Tuesday, August 1, 2017

Top 10 Common Firewall Config Errors

You know there's nothing I like better than sitting down with a fresh firewall report and explaining why ANY rules are not your friend as far as PCI compliance is concerned. Below are the top 10 compliance-busting rules and why you should tweak them before a QSA comes along:

1. No HTTPS Server Session Timeout
HTTPS server sessions should expire so that an idle or abandoned management session cannot be picked up and hijacked by someone else. PCI DSS requires idle sessions to time out after 15 minutes or less (requirement 8.1.8), so set them to 10 minutes to avoid a finding.

2. Filter Rules Allow Packets From Any Source
3. Filter Rules Allow Packets To Any Destination
These two findings usually turn up together. At least one side of the rule should name a specific IP address, normally the internal host, or you will be giving the assessor a lengthy explanation of why "any" was necessary on that side of the transaction.

4. Filter Rule Allows Packets To A Port Range
5. Filter Rule Allows Packets To A Port
6. Rules Allow Access To Clear-Text Protocol Services
7. Filter Rules That Allow Any Protocol Were Configured
Tightening these four shows the assessor that you, as the firewall administrator, know what traffic is crossing the firewall and where it is going: name the protocol, name the single port the service actually listens on rather than a range, and replace clear-text services (telnet, FTP, HTTP) with their encrypted equivalents.
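The checks behind items 2 through 7 (and the clear-text SNMP of item 9) are easy to run yourself before the QSA does. The following is an added example, not from the original post or any assessment tool: it lints a constructed, vendor-neutral rule export (one rule per line: name, protocol, source, destination, port) and reports the same classes of finding. The rule format, the sample rules and the clear-text port list are all assumptions for illustration.

```python
"""Lint a firewall rule-set for any-source, any-destination, any-protocol,
any-port, port-range and clear-text-service findings.

Added example: the five-column rule format and the sample rules below are
constructed for illustration; they are not the export of any real firewall.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Ports an assessor treats as clear-text services (constructed list; extend it).
CLEAR_TEXT_PORTS = {
    21: "ftp", 23: "telnet", 69: "tftp", 80: "http",
    110: "pop3", 143: "imap", 161: "snmp", 514: "syslog",
}

# Constructed sample export, one rule per line: name proto src dst port
SAMPLE_RULES = """\
web-dmz-https  tcp   any           203.0.113.10  443
admin-telnet   tcp   10.0.0.5      10.0.1.0/24   23
legacy-any     any   any           any           any
dev-range      tcp   10.0.0.0/24   10.0.2.0/24   8000-8080
monitor-snmp   udp   10.0.0.5      10.0.1.0/24   161
ping-core      icmp  10.0.0.0/24   10.0.1.1      any
"""


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str  # tcp, udp, icmp or any
    src: str    # single IP, CIDR or any
    dst: str
    port: str   # 443, 8000-8080 or any


def parse_rules(text: str) -> list[Rule]:
    """Parse the five-column export; blank lines and # comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 5:
            raise ValueError(f"malformed rule line: {line!r}")
        rules.append(Rule(*fields))
    return rules


def is_single_host(addr: str) -> bool:
    """True when addr names exactly one host (a /32 or /128); never for 'any'."""
    if addr.lower() == "any":
        return False
    return ipaddress.ip_network(addr, strict=False).num_addresses == 1


def port_bounds(port: str) -> tuple[int, int]:
    """'any' -> whole range; '443' -> (443, 443); '8000-8080' -> (8000, 8080)."""
    if port.lower() == "any":
        return (1, 65535)
    lo, _, hi = port.partition("-")
    return (int(lo), int(hi or lo))


def lint_rule(rule: Rule) -> list[str]:
    """Return the assessor-style findings for one rule, in a stable order."""
    findings = []
    if rule.src.lower() == "any":
        findings.append("any-source")
    if rule.dst.lower() == "any":
        findings.append("any-destination")
    # At least one side of the rule should pin a specific host.
    if not (is_single_host(rule.src) or is_single_host(rule.dst)):
        findings.append("no-specific-host")
    proto = rule.proto.lower()
    if proto == "any":
        findings.append("any-protocol")
    if proto == "icmp":
        return findings  # ICMP has no ports to check
    lo, hi = port_bounds(rule.port)
    if rule.port.lower() == "any":
        findings.append("any-port")
    elif hi > lo:
        findings.append(f"port-range:{lo}-{hi}")
    # Any clear-text service whose port falls inside the allowed span.
    exposed = [svc for p, svc in sorted(CLEAR_TEXT_PORTS.items()) if lo <= p <= hi]
    if exposed:
        findings.append("clear-text:" + ",".join(exposed))
    return findings


def lint_ruleset(text: str) -> dict[str, list[str]]:
    """Map rule name -> findings; clean rules are included with an empty list."""
    return {rule.name: lint_rule(rule) for rule in parse_rules(text)}


if __name__ == "__main__":
    for name, findings in lint_ruleset(SAMPLE_RULES).items():
        print(f"{name:15} {', '.join(findings) or 'clean'}")
```

Run it against the sample and only ping-core comes back clean; legacy-any collects every finding at once, which is exactly the rule a QSA will open the conversation with. To use it on a real export, write a small converter from your vendor's format into the five-column form rather than changing the checks.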

8. Rules Allow Access To Potentially Unnecessary Services
Good operational hygiene prevents this from cropping up. If a service doesn't need to be in the rule, take it out; if the rule itself is useless, delete it.

9. Clear-Text SNMP In Use
Practically every network I've worked on has never used SNMP. Disable it. If you genuinely need it for monitoring, use SNMPv3 with authentication and privacy rather than clear-text v1/v2c community strings.

10. Syslog Logging Configured With No Encryption
Plain syslog travels over UDP port 514 with no encryption, so messages between the firewall and the syslog server could be intercepted or altered in transit. You don't want bad actors reading your firewall logs; send them over TLS (RFC 5425) or through an encrypted tunnel to the collector.
