Doesn't it also mandate the encryption of CC info? Requirement 4: Encrypting and Storing Credit Card Data.

Plenty of reports that the data was not encrypted, and also plenty that say it was.

On Tue, May 10, 2011 at 4:40 PM, Tracy Reed <[email protected]> wrote:

> On Tue, May 10, 2011 at 05:07:39AM +0000, Dobbins, Roland spake thusly:
> > Stateful firewalls have no place in front of servers, where every incoming
> > request is unsolicited, and therefore there is no state to inspect in the
> > first place.
>
> The PCI SSC requires a stateful firewall in front of servers processing credit
> card data. Not only to block inbound access to any ports or services
> accidentally exposed but the outbound policy must also be default deny to make
> it more difficult to exfiltrate stolen data. If you have traffic going out to a
> high numbered port and you are not keeping state how do you know if that is a
> reply packet to an existing inbound connection or if it is an unauthorized
> outbound connection?
>
> Of course, the network should be properly segmented so that only the servers
> processing payment data are in-scope. You may be right about not putting a
> stateful firewall in front of the gaming servers (in Sony's case).
>
> > Where stateful firewalls in front of Web servers are incorrectly mandated by
> > various regulatory frameworks, making use of mod_security or its equivalent
> > on the Web servers themselves ensures compliance without creating a DDoS
> > chokepoint.
>
> If you don't have a stateful firewall blocking outbound connections why would
> the traffic even have to go through mod_security?
>
> --
> Tracy Reed
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
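As an added illustration of the egress-filtering point made in the quoted reply (example code, not from anyone in the thread), the Python model below contrasts a stateless outbound ACL with a connection-tracking default-deny policy; the server address, ports and packets are constructed sample values.

```python
from dataclasses import dataclass

SERVER = "10.0.0.5"  # hypothetical in-scope payment server (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def stateless_egress(pkt: Packet) -> bool:
    """Stateless ACL: to let replies reach clients' ephemeral ports it must
    permit any server packet to a high port, so it cannot tell a reply from
    a brand-new outbound connection to such a port."""
    return pkt.src == SERVER and pkt.dport >= 1024


class StatefulEgress:
    """Default-deny outbound: a packet may leave only if it belongs to an
    inbound connection the firewall has already recorded."""

    def __init__(self) -> None:
        self.flows: set[tuple[str, int, str, int]] = set()

    def inbound(self, pkt: Packet) -> None:
        # Track the 4-tuple of each client connection to the server.
        if pkt.dst == SERVER:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))

    def outbound(self, pkt: Packet) -> bool:
        # Permit only the exact reverse of a tracked inbound flow.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows


def demo() -> dict:
    """Run one legitimate reply and one unsolicited outbound packet (both to
    port 51514) through each filter; returns {filter: (reply_ok, exfil_ok)}."""
    fw = StatefulEgress()
    fw.inbound(Packet("198.51.100.7", 51514, SERVER, 443))  # client -> server
    reply = Packet(SERVER, 443, "198.51.100.7", 51514)       # server's answer
    exfil = Packet(SERVER, 40000, "203.0.113.9", 51514)      # unsolicited
    return {
        "stateless": (stateless_egress(reply), stateless_egress(exfil)),
        "stateful": (fw.outbound(reply), fw.outbound(exfil)),
    }
```

The stateless filter passes both packets because it only sees a destination port; the stateful one passes the reply and drops the unsolicited connection, which is the distinction the default-deny outbound policy relies on.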
