WTF is a Managed Firewall?
-
@WrCombs said in WTF is a Managed Firewall?:
@Dashrender said in WTF is a Managed Firewall?:
@DustinB3403 said in WTF is a Managed Firewall?:
@Dashrender said in WTF is a Managed Firewall?:
This is still not the actual PCI compliance regulation...
To be fair the actual regulation could state that you need a literal wall of fire being managed by someone who keeps it burning by throwing gasoline and wood onto it.
lol - great, actually, let's hope it is, that's so much easier to manage
I've sited 3 different things, along with @IRJ
the guileline outlined in my post says "Must install and maintain Firewall"Nothing about a managed firewall.
That's what all of us understand to be the requirement as well. We deal with PCI all the time, and this is the first I've heard of someone who thought a managed firewall was a requirement (or even a recommendation, normally managed firewalls are a huge risk.)
PCI guidelines are not like HIPAA, they are about actual security for the private sector. So generally you can predict what they will be because PCI is really just pushing for industry standard practices to not be overlooked. If something smells fishy, assume it is.
-
@WrCombs said in WTF is a Managed Firewall?:
@Dashrender said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
well now that I know more about it, I can shake my head when they hire a company to manage the firewall..
I spoke up earlier and said I'd do it but they'd have to pay me to do it.. that was shut down quickly.Why would they have to pay you differently than they are now? You are already being paid. You're hourly, if you are working on the firewall, you're just getting your normal hourly rate. Just like the rest of us here.
That's outside of my Job as a Point of Sale tech.
We dont even sell firewalls anymore.That's never a valid answer. You are paid by the hour, there is no "scope" of work like that because doing extra work automatically means extra pay. That you don't sell firewalls isn't here nor there.
That there is no training or expertise or resources makes it unreasonable for them to expect you to have skills that they didn't ask you for or provide you a way to obtain, but you are already properly compensated for this. It's handled by the scope of the hourly work.
-
-
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
and this one says:
https://www.pcidss.com/listing-category/managed-firewall-services/A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).
That site is full of cookies, but doesnt' ask permissions... and their SSL cert doesn't cover the whole site!
This was before I went to the PCI Site.
Gotcha. Just a heads up that you had a browser full of red flags as to that site not being legit. Their glossary of a random term was accurate. But other than that, it's just a random site advertising to people looking for PCI info. Nothing on the site is useful to you, regardless of having been to the PCI site or not. It's an invalid resource just in general.
-
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
and this one says:
https://www.pcidss.com/listing-category/managed-firewall-services/A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).
That site is full of cookies, but doesnt' ask permissions... and their SSL cert doesn't cover the whole site!
This was before I went to the PCI Site.
Gotcha. Just a heads up that you had a browser full of red flags as to that site not being legit. Their glossary of a random term was accurate. But other than that, it's just a random site advertising to people looking for PCI info. Nothing on the site is useful to you, regardless of having been to the PCI site or not. It's an invalid resource just in general.
Thanks for the heads up.
-
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
-
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Install and maintain a firewallThat's the requirement
-
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
-
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
Well - according to Scott - these are pretty much common sense things, and not doing them while claiming to be an IT professional would be professional negligence.
-
@Dashrender said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
Well - according to Scott - these are pretty much common sense things, and not doing them while claiming to be an IT professional would be professional negligence.
oh, I understand that.
It's common sense ; -
@WrCombs said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Install and maintain a firewallThat's the requirement
Exactly as you would expect it to say... nothing stupid like "Managed Firewall".
-
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
All of the requirements, the real ones, are low effort, easily accomplished, and have no political agenda. They result in straight security practices, not in pushing you to specific vendors, products, etc. Nor do they encourage odd or bad behaviour. They are simple, and basic allowing you room to interpret based on what would actually be good security for your specific environment.
-
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
All of the requirements, the real ones, are low effort, easily accomplished, and have no political agenda. They result in straight security practices, not in pushing you to specific vendors, products, etc. Nor do they encourage odd or bad behaviour. They are simple, and basic allowing you room to interpret based on what would actually be good security for your specific environment.
Oh yeah, that makes sense.
-
Check out Fortigate product. FortiNet offers documentation on setup of their firewalls for PCI DSS compliance:
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-compliance/PCI-DSS.htm?Highlight=PCI
They office a subscription service whereby they manage patches/updates for their firewalls as well as monitoring (specifically, Logging, to me it really isn't monitoring) in order to match the "managed firewall" checkbox. Now, I only have a little experience with Fortigate's as we just installed one in our data center as we have a customer requesting us to be compliant (for no apparent reason other than they want us to be, we do not store credit card data and do any processing via https web site)
