Re: [Full-disclosure] Sony: No firewall and no patches

["Dobbins, Roland" <rdobbins@xxxxxxxxx>]

On May 10, 2011, at 1:40 PM, Tracy Reed wrote:

> If you have traffic going out to a high numbered port and you are not keeping 
> state how do you know if that is a
> reply packet to an existing inbound connection or if it is an unauthorized 
> outbound connection?


You use stateless ACLs to filter outbound traffic as well, only allowing 
traffic originating from required well-known ports to ephemeral high ports.  
This is a basic network access policy Best Current Practice (BCP).  
'Client-side' traffic originating from the server, such as DNS lookups and so 
forth, should be channeled through a completely different NIC on a completely 
different, isolated segment with proxies and so forth.  And all management 
access should take place via an OOB/DCN management network, on yet another 
NIC/segment.

And mod_security will pass PCI DSS audits just fine.

As PayPal's head of opsec was quoted recently, PCI DSS is too vague in many 
places, and is overly-specific in others.  It should be re-factored to an 
outcomes-based model, IMHO.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins@xxxxxxxxx> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/