Security Basics mailing list archives
RE: Re: Firewalls and PCI
From: "Honer, Lance" <lhoner () smartgrp com>
Date: Fri, 18 Jan 2008 11:21:48 -0500
Well, PCI does not mandate or even suggest anything regarding network segmentation. PCI says anything that could cause a card exposure must be evaluated for compliance. It's really up to the company in question to follow this thought process to completion. When they do they'll realize that if they limit the scope of things in the environment that could lead to an exposure, the fewer things in the environment will need to be evaluated for compliance. So in the context of network segmentation this means separating your card data related systems from the non-card data related systems and protecting access into the card data related systems.

Lance

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Josh Haft
Sent: Wednesday, January 16, 2008 5:35 PM
To: evilwon12 () yahoo com
Cc: security-basics () securityfocus com
Subject: Re: Re: Firewalls and PCI

So the question remains... how do PCI regulations directly affect the segmenting of networks, if at all?

On 16 Jan 2008 19:58:44 -0000, <evilwon12 () yahoo com> wrote:
> The assumption of items being untrustworthy is good, however it is a bit overboard to state that a DHCP network is more untrustworthy than one with purely static IP addresses.
>
> If a bad guy has physical access to machines on, or access to your PCI network nothing else matters. The mission to protect data has failed. This has nothing to do with DHCP, hard coding addresses to mac addresses or using 802.1x (although this is much better). In places that I have been, people have had to badge into the building, pass a security guard with a picture badge, and then badge into the door to get into the area with the PCI network (segmented from other corporate networks).
>
> Segmenting out the network is a good thing if you are dealing with PCI, if it is done properly. The key with it is to properly segment it while still ensuring business functionality.
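Added example (not from the thread): a small Python model of the scoping logic Lance describes, using a constructed first-match firewall policy and constructed segment addresses. It counts, per non-CDE segment, how many hosts have any allowed path into the cardholder data segment; a segment with a non-zero count is still "connected to" the CDE and stays in the evaluation, which is why the lab segment's any-to-any rule defeats the segmentation.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source network (CIDR)
    dst: str               # destination network (CIDR)
    dport: Optional[int]   # TCP port, or None for any port
    action: str            # "allow" or "deny"


def _net(s):
    return ipaddress.ip_network(s, strict=False)


def host_can_reach(policy, host, cde):
    """Simplified first-match evaluation: can `host` open any port into `cde`?"""
    for r in policy:
        if host not in _net(r.src) or not _net(r.dst).overlaps(cde):
            continue
        if r.action == "allow":
            return True                 # at least one port into the CDE is open
        if r.dport is None:
            return False                # all ports denied before any later allow
        # port-specific deny: other ports may still be allowed further down
    return False                        # implicit default deny


def connected_hosts(policy, segments, cde):
    """Map each non-CDE segment to the number of hosts with a path into the CDE.
    Any segment with a non-zero count is 'connected to' the CDE and in scope."""
    cde = _net(cde)
    return {seg: sum(host_can_reach(policy, h, cde) for h in _net(seg).hosts())
            for seg in segments}


# Constructed example: the CDE is 10.10.0.0/24 and the policy is first match wins
CDE = "10.10.0.0/24"
POLICY = [
    Rule("10.20.0.5/32", CDE, 443, "allow"),           # one jump host into the CDE
    Rule("10.20.0.0/24", CDE, None, "deny"),           # rest of corporate LAN blocked
    Rule("10.30.0.0/24", "0.0.0.0/0", None, "allow"),  # lab segment: any-to-any (pulls it into scope)
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),      # default deny
]
SEGMENTS = ["10.20.0.0/24", "10.30.0.0/24", "10.40.0.0/24"]

if __name__ == "__main__":
    for seg, n in connected_hosts(POLICY, SEGMENTS, CDE).items():
        print(f"{seg}: {n} host(s) can reach the CDE -> {'IN SCOPE' if n else 'out of scope'}")
```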