2011 at 6:18 PM, Eric Shubert <> wrote:
> > > On 10/06/2011 04:55 PM, AZ RUNE wrote:
> > >>
> > >> Looking for an Open Source option for a "PCI v6.1 compliant
> Application
> > >> Firewall"
> > >>
> > >> I was thinking of Untangle 7.2 but don't know about the PCI compliant
> > >> options if they meet them.
> > >>
> > >> Anyone dealing with this, use anything related?
> > >>
> > >> Poke Poke :-)
> > >>
> > >> --
> > >> Brian Fields
> > >> <mailto:arizona.rune@gmail.com>
> > >>
> > >
> > > Untangle is nice and gui, but it's a pig resource wise.
> > >
> > > IPCop recently released v2.0, and feedback has been good. I don't know
> it
> > > stacks up to PCI compliance, but would be interested to know.
> > >
> > > --
> > > -Eric 'shubes'
> > >
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list -
> > > To subscribe, unsubscribe, or to change your mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> > >
> > ---------------------------------------------------
> > PLUG-discuss mailing list -
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



--
(602) 791-8002 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
HomeSmartInternational.com
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-wirless access pointHackFest Tomorrow 10/08/2011 @ Makerbench in Tempe 3PM - 6PM DefCon/Blackhat Video Presentation and Discussion->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)