From: Dobbins, Roland (rdobbinsarbor.net)
Date: Tue May 10 2011 - 01:47:58 CDT

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On May 10, 2011, at 1:40 PM, Tracy Reed wrote:

> If you have traffic going out to a high numbered port and you are not keeping state how do you know if that is a
> reply packet to an existing inbound connection or if it is an unauthorized outbound connection?

You use stateless ACLs to filter outbound traffic as well, only allowing traffic originating from required well-known ports to ephemeral high ports. This is a basic network access policy Best Current Practice (BCP). 'Client-side' traffic originating from the server, such as DNS lookups and so forth, should be channeled through a completely different NIC on a completely different, isolated segment with proxies and so forth. And all management access should take place via an OOB/DCN management network, on yet another NIC/segment.

And mod_security will pass PCI DSS audits just fine.

As PayPal's head of opsec was quoted recently, PCI DSS is too vague in many places, and is overly-specific in others. It should be re-factored to an outcomes-based model, IMHO.

-----------------------------------------------------------------------
Roland Dobbins <rdobbinsarbor.net> // <http://www.arbornetworks.com>

                The basis of optimism is sheer terror.

                          -- Oscar Wilde

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]