| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 May 2011 06:47:58 +0000 From: "Dobbins, Roland" <rdobbins@...or.net> To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk> Subject: Re: Sony: No firewall and no patches On May 10, 2011, at 1:40 PM, Tracy Reed wrote: > If you have traffic going out to a high numbered port and you are not keeping state how do you know if that is a > reply packet to an existing inbound connection or if it is an unauthorized outbound connection? You use stateless ACLs to filter outbound traffic as well, only allowing traffic originating from required well-known ports to ephemeral high ports. This is a basic network access policy Best Current Practice (BCP). 'Client-side' traffic originating from the server, such as DNS lookups and so forth, should be channeled through a completely different NIC on a completely different, isolated segment with proxies and so forth. And all management access should take place via an OOB/DCN management network, on yet another NIC/segment. And mod_security will pass PCI DSS audits just fine. As PayPal's head of opsec was quoted recently, PCI DSS is too vague in many places, and is overly-specific in others. It should be re-factored to an outcomes-based model, IMHO. ----------------------------------------------------------------------- Roland Dobbins <rdobbins@...or.net> // <http://www.arbornetworks.com> The basis of optimism is sheer terror. -- Oscar Wilde _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists