Re: PCI v6.1 compliant Application Firewalls - Got any ideas

2011-10-07 Thread Shawn Badger
IPCop won't work for what he needs. IPCop is a layer 3 firewall; he is
looking for one that does stuff like examine the SQL query before it
hits the database.


Unfortunately, I can't help on this much more than that. I left the
company where I needed to be concerned about PCI before they required
application firewalls. I think the F5s do it very well, but they
aren't open source, although they do run on Linux and you can actually
get a shell and have scripts on the appliances.




---
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
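Shawn's layer 3 versus layer 7 distinction, shown as an added example (not code from this thread or from any product named in it): the same constructed HTTP request passes a filter that only sees addresses and ports, while a filter that parses the request and checks the parameter against the column type the database expects flags it. The client network, URL, parameter schema and request are all assumptions.

```python
"""Why a layer 3 packet filter cannot do what a WAF does for PCI: it never sees the SQL-bound value."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed samples: two requests from an allowed client to the web tier.
SUSPECT = {"src_ip": "10.0.0.5", "dst_port": 443,
           "request_line": "GET /account?id=42%20OR%201%3D1 HTTP/1.1"}
CLEAN = {"src_ip": "10.0.0.5", "dst_port": 443,
         "request_line": "GET /account?id=42 HTTP/1.1"}

# Assumed schema: the type the database column behind each parameter expects.
SCHEMA = {"id": "int"}

# Matches "OR x=y" / "AND x=y" inside a single parameter value (defender-side heuristic).
TAUTOLOGY = re.compile(r"\b(or|and)\b\s+\S+\s*=\s*\S+", re.IGNORECASE)


def layer3_allows(pkt, allowed_net="10.0.0.", allowed_ports=(80, 443)):
    """Layer 3/4 decision: only source address and destination port are visible.
    Both sample requests are allowed here because they are indistinguishable."""
    return pkt["src_ip"].startswith(allowed_net) and pkt["dst_port"] in allowed_ports


def layer7_findings(pkt, schema=SCHEMA):
    """Layer 7 decision: parse the request line, decode the query string and
    validate each parameter against the expected column type before it can
    reach the database. Returns a list of violations; empty means clean."""
    target = urlsplit(pkt["request_line"].split()[1])
    findings = []
    for name, values in parse_qs(target.query).items():
        for value in values:
            if schema.get(name) == "int" and not value.strip().isdigit():
                findings.append(f"{name}: expected integer, got {value!r}")
            if TAUTOLOGY.search(value):
                findings.append(f"{name}: tautology pattern in {value!r}")
    return findings


if __name__ == "__main__":
    for label, pkt in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, "layer3:", layer3_allows(pkt), "layer7:", layer7_findings(pkt))
```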


RE: PCI v6.1 compliant Application Firewalls - Got any ideas

2011-10-07 Thread Michael Butash
Look up DLP, or Data Loss Prevention.  I think this is more what you're
looking for.

There's OpenDLP with a quick Google search, but not sure what level of
maturity or function you'll get vs. commercial.  Commercial products
I've seen used in enterprises about are Imperva, Cisco ACE XML, IBM
DataThread, F5, or Bluecoat solutions.  I've only dealt with them from a
network perspective, so can't speak for application function - leave
that for the layer7/8 guys to figure out.

I don't think there's enough small/mid range companies that care about
DLP appliance function to roll their own, as it's usually pretty
enterprise-centric how they use the info, and how they intend to protect
it.  Most of the aforementioned vendors are of course very proud of the
functions too, charging accordingly, taxing big enterprises that grow to
the point they need it for audit purposes and will throw money at a
problem.

Honestly, I'm seeing most larger companies now moving toward using
external payment vendors to avoid dealing with the PCI concerns, audits,
and ultimate liability.  PII data (personally identifiable information)
is still a concern, but more internally governed than externally audited
to slide by under don't do something stupid with data practices.

-mb





Re: PCI v6.1 compliant Application Firewalls - Got any ideas

2011-10-07 Thread Lisa Kachold
1. Web Application Security Tips - PCI Compliance Guide
   http://www.pcicomplianceguide.org/security-tips-20081030-web-application-security.php
   Sep 30, 2008 - Click here for a free PCI scan from ControlScan. What
   is PCI Compliance ... Web application firewalls are very different
   from the standard ...

2. PCI DSS compliance: Web application firewall or code review?
   http://searchsoftwarequality.techtarget.com/news/1313797/PCI-DSS-compliance-Web-application-firewall-or-code-review
   If you need to comply with the application security regulation of the
   PCI Data Security Standard, should you opt for code reviews or a Web
   application firewall? ... If they're going for a compliance
   'checkmark,' they will have one big task every ...

3. PCI compliance: Web application firewall vs. code review
   http://searchsecuritychannel.techtarget.com/tip/PCI-compliance-Web-application-firewall-vs-code-review
   Help businesses become PCI-compliant: Learn how to choose between a
   Web ...


I am unsure that there IS a PCI Compliant firewall application other than an
IDS (Snort) well tuned.

Basically, you need a layer 7 firewall, and if you are using SSL (as
required by the compliance model) you will not be able to inspect those
packets?

There are network switches and firewall appliances that can do this,
Netscreen and Cisco, but to avoid a PCI compliance code review quarterly, a
firewall will not provide that.

Reading through the compliance docs, you will find the following:

1) End to end encryption.
2) Isolated logins with password rotation.
3) Logging for up to a year.
4) Encrypted data for PCI compliant storage.

Of course the only thing that you protect on the firewall is the same as
what iptables protects.

There are some good examples that will give you a nice snort, ulogd, cacti,
and mrtg type iptables/ebtables appliance:

http://www.clearfoundation.com/  ClearOS

http://www.endian.com/en/community/ Endian

Not sure what exactly you need for bridging.  But both of these also provide
OpenVPN, so you can turn off port 22 for ssh.

But note, they use dnsmasq, so if you are trying to run a dns server on port
53, that is forwarded to dnsmasq (as a security measure).

I have set up both of these ISOs.

I personally built my own appliance using grsecurity, ulogd, snort, etc.


PCI v6.1 compliant Application Firewalls - Got any ideas

2011-10-06 Thread AZ RUNE
Looking for an Open Source option for a PCI v6.1 compliant Application
Firewall

I was thinking of Untangle 7.2 but don't know about the PCI compliant
options if they meet them.

Anyone dealing with this, use anything related?

Poke Poke :-)

-- 
Brian Fields
arizona.r...@gmail.com

Re: PCI v6.1 compliant Application Firewalls - Got any ideas

2011-10-06 Thread Eric Shubert

On 10/06/2011 04:55 PM, AZ RUNE wrote:

Looking for an Open Source option for a PCI v6.1 compliant Application
Firewall

I was thinking of Untangle 7.2 but don't know about the PCI compliant
options if they meet them.

Anyone dealing with this, use anything related?

Poke Poke :-)

--
Brian Fields
arizona.r...@gmail.com mailto:arizona.r...@gmail.com



Untangle is nice and gui, but it's a pig resource wise.

IPCop recently released v2.0, and feedback has been good. I don't know how
it stacks up to PCI compliance, but would be interested to know.


--
-Eric 'shubes'
