SLUG Mailing List Archives
Re: [SLUG] advice on security compliance
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] advice on security compliance
- From: Daniel Pittman <daniel@xxxxxxxxxxxx>
- Date: Mon, 02 Nov 2009 21:59:49 +1100
- User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)
Daniel Bush <dlb.id.au@xxxxxxxxx> writes:
> I was following Rick's recent post about penetration testing with some
> interest. I'm looking at complying with anz e-gate for e-commerce
> transactions. ANZ has this declaration form for internet sites that you
> have to sign. One of the tick boxes says "Do you operate a firewall that is
> regularly updated?"
Oh, gawd. PCI compliance. I /hope/ you get to stay at the lowest level of
compliance, where they mostly never audit, and don't have to deal with any of
the higher bits.
> I have an iptables firewall which basically blocks all ip6 and all ip4
> except for a couple of ports I expose to the internet. I don't see why I
> need to update it "regularly".
Why, because otherwise your system will not be up-to-date to protect you
against the latest exploit for the underlying Windows OS, or to handle the
In seriousness: what they mean, basically, is "do you actually pay attention
to your firewall", and you can ignore the theoretical "regular updates" part
unless an auditor tells you otherwise.
(Which, with luck, they won't, because you will get an auditor who isn't an
idiot in the fairly unlikely event that ANZ or their PCI auditing firm decide
that you do qualify for one. Most auditors are not stupid, in my experience.)
> Do people use any additional application-level filtering on top of iptables
> packet filtering for ssh or http (aside from any security configurations
> that these services already provide) ? (The services I'm exposing through
> iptables are ssh and http. )
> If not, how do you deal with a compliance item that makes dubious sense and,
> if you answered it honestly, makes you look bad when you're not?
Read for meaning, answer to that. The PCI stuff is crazy: it has a bunch of
Windows-like assumptions baked in, because many of their big clients use
> The other thought I had was that it could be they are conflating my
> understanding of a what a "firewall" is with antivirus software.
I wouldn't be entirely shocked; IIRC there was an explicit anti-virus checkbox
in one of the PCI compliance checklists I was given. I addressed it by adding
ClamAV to the Linux server running Apache, Perl and PHP code, where it can
stay updated daily, and scan the disk every now and then.
> If people (staff even) are uploading stuff via http then maybe I need to
> scan such content to prevent my system acting as an agent for spreading
> viral content. But that's heading out of firewall territory.
You would think, eh?
The worst part of the PCI stuff was the implication that they /need/ to ask
these questions, so presumably someone, somewhere *didn't* bother...
✣ Daniel Pittman ✉ daniel@xxxxxxxxxxxx ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.
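The firewall Daniel Bush describes above (default deny on IPv4 and IPv6, with only ssh and http exposed) and Daniel Pittman's reading of the checkbox as "do you actually pay attention to your firewall" can be made concrete. The script below is an added example written for this archive page; it is not code from either poster. It emits that policy in iptables-restore format for one address family, so it can be kept under version control and loaded with iptables-restore / ip6tables-restore, and it checks a saved ruleset (iptables-save output) for drift: INPUT policy still DROP, and the set of exposed TCP ports still exactly the ones you intended. Ports 22 and 80, the conntrack match module, and the rogue port 3306 in the demo dump are assumptions for illustration; the dump itself is a constructed sample, not output from a real host. One caveat the thread does not mention: if you do run IPv6 rather than dropping it wholesale, ICMPv6 has to pass or neighbour discovery breaks, so the v6 ruleset allows it.

```shell
#!/bin/sh
# Added example for the SLUG thread above, not the posters' own code.
# gen_rules: print a default-deny INPUT policy exposing only the given TCP
# ports, in iptables-restore format.  $1 is "v4" or "v6"; the rest are ports.
gen_rules() {
  fam=$1; shift
  # IPv6 needs ICMPv6 for neighbour discovery; plain ICMP is allowed on v4.
  if [ "$fam" = v6 ]; then icmp='-p ipv6-icmp'; else icmp='-p icmp'; fi
  printf '%s\n' '*filter' \
    ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
    '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
    "-A INPUT $icmp -j ACCEPT"
  for p in "$@"; do
    printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
  done
  printf 'COMMIT\n'
}

# check_rules: $1 is a file holding iptables-save output; the remaining args
# are the TCP ports that are supposed to be exposed.  Returns 0 when the
# INPUT policy is DROP and the accepted TCP dports match exactly, 1 otherwise.
check_rules() {
  f=$1; shift
  grep -q '^:INPUT DROP' "$f" || { echo "INPUT policy is not DROP" >&2; return 1; }
  expected=$(printf '%s\n' "$@" | sort -n)
  actual=$(grep -- '-A INPUT ' "$f" | grep -- '-j ACCEPT' | grep -- '-p tcp' \
           | sed -n 's/.*--dport \([0-9]*\).*/\1/p' | sort -n)
  if [ "$expected" != "$actual" ]; then
    echo "exposed TCP ports differ: expected [$expected] got [$actual]" >&2
    return 1
  fi
  return 0
}

# Demo on a constructed iptables-save dump (sample data, not a real host):
# the intended policy plus a port somebody opened later without telling you.
demo() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
# Generated by iptables-save (constructed sample for this example)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 3306 -j ACCEPT
COMMIT
EOF
  if check_rules "$tmp" 22 80; then
    echo "policy matches"
  else
    echo "policy drifted, review the firewall"
  fi
  rm -f "$tmp"
}
demo
```

Loading the policy is a root operation and is not done by the script: `gen_rules v4 22 80 | iptables-restore` and `gen_rules v6 22 80 | ip6tables-restore`. For the "regularly" part, a cron job that runs `iptables-save > /some/file; check_rules /some/file 22 80` and mails you on a non-zero exit is a defensible answer to the checkbox, since the thing you are updating regularly is your knowledge that the rules still say what you think they say.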