Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Visa PCI Firewall Requirements and Windows Networks

from [Spigga] Network Security [Permanent Link]
Subject: Re: Visa PCI Firewall Requirements and Windows Networks
Date: Mon, 9 May 2005 16:17:16 -0500 
We are subject to these requirements as well. For AD its possible to
join a machine to the domain, get the group policy, cache login
credentials then block those ports, this will allow you to enforce the
GP without the risk of open ports or a DC in the DMZ.

Outbound access should be minimized but if windows update is your
patching method I would allow traffic explicitly to the list of
windows update servers, can't be too hard to find.  I recommend using
alternative tools on trusted servers to patch your machine.  Even home
grown scripts, anything that will allow you to open one or two ports
to/from a specific machine on a trusted network rather than to the
Internet.

On 5/6/05, Eric Luke <eric@g2esolutions.com> wrote:

Windows Security Experts and registered CISSP's:
I am helping a company prepare for an upcoming on-site Visa PCI audit
(now required for high volume companies storing credit card information)
and I am wrestling with the firewall requirements and how they should be
implemented in a Windows network.

The requirements state that the card holder data must be protected from
public networks (Internet) by a 2-tiered firewall architecture, this I
can understand...the "edge" firewall protects the DMZ servers by
limiting inbound traffic to selected ports (like 80 and 443) and the
second firewall between the DMZ and a protected "Trusted Zone" where the
cardholder data is stored.  You now have 2 layers of "security" between
the data and the Internet.

So, I have set up that architecture and am now working on the rules for
the firewalls.  Lets say that the database servers are the only things
behind the second firewall.  In a perfect simple networking world I
would now limit incoming and outgoing traffic through that second
firewall to just the database ports (i.e. - 1433, 1434) and applications
that need access to the data only need those ports open.  Sounds simple...

In a Windows network, Active Directory is a nice thing to have around
for managing servers.  Lets say I have an Active Directory Server in the
DMZ (or another separate office network segment).  If I want my Active
Directory Server to interact with the Database servers now I need to
open up port 445 (at least) both directions through the second firewall
to have that functionality.  Reading in "Hacking Exposed" it sounds to
me like having  port 445 opened up into the trusted zone is not the most
secure thing to do if a hacker has made it through the first firewall
and is now in the DMZ "poking around".

How do I solve this dilemma?  I would like those servers to be part of
Active Directory and get the domain security policies, etc.  Is there
some other secure configuration that I am not seeing?  If my active
directory server is not in the DMZ but in a separate office segment I
have the same problem for the web servers. Seems like port 445 is
required in a windows network for ease of management...is that going to
be interpreted by Visa as a "required business protocol"??
Should I be worried about port 445 being open through that second
firewall?  Would I have to have a separate domain controller in my DMZ
and the trusted zone??  That seems excessive.  Please Help!!!

OK, now my next dilemma is that when I read the PCI requirements it
sounds like they want me to limit all outgoing traffic from behind the
both firewalls down to a bare minimum.  If I do that how do I get the
Windows OS on the DMZ and database servers to do autoupdates for
security patches, etc?  (Up-to-date patches is also a PCI requirement.)
Is there a PCI expert out there that really understands what outbound
traffic they are really asking to be limited here?

 From reading Hacking Exposed I understand that if a hacker gets some
trojan placed in the DMZ and the firewall allows all outgoing traffic he
can do nasty things just having inbound 80 and all outbound ports
open...so I understand the desire to limit outbound ports but how do you
do updates...or browse the web for that matter...from inside your network?

 I am guessing I am missing a major conceptual idea here...anybody help
clear me up???

Thanks tons in advance!

-Eric (alias confused)

---------------------------------------------------------------------------
---------------------------------------------------------------------------




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Visa PCI Firewall Requirements and Windows Networks, Greg Stiavetti
Next by Date:  Re: To disable SMB packet and secure channel signing enforcement on Windows Server 2003-based domain controllers, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Previous by Thread:  Re: Visa PCI Firewall Requirements and Windows Networks, Greg Stiavetti
Next by Thread:  Encrypting remote files with EFS, Zack Schiel
Indexes:  [Date] [Thread] [Top] [All Lists]