The concept of shipping devices in a default state that's secure has still not taken off. Though I'm pretty sure a big retailer could negotiate something with a vendor. =)
Frank

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Richard Stern
Sent: Wednesday, June 27, 2007 1:24 PM
To: [email protected]
Subject: Re: [c-nsp] no mop enabled and PCI implications

It's not intuitively obvious, but during a PCI audit it was pointed out that the default mop enabled represents a potential threat vector. I had to specifically remediate this vulnerability by adding no mop enabled to all physical Ethernet interfaces in order to pass the audit. There were other similar vulnerabilities pointed out besides that one.

Soapbox: It would be nice if engineering was sensitized to security (PCI) audit requirements and perhaps had a macro (set security PCI?) that would automatically add the proper settings to the config to pass audit requirements. If this were there then the word could be passed back to the audit community and they could then modify their checklists to just require that macro setting be in the config. That would make everybody's lives a lot easier - and provide for more uniform security in the deployments. A win win.

Richard
_______________________________________________
cisco-nsp mailing list [email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
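A check for the remediation described in the quoted message, as an added example that is not part of either e-mail: it reads a saved running-config and lists the physical Ethernet interfaces whose stanza does not contain `no mop enabled`. The interface name prefixes, the skipping of sub-interfaces, and the sample config are assumptions made for this illustration.

```python
import re

# Assumption: these name prefixes cover the physical Ethernet ports in use.
PHYSICAL_ETHERNET = re.compile(
    r"^interface\s+((?:Fast|Gigabit|TenGigabit)?Ethernet\S*)\s*$", re.I)

def interfaces_missing_no_mop(config_text):
    """Return physical Ethernet interfaces whose stanza lacks 'no mop enabled'."""
    missing, current, hardened = [], None, False
    for line in config_text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Any unindented line ("!", "end", a new command) closes the stanza.
            if current and not hardened:
                missing.append(current)
            current, hardened = None, False
            m = PHYSICAL_ETHERNET.match(line)
            # Sub-interfaces (name contains ".") are logical, so they are skipped.
            if m and "." not in m.group(1):
                current = m.group(1)
        elif current and line.strip().lower() == "no mop enabled":
            hardened = True
    if current and not hardened:
        missing.append(current)
    return missing

def remediation(missing):
    """Build the config lines that add 'no mop enabled' to each listed interface."""
    return "\n".join(f"interface {name}\n no mop enabled" for name in missing)

# Constructed sample config (hostname and addresses are made up).
SAMPLE_CONFIG = """\
hostname edge-rtr-example
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/1.20
 encapsulation dot1Q 20
!
interface Serial0/0/0
 no ip address
!
interface GigabitEthernet0/2
 shutdown
!
end
"""

if __name__ == "__main__":
    print(remediation(interfaces_missing_no_mop(SAMPLE_CONFIG)))
```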
