WTF is a Managed Firewall?

Dashrender

This blog post - while not the actual law - seems to talk about several of the requirements.
https://www.securitymetrics.com/blog/firewall-pci-compliance-5-things-youre-doing-wrong

@WrCombs said in WTF is a Managed Firewall?:

this what I found @Dashrender From this website:https://blog.rsisecurity.com/pci-compliance-firewall-requirements-pci-dss-req-1/

This is still not the actual PCI compliance regulation...

DustinB3403

@Dashrender said in WTF is a Managed Firewall?:

This is still not the actual PCI compliance regulation...

To be fair the actual regulation could state that you need a literal wall of fire being managed by someone who keeps it burning by throwing gasoline and wood onto it.

Dashrender

@DustinB3403 said in WTF is a Managed Firewall?:

@Dashrender said in WTF is a Managed Firewall?:

This is still not the actual PCI compliance regulation...

To be fair the actual regulation could state that you need a literal wall of fire being managed by someone who keeps it burning by throwing gasoline and wood onto it.

lol - great, actually, let's hope it is, that's so much easier to manage

WrCombs

@Dashrender said in WTF is a Managed Firewall?:

@DustinB3403 said in WTF is a Managed Firewall?:

@Dashrender said in WTF is a Managed Firewall?:

This is still not the actual PCI compliance regulation...

To be fair the actual regulation could state that you need a literal wall of fire being managed by someone who keeps it burning by throwing gasoline and wood onto it.

lol - great, actually, let's hope it is, that's so much easier to manage

I've sited 3 different things, along with @IRJ
the guileline outlined in my post says "Must install and maintain Firewall"

Nothing about a managed firewall.

scottalanmiller

@WrCombs said in WTF is a Managed Firewall?:

title says it all; Aren't all Firewalls Managed???

No, the majority are just abandoned. A managed firewall is a service by which a company manages a firewall.

WrCombs

@scottalanmiller said in WTF is a Managed Firewall?:

@WrCombs said in WTF is a Managed Firewall?:

title says it all; Aren't all Firewalls Managed???

No, the majority are just abandoned. A managed firewall is a service by which a company manages a firewall.

so we have to hire a company to manage our firewall?

JaredBusch

Official website of the PCI Security Standards Council: https://www.pcisecuritystandards.org/document_library

scotth

@WrCombs said in WTF is a Managed Firewall?:

@scottalanmiller said in WTF is a Managed Firewall?:

@WrCombs said in WTF is a Managed Firewall?:

title says it all; Aren't all Firewalls Managed???

No, the majority are just abandoned. A managed firewall is a service by which a company manages a firewall.

so we have to hire a company to manage our firewall?

No

JaredBusch

https://www.pcisecuritystandards.org/pci_security/glossary#F

https://www.pcisecuritystandards.org/pci_security/glossary#M

scotth

Earlier, he mentioned that his company's payment processor was pushing this on them.

WrCombs

@scotth said in WTF is a Managed Firewall?:

Earlier, he mentioned that his company's payment processor was pushing this on them.

Yeah, I dont know what the hell is going on ; just something that was brought up in the office, and we cant be PCI compliant until we have this ; so That's why i was wondering.

Dashrender

@WrCombs said in WTF is a Managed Firewall?:

@scottalanmiller said in WTF is a Managed Firewall?:

@WrCombs said in WTF is a Managed Firewall?:

title says it all; Aren't all Firewalls Managed???

No, the majority are just abandoned. A managed firewall is a service by which a company manages a firewall.

so we have to hire a company to manage our firewall?

No of course not - it means that someone - anyone - has to be responsible for it - and that person/team should be updating it regularly.

scottalanmiller

@WrCombs said in WTF is a Managed Firewall?:

@scottalanmiller said in WTF is a Managed Firewall?:

@WrCombs said in WTF is a Managed Firewall?:

title says it all; Aren't all Firewalls Managed???

No, the majority are just abandoned. A managed firewall is a service by which a company manages a firewall.

so we have to hire a company to manage our firewall?

Managed Firewall = A firewall with a managed service.

You don't need it, but if you want to call it that, then yes.

It's like having a "hosted server" and asking "what's a hosted server", and the answer is "a server someone hosts for you." Does that mean that you need one? No, you can just use a server normally.

scottalanmiller

@scotth said in WTF is a Managed Firewall?:

Earlier, he mentioned that his company's payment processor was pushing this on them.

Then yes, this implies that the payment process doesn't consider any of their customers to be capable to manage a firewall. Says something about what the payment processor thinks of itself, but they probably know best.

Dashrender

@JaredBusch said in WTF is a Managed Firewall?:

https://www.pcisecuritystandards.org/pci_security/glossary#F

https://www.pcisecuritystandards.org/pci_security/glossary#M

this - @WrCombs this is what you take to your boss and say - these are the PCI compliance requirements, the thing you have to follow. Since this says nothing about a managed firewall, then you don't need to worry about 'managed' firewall from a PCI POV... now the processor might have their own additional shit you have to worry about.. but get that crap in writing so you know exactly what they expect from you.... that should have been part of the agreement your company signed when they started using the processor.

Oh - and thank JB for finding that for you - that's what I was edging you to do on your own - helping you learn research - JB's kinda a god at finding documentation...

JaredBusch

@Dashrender said in WTF is a Managed Firewall?:

@JaredBusch said in WTF is a Managed Firewall?:

https://www.pcisecuritystandards.org/pci_security/glossary#F

https://www.pcisecuritystandards.org/pci_security/glossary#M

this - @WrCombs this is what you take to your boss and say - these are the PCI compliance requirements, the thing you have to follow. Since this says nothing about a managed firewall, then you don't need to worry about 'managed' firewall from a PCI POV... now the processor might have their own additional shit you have to worry about.. but get that crap in writing so you know exactly what they expect from you.... that should have been part of the agreement your company signed when they started using the processor.

Oh - and thank JB for finding that for you - that's what I was edging you to do on your own - helping you learn research - JB's kinda a god at finding documentation...

That is a glossary. not the specifications.

scottalanmiller

@WrCombs said in WTF is a Managed Firewall?:

@scotth said in WTF is a Managed Firewall?:

Earlier, he mentioned that his company's payment processor was pushing this on them.

Yeah, I dont know what the hell is going on ; just something that was brought up in the office, and we cant be PCI compliant until we have this ; so That's why i was wondering.

Yes you can, someone is just full of shit trying to sell you something.

As always... do as you are told, but recognize when someone is full of crap and making up am implausible lie. Don't repeat obvious lies as if they were true, but accept that your business is run by idiots who don't know what is plausible, what is true, etc.

So YOUR business must now believe this, so let it go. They've decided to say anything to justify doing what they want. It's that simple. It's not your place at work to disagree. But outside of work, don't act like this as any foundation in reality. It's purely made up.

scottalanmiller

@Dashrender said in WTF is a Managed Firewall?:

@WrCombs said in WTF is a Managed Firewall?:

@scottalanmiller said in WTF is a Managed Firewall?:

@WrCombs said in WTF is a Managed Firewall?:

title says it all; Aren't all Firewalls Managed???

No, the majority are just abandoned. A managed firewall is a service by which a company manages a firewall.

so we have to hire a company to manage our firewall?

No of course not - it means that someone - anyone - has to be responsible for it - and that person/team should be updating it regularly.

The problem here is that it's not a technical term, it's a marketing term. One used almost exclusively by ISPs. So you can't manage it yourself and claim to be doing this, that doesn't fit any standard use of the term.

WrCombs

@Dashrender said in WTF is a Managed Firewall?:

@JaredBusch said in WTF is a Managed Firewall?:

https://www.pcisecuritystandards.org/pci_security/glossary#F

https://www.pcisecuritystandards.org/pci_security/glossary#M

this - @WrCombs this is what you take to your boss and say - these are the PCI compliance requirements, the thing you have to follow. Since this says nothing about a managed firewall, then you don't need to worry about 'managed' firewall from a PCI POV... now the processor might have their own additional shit you have to worry about.. but get that crap in writing so you know exactly what they expect from you.... that should have been part of the agreement your company signed when they started using the processor.

Oh - and thank JB for finding that for you - that's what I was edging you to do on your own - helping you learn research - JB's kinda a god at finding documentation...

I Literally found 4 documents that said the exact same thing. . . all of which came from the PCI site.

But Thanks @JaredBusch for posting it.

scotth

It's a pure money grab. You have to buy this from us or we'll shut you off, because gubament