On May 10, 2011, at 1:40 PM, Tracy Reed wrote: > If you have traffic going out to a high numbered port and you are not keeping > state how do you know if that is a > reply packet to an existing inbound connection or if it is an unauthorized > outbound connection?
You use stateless ACLs to filter outbound traffic as well, only allowing traffic originating from required well-known ports to ephemeral high ports. This is a basic network access policy Best Current Practice (BCP). 'Client-side' traffic originating from the server, such as DNS lookups and so forth, should be channeled through a completely different NIC on a completely different, isolated segment with proxies and so forth. And all management access should take place via an OOB/DCN management network, on yet another NIC/segment. And mod_security will pass PCI DSS audits just fine. As PayPal's head of opsec was quoted recently, PCI DSS is too vague in many places, and is overly-specific in others. It should be re-factored to an outcomes-based model, IMHO. ----------------------------------------------------------------------- Roland Dobbins <rdobb...@arbor.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/