Firewall Wizards mailing list archives
Re: PCI DSS & Firewalls
From: Victor Williams <bwilliam13 () windstream net>
Date: Thu, 02 Apr 2009 07:25:52 -0500
Amen. Working for a .com e-commerce company, it is the most frustrating thing dealing with this standard. There are some specifics in some sections, and a lot of vagueness in others...the application firewall requirement being the one that ticks me off the most.
If you are reading PCI DSS 1.1, then yeah, "stateful inspection" was the answer. If you're reading PCI DSS 1.2, "application firewall" is the answer. But, they don't define what the "application firewall" is supposed to do and what it's supposed to block/stop/log. I have demo'ed no less than 8 "application firewalls" in the last year, with only two of them actually logging/blocking anything bad. Additionally, there are "application firewalls" out there that do nothing more than match IDS signatures and block them.
PCI DSS is pretty sad. They could have taken another already-established standard with some brains behind it and adopted it instead...just said, you must follow "OrgA" standards for system hardening and auditing and whatnot...called it a day.
Paul D. Robertson wrote:
Is it just me, or do the PCI DSS "standards" for firewalls look like someone played "I have a CISSP" buzzword bingo?

Do the PCI folks _really_ think "stateful inspection" is the answer, and isn't that a Checkpoint trademark anyway?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net     which may have no basis whatsoever in fact."
Moderator: Firewall-Wizards mailing list
Art: http://PaulDRobertson.imagekind.com/
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- PCI DSS & Firewalls Paul D. Robertson (Apr 01)
- Re: PCI DSS & Firewalls Kurt Buff (Apr 01)
- Re: PCI DSS & Firewalls Victor Williams (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Victor Williams (Apr 02)
- Re: PCI DSS & Firewalls Frank Knobbe (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls david (Apr 02)
- Re: PCI DSS & Firewalls Marcus J. Ranum (Apr 02)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls Jim Seymour (Apr 02)
- Re: PCI DSS & Firewalls Chris Blask (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)
- Re: PCI DSS & Firewalls Paul D. Robertson (Apr 02)