Security Basics mailing list archives
RE: Re: Firewalls and PCI
From: Scott Williamson <swilliamson () choicepay com>
Date: Fri, 18 Jan 2008 14:42:22 -0600
For our PCI acceptance we had 1 set of physical firewalls protecting our lan from the dmz and wan, but we also moved our systems that were in Scope with PCI into multiple internal networks our auditor dubbed the castles. We placed physical firewalls between our lan and these internal Castle Zones. It was more work up front, however since these servers are separate from our lan we no longer have to worry about things like our Exchange Servers being subject to PCI scrutiny. Hope this helps -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Josh Haft Sent: Friday, January 18, 2008 12:14 PM To: Honer, Lance Cc: security-basics () securityfocus com Subject: Re: Re: Firewalls and PCI On Jan 18, 2008 10:21 AM, Honer, Lance <lhoner () smartgrp com> wrote:
Well, PCI does not mandate or even suggest anything regarding network segmentation. PCI says anything that could cause a card exposure must be evaluated for compliance. It's really up to the company in question to follow this thought process to completion. When they do they'll realize that if the limit the scope of things in the environment that could lead to an exposure the fewer things in the environment that will need to be evaluated for compliance. So in the context of network segmentation this means separating your card data related systems from the non-card data related systems and protecting access into the card data related systems. Lance
The section of PCI I was referring to is 1.1.3 "Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone." So, I have a firewall that separates these networks. However, it's only one physical. The client is requesting that we have our network separated by multiple physical firewalls. I can only assume the aforementioned section of PCI includes both configurations (one or multiple physical firewalls), but I am wondering how others have interpreted this. We'll probably end up adding at least one firewall and putting the LAN and database network behind it, leaving the DMZ behind only one firewall. I'm just curious how others have treated these situations. Thanks everyone for your responses. DISCLAIMER: This e-mail is only intended for the person(s) to whom it is addressed and may contain confidential information. If you have received this e-mail in error, please notify us immediately by reply e-mail and then delete this message from your system. Please do not copy it or use it for any purposes, or disclose its contents to any other person without the consent of the sender. Unless expressly stated herein to the contrary, only agreements in writing, signed by an authorized officer of the Company, may be enforced against it.
Current thread:
- Re: Firewalls and PCI, (continued)
- Re: Firewalls and PCI Jon R. Kibler (Jan 16)
- RE: Firewalls and PCI Craig Wright (Jan 16)
- RE: Firewalls and PCI Timmothy Lester (Jan 16)
- Re: Firewalls and PCI David Glosser (Jan 16)
- RE: Firewalls and PCI Jason Alexander (Jan 16)
- Re: Re: Firewalls and PCI evilwon12 (Jan 16)
- Re: Re: Firewalls and PCI Josh Haft (Jan 16)
- Message not available
- Re: Firewalls and PCI Lyle Worthington (Jan 17)
- RE: Re: Firewalls and PCI Honer, Lance (Jan 18)
- Re: Re: Firewalls and PCI Josh Haft (Jan 18)
- RE: Re: Firewalls and PCI Scott Williamson (Jan 18)
- RE: Re: Firewalls and PCI Honer, Lance (Jan 18)
- Re: Re: Firewalls and PCI Josh Haft (Jan 18)
- Re: Re: Firewalls and PCI Josh Haft (Jan 16)
- RE: Firewalls and PCI Kevin Ortloff (Jan 18)
- RE: RE: Firewalls and PCI Abimbola, Abiola (Jan 17)