Re: 3 PCI questions that bother me

[Matt - MRS Security <matt () mrssecurity com>]

Mattias Hemmingsson wrote:
> Hi
>
> PCI question number one
> We had a profence webproxy on a separate  server but the profence did
> something to the traffic so we had to remove it.
> And now to the question PCI says one primare funktion on one server. Can
> you run apache,glassfish and mod_security on the same server ?
>
> Both apache and glassfish handel http request so there i tink im safe.
> But mod_security on the same server as the webbserver ?
> Anyone doing the same thing ?
>
>
> PCI question number two
> If one of my firewalls dies a hve to destroy it so that you cant be able
> to retrieve any data from the firewall.
> But if a destroy it no warranty is valid so how do you solve this ?
>
> PCI question number tre
> We are thing of using our radius server to handle all our logins to the
> server. We are using OTP that are genarated by this small "thing" a have
> with my keys. So of a use this OTP to loggin to every server what do you
> think of this ?
> And is it a problen with the password rules ?
>
>
> // Matte
>
>
>
>   
1) No problems. If concerned query it with your PCI QSA.

2) why are you storing CHD on a firewall? Just blank it, reload firmware 
and start again.

3) No problems with OTP. As long as every user has an account, you do 
not share accounts, you have strong passwords, and the radius server is 
secure and you can prove this.

What does your QSA say?

Btw, this is a recommendation for you to consider!

Thanks.