Windows Security Experts and registered CISSPs:
I am helping a company prepare for an upcoming on-site Visa PCI audit
(now required for high volume companies storing credit card information)
and I am wrestling with the firewall requirements and how they should be
implemented in a Windows network.
The requirements state that the cardholder data must be protected from
public networks (Internet) by a 2-tiered firewall architecture. This I
can understand...the "edge" firewall protects the DMZ servers by
limiting inbound traffic to selected ports (like 80 and 443), and the
second firewall sits between the DMZ and a protected "Trusted Zone" where the
cardholder data is stored. You now have 2 layers of "security" between
the data and the Internet.
So, I have set up that architecture and am now working on the rules for
the firewalls. Let's say that the database servers are the only things
behind the second firewall. In a perfect simple networking world I
would now limit incoming and outgoing traffic through that second
firewall to just the database ports (i.e., 1433, 1434), and applications
that need access to the data only need those ports open. Sounds simple...
In a Windows network, Active Directory is a nice thing to have around
for managing servers. Let's say I have an Active Directory Server in the
DMZ (or another separate office network segment). If I want my Active
Directory Server to interact with the Database servers now I need to
open up port 445 (at least) in both directions through the second firewall
to have that functionality. Reading in "Hacking Exposed" it sounds to
me like having port 445 opened up into the trusted zone is not the most
secure thing to do if a hacker has made it through the first firewall
and is now in the DMZ "poking around".
How do I solve this dilemma? I would like those servers to be part of
Active Directory and get the domain security policies, etc. Is there
some other secure configuration that I am not seeing? If my Active
Directory server is not in the DMZ but in a separate office segment I
have the same problem for the web servers. Seems like port 445 is
required in a Windows network for ease of management...is that going to
be interpreted by Visa as a "required business protocol"??
Should I be worried about port 445 being open through that second
firewall? Would I have to have a separate domain controller in my DMZ
and the trusted zone?? That seems excessive. Please Help!!!
OK, now my next dilemma is that when I read the PCI requirements it
sounds like they want me to limit all outgoing traffic from behind
both firewalls down to a bare minimum. If I do that how do I get the
Windows OS on the DMZ and database servers to do auto-updates for
security patches, etc? (Up-to-date patches are also a PCI requirement.)
Is there a PCI expert out there that really understands what outbound
traffic they are really asking to be limited here?
From reading Hacking Exposed I understand that if a hacker gets some
trojan placed in the DMZ and the firewall allows all outgoing traffic he
can do nasty things just having inbound 80 and all outbound ports
open...so I understand the desire to limit outbound ports but how do you
do updates...or browse the web for that matter...from inside your network?
I am guessing I am missing a major conceptual idea here...anybody help
clear me up???
Thanks tons in advance!
-Eric (alias confused)
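As an added example, not code from Eric's post or from any reply, here is a small Python checker that encodes the two-tier allowlist described above (80/443 into the DMZ, 1433/1434 from the DMZ into the trusted zone, patching through a single egress host instead of "allow all out") and flags candidate rules that fall outside it, such as 445 into the trusted zone. The zone names, the "update-proxy" host and the port-0-means-any convention are assumptions for the demo.

```python
from dataclasses import dataclass
from typing import Optional

ANY_PORT = 0  # constructed convention: port 0 stands for "all ports"

@dataclass(frozen=True)
class Rule:
    src: str   # source zone: "internet", "dmz" or "trusted" (names assumed)
    dst: str   # destination zone, or a named host such as "update-proxy"
    port: int  # destination TCP port, ANY_PORT for an unrestricted rule

# Allowlist built from the two-tier design in the post: the edge firewall
# admits only web traffic into the DMZ, the second firewall admits only SQL
# Server traffic from the DMZ into the trusted zone, and egress is not opened
# to "internet" as a whole: patching goes to a single update proxy host
# (assumed name) on 443 instead of an allow-all outbound rule.
ALLOWED = {
    ("internet", "dmz"): {80, 443},
    ("dmz", "trusted"): {1433, 1434},
    ("dmz", "update-proxy"): {443},
    ("trusted", "update-proxy"): {443},
}
MANAGEMENT_PORTS = {445}  # management-only ports that must not cross the second firewall

def check_rule(rule: Rule) -> Optional[str]:
    """Return why a rule violates the policy, or None when it fits the allowlist."""
    if rule.port in ALLOWED.get((rule.src, rule.dst), set()):
        return None
    if rule.port == ANY_PORT:
        return "unrestricted ports: limit the rule to the specific service"
    if rule.dst == "trusted" and rule.port in MANAGEMENT_PORTS:
        return "SMB (445) into the cardholder zone is a management path, not a business protocol"
    return f"{rule.src}->{rule.dst}:{rule.port} is not on the allowlist"

def audit(rules: list) -> dict:
    """Map each offending rule in a candidate rule set to its finding."""
    return {r: reason for r in rules if (reason := check_rule(r)) is not None}

# Constructed candidate rule set: what the two firewalls might start with.
CANDIDATE_RULES = [
    Rule("internet", "dmz", 443),         # edge firewall, HTTPS in: fine
    Rule("dmz", "trusted", 1433),         # second firewall, SQL in: fine
    Rule("dmz", "trusted", 445),          # AD/SMB into the DB tier: flagged
    Rule("dmz", "internet", ANY_PORT),    # "allow all outbound": flagged
    Rule("trusted", "update-proxy", 443), # patching via one proxy host: fine
]

if __name__ == "__main__":
    for rule, reason in audit(CANDIDATE_RULES).items():
        print(f"{rule}: {reason}")
```

Running it prints only the two rules that break the model, which is the shortlist an auditor would ask to see justified.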