PCI v6.1 compliant Application Firewalls - Got any ideas

Michael Butash michael at butash.net
Fri Oct 7 10:39:46 MST 2011


Look up DLP, or Data Loss Prevention.  I think this is more what you're
looking for.

There's OpenDLP with a quick Google search, but not sure what level of
maturity or function you'll get vs. commercial.  Commercial products
I've seen used in enterprises are Imperva, Cisco ACE XML, IBM
DataThread, F5, or Bluecoat solutions.  I've only dealt with them from a
network perspective, so can't speak for application function - leave
that for the layer 7/8 guys to figure out.

I don't think there are enough small/mid-range companies that care about
DLP appliance function to roll their own, as it's usually pretty
enterprise-centric how they use the info, and how they intend to protect
it.  Most of the aforementioned vendors are of course very proud of the
functions too, charging accordingly, taxing big enterprises that grow to
the point they need it for audit purposes and will throw money at a
problem.

Honestly, I'm seeing most larger companies now moving toward using
external payment vendors to avoid dealing with the PCI concerns, audits,
and ultimate liability.  PII data (personally identifiable information)
is still a concern, but more internally governed than externally audited
to slide by under "don't do something stupid with data" practices.

-mb


> -------- Original Message --------
> Subject: Re: PCI v6.1 compliant Application Firewalls - Got any ideas
> From: Shawn Badger <shawn at badger.pro>
> Date: Fri, October 07, 2011 7:38 am
> To: Main PLUG discussion list <plug-discuss at lists.plug.phoenix.az.us>
> 
> 
> IPCop won't work for what he needs. IPCop is a layer 3 firewall, he is
> looking for one that does stuff like examine the SQL query before it
> hits the database.
> 
> 
> Unfortunately, I can't help on this much more than that. I left the
> company where I needed to be concerned about PCI before they required
> application firewalls. I think the F5s do it very well, but they
> aren't open source, although they do run on Linux and you can actually
> get a shell and have scripts on the appliances.
> 
> 
> 
> On Thu, Oct 6, 2011 at 6:18 PM, Eric Shubert <ejs at shubes.net> wrote:
> > On 10/06/2011 04:55 PM, AZ RUNE wrote:
> >>
> >> Looking for an Open Source option for a "PCI v6.1 compliant Application
> >> Firewall"
> >>
> >> I was thinking of Untangle 7.2 but don't know about the PCI compliant
> >> options if they meet them.
> >>
> >> Anyone dealing with this, use anything related?
> >>
> >> Poke Poke :-)
> >>
> >> --
> >> Brian Fields
> >> arizona.rune at gmail.com
> >>
> >
> > Untangle is nice and gui, but it's a pig resource wise.
> >
> > IPCop recently released v2.0, and feedback has been good. I don't know how it
> > stacks up to PCI compliance, but would be interested to know.
> >
> > --
> > -Eric 'shubes'
> >
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> >
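As an added illustration of the kind of inspection Shawn describes above (looking at the SQL query before it reaches the database), the following Python sketch is not from any message in this thread and is not code from any of the products named in it. It assumes a hypothetical allowlist of query "fingerprints" that a database firewall would learn from the application during a baseline period, and it runs a handful of signature rules over constructed sample queries, including the classic injection shapes.

```python
import re

# Constructed allowlist of query fingerprints (literals replaced by ?) that the
# protected application is expected to send.  Hypothetical: a real database
# firewall builds this set from a learning/baseline period, not by hand.
KNOWN_FINGERPRINTS = {
    "select id, name from customers where id = ?",
    "select * from orders where customer_id = ? and status = ?",
    "insert into audit_log (actor, action) values (?, ?)",
}

_STRING_LIT = re.compile(r"'(?:[^']|'')*'")          # 'abc', 'it''s'
_NUMBER_LIT = re.compile(r"\b\d+(?:\.\d+)?\b")        # 42, 3.14
_WS = re.compile(r"\s+")
_TAUTOLOGY = re.compile(r"\bor\s+\?\s*=\s*\?")       # OR 1=1 / OR 'a'='a' once normalised
_UNION = re.compile(r"\bunion\s+(?:all\s+)?select\b")


def fingerprint(query: str) -> str:
    """Reduce a query to its structure: literals -> ?, whitespace folded, lowercase."""
    q = _STRING_LIT.sub("?", query)   # strings first, so their contents cannot hide syntax
    q = _NUMBER_LIT.sub("?", q)
    q = _WS.sub(" ", q).strip().rstrip(";").strip().lower()
    return q


def inspect(query: str) -> tuple:
    """Decide ("allow"|"block", reason) for one query, the way an inline
    database firewall would before forwarding it to the server."""
    fp = fingerprint(query)
    # Structural rules run on the literal-free form, so a ';' or '--' here is
    # real SQL syntax rather than the contents of a string parameter.
    if ";" in fp:
        return ("block", "stacked statement")
    if "--" in fp or "/*" in fp or "#" in fp:
        return ("block", "comment sequence")
    if _TAUTOLOGY.search(fp):
        return ("block", "tautology in predicate")
    if _UNION.search(fp):
        return ("block", "union-based extraction")
    # Positive model last: anything whose shape the application never issues
    # is refused even if no signature fired (fail closed).
    if fp in KNOWN_FINGERPRINTS:
        return ("allow", "known fingerprint")
    return ("block", "unknown query shape")


# Constructed sample traffic: two legitimate queries plus typical injections.
SAMPLE_QUERIES = [
    "SELECT id, name FROM customers WHERE id = 42",
    "INSERT INTO audit_log (actor, action) VALUES ('alice', 'login')",
    "SELECT id, name FROM customers WHERE id = 42 OR 1=1",
    "SELECT id, name FROM customers WHERE id = 1; DROP TABLE customers",
    "SELECT * FROM orders WHERE customer_id = 7 AND status = '' OR '1'='1'",
    "SELECT id, name FROM customers WHERE id = 1 UNION SELECT user, password FROM accounts",
    "SELECT password FROM accounts",
]


def run_demo() -> dict:
    """Inspect every sample query and return {query: (verdict, reason)}."""
    return {q: inspect(q) for q in SAMPLE_QUERIES}


if __name__ == "__main__":
    for q, (verdict, reason) in run_demo().items():
        print(f"{verdict:5}  {reason:24}  {q}")
```

The allowlist is the part that matters for an audit-driven deployment: it fails closed on any query shape the application has never issued, whereas the signature rules on their own are easily sidestepped with encoding or comment tricks. Either way the inspector has to sit where it sees the final query text, i.e. between the application and the database, which is exactly why a layer 3 packet filter cannot do this job.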
