lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 9 May 2011 23:40:59 -0700
From: Tracy Reed <treed@...raviolet.org>
To: "Dobbins, Roland" <rdobbins@...or.net>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Sony: No firewall and no patches

On Tue, May 10, 2011 at 05:07:39AM +0000, Dobbins, Roland spake thusly:
> Stateful firewalls have no place in front of servers, where every incoming
> request is unsolicited, and therefore there is no state to inspect in the
> first place.

The PCI SSC requires a stateful firewall in front of servers processing credit
card data. Not only to block inbound access to any ports or services
accidentally exposed but the outbound policy must also be default deny to make
it more difficult to exfiltrate stolen data. If you have traffic going out to a
high numbered port and you are not keeping state how do you know if that is a
reply packet to an existing inbound connection or if it is an unauthorized
outbound connection?

Of course, the network should be properly segmented so that only the servers
processing payment data are in-scope. You may be right about not putting a
stateful firewall in front of the gaming servers (in Sony's case).

> Where stateful firewalls in front of Web servers are incorrectly mandated by
> various regulatory frameworks, making use of mod_security or its equivalent
> on the Web servers themselves ensures compliance without creating a DDoS
> chokepoint.

If you don't have a stateful firewall blocking outbound connections why would
the traffic even have to go through mod_security?

-- 
Tracy Reed

Content of type "application/pgp-signature" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ