virtual firewalls -- compliance
From: Terry <td3201@...>

Hello all,

I am throwing around the idea of using Linux firewalls in VMware for customer environments. The customers may or may not have HIPAA/PCI/SOX/etc requirements. This is in the planning stages. Any of you have experience heading down this route? PCIDSS doesn't explicitly state problems with virtual firewalls, it seems to focus on the logic of the rules.

Thanks!
Re: virtual firewalls -- compliance
From: Jeremiah

I have done this - where the various firewall interfaces are bridged to real, isolated NICs, and to virtual internal networks that connect to VMs with specific services.

The mistake is to think of VMware as an additional security measure. It can be configured in a way to enforce a security architecture or policy - but is not itself a mitigating factor.

It is a good way to partition a server for multiple Internet workloads - SMTP smarthost on one VM, SSL web server on another, webmail server on a third, and the firewall on a fourth. No one connects to the Internet except through the firewall. No VM connects to another except through vnets that the firewall enforces policy on. At the cost of a couple of NICs, you can assign a specific DMZ to each of these hosts - not a bad strategy, if clearly planned.

As a technology I view its use similarly to chrooted environments. Policy-based isolation - but extending to the network, not just the filesystem.

-- Jeremiah
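The per-service DMZ layout Jeremiah describes (one vnet per workload, firewall VM in the middle, nothing crossing segments without an explicit rule) can be written down as a policy table and checked before anyone trusts the hypervisor to enforce it. The script below is an added example, not Jeremiah's configuration or any vendor's; the interface names, segment names and the allow-list are constructed assumptions. It renders a default-drop nftables forward chain from the table, gives the verdict for any candidate flow, and lists the VM-to-VM paths an assessor would ask you to justify.

```python
"""Policy model for a multi-DMZ firewall VM: each service VM sits on its own
virtual network behind the firewall, and no traffic crosses segments unless
the allow-list says so. Names below are assumptions for illustration."""

from dataclasses import dataclass

# Assumed firewall-VM interfaces: one bridged to the real external NIC and
# one internal vnet per service VM. "ext" is the untrusted side.
SEGMENTS = {
    "ext": "eth-ext",            # bridged to the isolated physical NIC
    "smtp": "vnet-smtp",         # SMTP smarthost VM
    "web": "vnet-web",           # SSL web server VM
    "webmail": "vnet-webmail",   # webmail VM
}


@dataclass(frozen=True)
class Rule:
    src: str    # segment the flow enters from
    dst: str    # segment the flow is delivered to
    proto: str  # "tcp" or "udp"
    dport: int


# Constructed allow-list: only the flows each workload needs. Anything else,
# including one VM talking directly to a neighbouring VM, is dropped.
POLICY = [
    Rule("ext", "smtp", "tcp", 25),       # inbound mail to the smarthost
    Rule("ext", "web", "tcp", 443),       # HTTPS to the web server
    Rule("ext", "webmail", "tcp", 443),   # HTTPS to webmail
    Rule("smtp", "ext", "tcp", 25),       # smarthost relaying outbound mail
    Rule("webmail", "smtp", "tcp", 25),   # webmail submits via the smarthost only
]


def verdict(policy, src, dst, proto, dport):
    """Decide what the forward chain does with a new (not yet established)
    flow. Only an explicit rule yields "accept"; the default is "drop"."""
    if src not in SEGMENTS or dst not in SEGMENTS:
        raise ValueError(f"unknown segment: {src!r} -> {dst!r}")
    if src == dst:
        # Same-segment traffic never reaches the firewall's forward chain.
        return "not-forwarded"
    for r in policy:
        if (r.src, r.dst, r.proto, r.dport) == (src, dst, proto, dport):
            return "accept"
    return "drop"


def render_nft(policy):
    """Emit an nftables ruleset implementing the allow-list: default-drop
    forward chain, stateful return traffic, logged drops. Text only; nothing
    is applied to the running system."""
    lines = [
        "table inet fwvm {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for r in policy:
        lines.append(
            f'    iifname "{SEGMENTS[r.src]}" oifname "{SEGMENTS[r.dst]}" '
            f"{r.proto} dport {r.dport} ct state new accept"
        )
    lines += ['    log prefix "fwvm-drop: " drop', "  }", "}"]
    return "\n".join(lines)


def find_lateral_paths(policy):
    """Audit helper: every allowed VM-to-VM flow (neither end is 'ext').
    Each of these is a deliberate exception to full isolation."""
    return [(r.src, r.dst, r.proto, r.dport) for r in policy
            if r.src != "ext" and r.dst != "ext"]


if __name__ == "__main__":
    print(render_nft(POLICY))
    print("web -> smtp:25:", verdict(POLICY, "web", "smtp", "tcp", 25))
    print("lateral paths:", find_lateral_paths(POLICY))
```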
RE: virtual firewalls -- compliance
From: Srini

I don't think there is any restriction on using virtual firewalls as long as it is deployed in the network to protect card holder servers. PCIDSS does not exactly define actual requirements of security devices. Based on my interpretation of standards and typical industrial best practices, I have put some text here at: http://netsecinfo.blogspot.com/2008/03/pci-dss-utm-technology-requirements.html

I hope it helps.

Thanks
Srini
RE: virtual firewalls -- compliance
From: Craig Wright

PCI-DSS v1.1 states at 1.4 "Prohibit direct public access between external networks and any system component that stores cardholder data"

A virtual system is a direct access. You have trusted and untrusted on the same component. HIPAA is worse. You have a number of hosts at different levels shared. This is a lawsuit waiting to occur.

Other standards are the same. All I have to say is this is a BAD idea. BAD!

Regards,
Craig Wright (GSE-Compliance)
Manager, Risk Advisory Services, BDO Kendalls (NSW-VIC) Pty. Ltd.
Re: virtual firewalls -- compliance

It is true that it doesn't say anything about whether the firewalls need to be physical devices or not. The only thing I would be wary of is what is coming down in the next version, which is supposed to be out in a couple of months.
Re: virtual firewalls -- compliance

denies running your firewalls in virtualization. However, unless the purpose of the firewall is strictly to manage the traffic in and out of virtual servers on the same host the firewall is on, I would strongly advocate not virtualizing your firewall. Virtualization has obvious wonderful performance and cost benefits, but placing your security devices into it has the potential to greatly increase their exposure. There was an excellent presentation done at last year's SANSFire which demonstrated multiple ways to jump from a virtual guest to the host... and therefore have the ability to do anything you want to any guest on that system.

So unless this is for a lab environment, spend a few extra bucks and buy hardware for your firewalls. You'll be glad you did.
Re: virtual firewalls -- compliance
From: Ron

I may be old fashioned, but for me (and the environment I admin) firewalls need to be dedicated systems, running on dedicated hardware with discrete physical network interfaces. While I'm all for virtualization of application servers, in a security role I can't support the concept of a security device sharing its hardware with any other applications in a production environment, as the benefits (space, power, HVAC, cost savings, etc.) are outweighed by the additional possible attack vectors that would be introduced by the host system and neighboring VMs.

Also, while I am not aware of any specific reference to this in the various regulatory requirements, one of the questions asked of me in a recent HIPAA audit was something to the effect of "do any of your network perimeter devices serve any purpose other than that of security and access control?"

Just my opinion though :-)

Cheers!
Ron
Re: virtual firewalls -- compliance

That's an interesting problem. For PCI - at least in my interpretation (please correct me if you do these assessments for a living) - as long as the VM parent, or the Linux VM children, are not controlled or accessed by other customers and you as the provider (or whoever manages the box) adhere to the DSS requirements, it should audit well. It's about segregation, logical or physical; as long as a client doesn't have access to break out and tamper with config which could alter their segregation, I think it's fine.

Now, if you're going to host multiple customers behind those firewalls, you'll want to VLAN each of them and probably not share a netblock among them - again for isolation purposes.

But again... I'm not specialized in this area. If you find the answer to this, please let me know. I'd love to get this straight as well.
Re: virtual firewalls -- compliance
From: David M. Zendzian

I've been thinking about this one for a while as I have both a hosting service & do PCI work on an almost daily basis. What I have come to conclude is that you will most likely want to put your firewall devices (virtual or otherwise) on different physical hardware from the other application servers you are running. You will also want to be sure that the external firewall segments are plugged into different switches from your internal segments (different physical devices are better than VLANs).

Now you can set it up having your firewalls as just another virtual machine, but life will be easier to show separation of duties, "one primary use" (yes, vmware/xen/etc will all have multiple servers together, and it depends on the assessor validating your environment), but I personally feel that firewall and networking devices are definitely different functions than application/web/db/mail/... servers, and as such I recommend that firewall devices be on different physical devices from your other application servers.

I would also like to point out that within the virtual host server, you will find that both network & server requirements are mixed together, as you are most likely bringing multiple VLANs into the host server and then allocating access to each VLAN (bridges under xen, etc.) to each virtual server. As such, you now have network & server characteristics combined into a single device. This will make it more difficult to show that each component is properly configured, maintained & monitored. You will need to be sure to have all of your documentation in order and use as many tools as possible to standardize how each function is maintained and securely monitored. Also, will the virtual host machine be maintained by the same core team as the firewall / database / web / mail / etc. services?

And you mentioned PCI doesn't specifically mention virtual firewalls; that is true, but it does specify firewall/router/server configuration standards, policies, change management, security monitoring and a host of other requirements that will need to be met even if you have only one customer needing to have compliant services.

Good luck

David M. Zendzian
Managing Partner
ZZ Servers, LLC: http://www.zzservers.com

PS you may want to consider other platforms if you are reselling virtualization ;)
Re: virtual firewalls -- compliance
From: Babu

Hi,

Are you a service provider trying to provide secure access to your customers using a virtual firewall? If so, you need to consider the following:

- Whether to use OS-based virtualization (OpenVZ type) or hypervisor-based virtualization (Xen/VMware type)
- Performance implications of virtual firewalls. They tend to be lower compared to physical devices due to binary translation/instruction conversion.
- Usage of Intel-VT/AMD-V as underlying hardware
- Inter-VM access control issues.

Thanks,
Babu
RE: virtual firewalls -- compliance
From: Dan Lynch

I find this discussion interesting from a slightly different angle than the perspective of PCI or other standards compliance.

I tend to agree with Craig's view that there is inadequate segregation between guests running on different VMs of the same host, whether they be application servers or virtualized security appliances. There are multiple demonstrated guest breakout techniques for nearly all virtualization technologies.

Still, let me directly quote the supervisor of our Windows admin team:

> "Department of Homeland Security and NSA have certified the VMware virtual switch and OS as being equivalent to physical separation."

He's referring to ESX3 -- the platform on which his group hopes to run multiple virtualized DMZ-based public Windows Server 2003 web servers, with the host OS directly connected to a private internal network. This is a strategy on which I requested comments from the list only a few weeks ago.

Thoughts?

Dan Lynch, CISSP
Information Technology Analyst
County of Placer
Auburn, CA
RE: virtual firewalls -- compliance
From: Craig Wright

From a compliance perspective, separate devices is just that. It does not matter if virtual hosts do or do not work; they are the same device and thus are a single device with multiple purposes.

Whether you can or if it will work is irrelevant. This is something where a breach is decided in court. As such, all that matters is how a judge will read this.

Craig

Craig Wright
Manager, Risk Advisory Services, BDO Kendalls (NSW-VIC) Pty. Ltd.
Re: virtual firewalls -- compliance
From: Chris

<soap box>
Personally, I hate using specs to try and define the level of security. They tend to reflect the lowest common denominator and motivate organizations to "audit well" rather than perform a true risk analysis and deploy a security solution which matches that business need.
</soap box>

The above specs are general enough that a pass/fail is going to depend on who is doing the analysis. For example, as you mentioned above, section 1 of PCI does not define a required architecture for a firewall. So if you are running virtual it's going to depend on the auditor's interpretation of PCI as to whether you pass/fail. Of course these days auditing is a commodity. If you don't like the results you get from one auditor, simply bring in another. There is nothing in PCI that says you can't do that. ;-)

I think the bigger question here is "Is virtualizing a perimeter device a good idea for our environment?". It certainly has some pluses in that it can reduce hardware costs and simplify management. I can see where virtualization would be attractive to anyone selling a managed security solution. This is why you are seeing companies like Fortinet, Juniper, Cisco, Checkpoint, etc. moving their higher end products into this arena.

When we start asking ourselves "is it safe?" however, I think the answer changes a bit. If I'm running two virtual firewalls for two different clients, I'm relying on bug free software to maintain that separation. Personally I have yet to see a single vendor prove they can write code well enough for that. In my travels I've seen clients get whacked because they have relied on VLANs to segregate their DMZ and internal network (which can be argued is a "virtual system" because it's nothing more than multiple virtual switches running on a single piece of hardware). So now let's move that problematic technology to the underlying architecture of the firewall... and what could possibly go wrong. ;-)

So the bottom line is I would rely on a risk assessment rather than a specification to decide if it's a good idea. If from a business perspective the benefits outweigh the potential security risks, you are good to go. If you decide virtual systems introduce too much of a risk exposure, avoid the implementation.

HTH,
Chris
Re: virtual firewalls -- compliance
From: David M. Zendzian

I would disagree with the premise that virtual servers conflict with the single function requirement, because the function of a virtual server is to provide virtualized servers and as such is a logical equivalent of mainframe logical partitions (a less mature equivalent, but similar model). Yes, I will agree that current virtualization is nowhere as mature as mainframe logical partitions. However, given the need and path the technology is going, those controls will advance to such a point that virtualization will have similar acceptance as logical partitions currently do. I would also point out that you can get mainframe based virtualization from IBM and that shared hosting and mainframe systems are able to meet the intent of PCI and other compliance requirements.

So I basically see the host virtualization server as having one primary service, which is to run controlled virtualized servers; each of those virtual servers would then have its own host requirements. For it to meet the various compliance requirements the host server will need to have extensive controls to mitigate the risks inherent to virtualization, but I believe that the intent of the control requirements can be met with existing tools and technologies.

As for the exploits out there... there will always be exploits and the cat-n-mouse game between hackers and IT personnel, but there is also the balance between security and cost. I know many readers of this list subscribe to a zero tolerance policy, but not every ecommerce site is going to spend 2000+ per month plus 50k in hardware to sell online. In fact, if we follow the model of single use and prior exploits, people would have to use dedicated equipment for: Firewalls, Load Balancers, Switches, Routers, Web Servers, Database Servers, DNS servers, etc... Just about everything in the past has had exploits, but does that mean we can't use them in a compliant environment? Or does it mean that we are unable to use them in a hosted environment? Does that mean that we have to get rid of all mainframes if they are providing virtual configurations or not the same function on all logical partitions? How about databases? With the use of stored procedures, databases are more than storage repositories; they are actually part of the applications that use them. If we have multiple applications, all doing extensive stored procedures and application hooks, does that mean we can't use them in a compliant environment because it is not single function or that an exploit in one application could affect the others?

So what is the solution? Totally secure the environment to a point where operations and security cost more than the environment brings in, or find a combination of best practices that allows a business to hopefully make more than it costs to operate.

From an assessor's viewpoint, I do not think that anyone can say virtualization is plug-n-play accepted; it will come down to configuration standards, expertise of the team, tools and techniques in use and how the assessment of these controls goes (the same controls could be in use in multiple companies, but the level of expertise of the staff and the deployment and use of tools can vary widely). Like it was said before, it will come to a judge's ruling if there was negligence or incompetence involved in a compromise. Just saying broadly that there are risks and possible exploits for a system does not make someone negligent in their duties by deploying such a system.

So how about instead of just dissing the idea and looking for why it can't be done, we instead have a discussion on how did these other technologies become accepted for hosting use and what will it take to meet the intent of the compliance requirements.

Regards
David M. Zendzian

PS And yes I have a vested interest in this as I am a Managing Partner with ZZ Servers, a Business Hosting provider that provides not only virtual firewalls but also virtual servers that are commonly used in combination with colocated and leased services. I also am QSA certified and would rather spend my time working with partners on how to best secure and understand their environment than tell them that they "can't do that" and to just close up shop or go out & spend 100K for a "Real" solution :-D
>> >> BDO Kendalls is a national association of separate >> partnerships and entities. Liability limited by a scheme >> approved under Professional Standards Legislation. >> -----Original Message----- >> >> From: listbounce@... >> [mailto:listbounce@...] On Behalf Of Terry >> Sent: Friday, 9 May 2008 5:37 AM >> To: firewalls@... >> Subject: virtual firewalls -- compliance >> >> Hello all, >> >> I am throwing around the idea of using linux firewalls in >> vmware for customer environments. The customers may or may >> not have HIPAA/PCI/sOX/etc requirements. This is in the >> planning stages. Any of you have experience heading down >> this route? PCIDSS doesn't explicitly state problems with >> virtual firewalls, it seems to focus on the logic of the rules. >> >> Thanks! >> >> >> > > > |
Re: virtual firewalls -- compliance
One more note on this topic.

In doing some searches I found the following PCI discussion regarding 2.2.1 (single use of machine): http://forum.aegenis.com/archive/index.php?t-61.html I know this won't settle the argument :) but hopefully it will continue the discussion (offline?) where people can determine what is needed to accept virtualization for both firewalls and production servers in compliant environments.

David
Re: virtual firewalls -- compliance
All,

Just wanted to throw this in - we're using a virtual firewall from Stonesoft (see link) in our environment: http://www.stonesoft.com/en/products_and_solutions/solutions/technology_solutions/virtual_environments/ It's been certified by ICSA labs as PCI compliant and multiple virtual firewalls can be centrally managed. I've also heard that their IPS product will be certified for use soon.

Sam
Firewall Administrator
RE: virtual firewalls -- compliance
See "Santa Claus, Unicorns, and PCI Compliant Products". There's no such thing as a "PCI Compliant" product (excepting PEDs).

Note: There is a "Listing of PCI Security Standards Council Approved PIN Entry Devices" at: https://www.pcisecuritystandards.org/pin/pedapprovallist.html. The PEDs are the only products to have PCI SSC approval.

Strange... A Google search on "site:www.icsalabs.com PCI Stonesoft" gets nothing. Stonesoft is ICSA Labs certified - it is not a PCI compliant product, as there is no such thing. ICSA is testing Web Application Firewalls for PCI-DSS standards compatibility - this is not the same thing: http://www.icsalabs.com/icsa/topic.php?tid=8913$2e2258c8-68384de7$d1d5-02872c54 Notice that Stonesoft is not a WAF. I do not even know of a PCI "Product capability assurance report" for Stonesoft. If there is, it is really new - that is, after this email.

Next, Stonesoft is ONLY ICSA certified in NAT mode and NOT bridge mode. If you read the report you will see:

"The StoneGate was a router-based product that packet filtered network services inbound and outbound. While the Stonegate does support an IP only bridging mode, the product was configured in NAT mode for inbound and outbound services"

On top of this, there are issues that have to be addressed when installing it to make it pass a PCI audit. In the ICSA test there were a number of issues that Stonesoft needed to fix:

"The following logging criteria violations were found by the Network Security Lab team during testing and addressed by Stonesoft Inc:
- The product did not log certain ICMP messages sent directly to or through it.
- The product did not log certain raw IP Protocols directed to or through it.
- The product allowed TCP packets inbound and outbound without a properly established TCP session for RSSP services.
- The product was susceptible to a variety of trivial Denial-of-Service attacks.
- The product incorrectly terminated TCP connections when sent spoofed/invalid RST packets."

So it is NOT PCI compliant. It may be set up within a control framework that could be PCI compliant; this is NOT the same thing.

Regards,
Craig Wright GSE

Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright@...
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497
http://www.bdo.com.au/

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of styler
Sent: Wednesday, 11 June 2008 10:40 PM
To: firewalls@...
Subject: Re: virtual firewalls -- compliance

All,

Just wanted to throw this in - we're using a virtual firewall from Stonesoft (see link) in our environment: http://www.stonesoft.com/en/products_and_solutions/solutions/technology_solutions/virtual_environments/ It's been certified by ICSA labs as PCI compliant and multiple virtual firewalls can be centrally managed. I've also heard that their IPS product will be certified for use soon.

Sam
Firewall Administrator

Sent from the Firewall (securityfocus.com) mailing list archive at Nabble.com.