Security Basics mailing list archives

RE: Re: Firewalls and PCI


From: "Honer, Lance" <lhoner () smartgrp com>
Date: Fri, 18 Jan 2008 11:21:48 -0500


Well, PCI does not mandate or even suggest anything regarding network
segmentation. PCI says anything that could cause a card exposure must be
evaluated for compliance.

It's really up to the company in question to follow this thought process
to completion. When they do, they'll realize that if they limit the scope
of things in the environment that could lead to an exposure, fewer
things in the environment will need to be evaluated for compliance.

So in the context of network segmentation this means separating your
card data related systems from the non-card data related systems and
protecting access into the card data related systems.

Lance


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Josh Haft
Sent: Wednesday, January 16, 2008 5:35 PM
To: evilwon12 () yahoo com
Cc: security-basics () securityfocus com
Subject: Re: Re: Firewalls and PCI

So the question remains... how do PCI regulations directly affect the
segmenting of networks, if at all?



On 16 Jan 2008 19:58:44 -0000, <evilwon12 () yahoo com> wrote:
The assumption of items being untrustworthy is good, however it is a
bit overboard to state that a DHCP network is more untrustworthy than
one with purely static IP addresses.


If a bad guy has physical access to machines on, or access to, your PCI
network, nothing else matters.  The mission to protect data has failed.
This has nothing to do with DHCP, hard-coding addresses to MAC addresses,
or using 802.1x (although this is much better).  In places that I have
been, people have had to badge into the building, pass a security guard
with a picture badge, and then badge into the door to get into the area
with the PCI network (segmented from other corporate networks).


Segmenting out the network is a good thing if you are dealing with
PCI, if it is done properly.  The key with it is to properly segment it
while still ensuring business functionality.



