WTF is a Managed Firewall?
-
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
and this one says:
https://www.pcidss.com/listing-category/managed-firewall-services/
A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).
That site is full of cookies, but doesn't ask permissions... and their SSL cert doesn't cover the whole site!
This was before I went to the PCI Site.
Gotcha. Just a heads up that you had a browser full of red flags as to that site not being legit. Their glossary of a random term was accurate. But other than that, it's just a random site advertising to people looking for PCI info. Nothing on the site is useful to you, regardless of having been to the PCI site or not. It's an invalid resource just in general.
-
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
and this one says:
https://www.pcidss.com/listing-category/managed-firewall-services/
A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).
That site is full of cookies, but doesn't ask permissions... and their SSL cert doesn't cover the whole site!
This was before I went to the PCI Site.
Gotcha. Just a heads up that you had a browser full of red flags as to that site not being legit. Their glossary of a random term was accurate. But other than that, it's just a random site advertising to people looking for PCI info. Nothing on the site is useful to you, regardless of having been to the PCI site or not. It's an invalid resource just in general.
Thanks for the heads up.
-
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
-
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Install and maintain a firewall
That's the requirement
-
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
-
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
Well - according to Scott - these are pretty much common sense things, and not doing them while claiming to be an IT professional would be professional negligence.
-
@Dashrender said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
Well - according to Scott - these are pretty much common sense things, and not doing them while claiming to be an IT professional would be professional negligence.
Oh, I understand that.
It's common sense ;
-
@WrCombs said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Install and maintain a firewall
That's the requirement
Exactly as you would expect it to say... nothing stupid like "Managed Firewall".
-
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
All of the requirements, the real ones, are low effort, easily accomplished, and have no political agenda. They result in straight security practices, not in pushing you to specific vendors, products, etc. Nor do they encourage odd or bad behaviour. They are simple and basic, allowing you room to interpret based on what would actually be good security for your specific environment.
-
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
@scottalanmiller said in WTF is a Managed Firewall?:
@WrCombs said in WTF is a Managed Firewall?:
from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security
Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.
how?
All of the requirements, the real ones, are low effort, easily accomplished, and have no political agenda. They result in straight security practices, not in pushing you to specific vendors, products, etc. Nor do they encourage odd or bad behaviour. They are simple and basic, allowing you room to interpret based on what would actually be good security for your specific environment.
Oh yeah, that makes sense.
-
Check out the FortiGate product. Fortinet offers documentation on setup of their firewalls for PCI DSS compliance:
https://help.fortinet.com/fos60hlp/60/Content/FortiOS/fortigate-compliance/PCI-DSS.htm?Highlight=PCI
They offer a subscription service whereby they manage patches/updates for their firewalls as well as monitoring (specifically, logging; to me it really isn't monitoring) in order to match the "managed firewall" checkbox. Now, I only have a little experience with FortiGates, as we just installed one in our data center because we have a customer requesting us to be compliant (for no apparent reason other than they want us to be; we do not store credit card data and do any processing via an HTTPS web site).