    WTF is a Managed Firewall?

    • WrCombs @JaredBusch

      @JaredBusch said in WTF is a Managed Firewall?:

      @WrCombs said in WTF is a Managed Firewall?:

      @Dashrender said in WTF is a Managed Firewall?:

      @JaredBusch said in WTF is a Managed Firewall?:

      https://www.pcisecuritystandards.org/pci_security/glossary#F

      245f8812-21e9-4ae7-858a-d671e4f2e213-image.png

      https://www.pcisecuritystandards.org/pci_security/glossary#M

      9a88d1a8-4ce4-4497-a10e-9515be32b051-image.png

      this - @WrCombs this is what you take to your boss and say - these are the PCI compliance requirements, the thing you have to follow. Since this says nothing about a managed firewall, then you don't need to worry about 'managed' firewall from a PCI POV... now the processor might have their own additional shit you have to worry about.. but get that crap in writing so you know exactly what they expect from you.... that should have been part of the agreement your company signed when they started using the processor.

      Oh - and thank JB for finding that for you - that's what I was edging you to do on your own - helping you learn research - JB's kinda a god at finding documentation...

      I literally found 4 documents that said the exact same thing... all of which came from the PCI site.

      But Thanks @JaredBusch for posting it.

      Nothing you linked was from the official website for the PCI Security Standards Council

      Because I got busy with calls I didn't have the chance to post it.

      • Dashrender @scottalanmiller

        @scottalanmiller said in WTF is a Managed Firewall?:

        @WrCombs said in WTF is a Managed Firewall?:

        I literally found 4 documents that said the exact same thing... all of which came from the PCI site.

        They listed a requirement?

        That was in reply to my comment that @WrCombs wasn't posting links to the official PCI documentation, but instead to random blogs around the inter-webs.

        • scottalanmiller @WrCombs

          @WrCombs said in WTF is a Managed Firewall?:

          @Dashrender said in WTF is a Managed Firewall?:

          @WrCombs said in WTF is a Managed Firewall?:

          @Dashrender said in WTF is a Managed Firewall?:

          @WrCombs said in WTF is a Managed Firewall?:

          Would a managed firewall mean: a firewall that is maintained? Such as firmware updates?
          If so, then any firewall would be a "managed firewall"...

          that's my take on it.

          Can you post the specific rule from PCI that this is in regard to?

          The rule that I was told during a class:

          To be PCI Compliant you have to have a Managed firewall with regular firmware / software updates as often as they come out.

          Don't care about what you were 'told.' Go look it up yourself... then you'll know what the actual rule states.

          I pulled that from my notes from that class ...

          Right. But the majority of teachers and cheap class material is fake. Classes can be good, but be prepared that people who teach that stuff rarely have any idea what they are teaching and no one cares. Your company bought the class and didn't look into the credibility, for example. So why would the teacher spend time getting the info right?

          The class is likely just a scam money grab, as is most stuff in this space. Be prepared to consider "authoritative sources" and common sense in these matters. PCI doesn't have this requirement, and common sense says it's not reasonable for PCI to have it as it has nothing to do with security.

          Learning to recognize teachers, mentors, bosses that don't know the basics is an important part of the job. Remember... the average person in the industry doesn't have the slightest clue, and can't let on to that without risking losing their jobs. Most people only keep their jobs by acting like they know to non-technical managers who never vet them.

          • scottalanmiller @Dashrender

            @Dashrender said in WTF is a Managed Firewall?:

            @WrCombs said in WTF is a Managed Firewall?:

            well now that I know more about it, I can shake my head when they hire a company to manage the firewall..
            I spoke up earlier and said I'd do it but they'd have to pay me to do it.. that was shut down quickly.

            Why would they have to pay you differently than they are now? You are already being paid. You're hourly, if you are working on the firewall, you're just getting your normal hourly rate. Just like the rest of us here.

            Right, hourly rates mean you never need to ask for money until you are renegotiating your hourly rate.

            A managed firewall is like a $10/mo item. It's dirt cheap from a third party.

            • WrCombs @Dashrender

              @Dashrender said in WTF is a Managed Firewall?:

              @WrCombs said in WTF is a Managed Firewall?:

              well now that I know more about it, I can shake my head when they hire a company to manage the firewall..
              I spoke up earlier and said I'd do it but they'd have to pay me to do it.. that was shut down quickly.

              Why would they have to pay you differently than they are now? You are already being paid. You're hourly, if you are working on the firewall, you're just getting your normal hourly rate. Just like the rest of us here.

              That's outside of my job as a Point of Sale tech.
              We don't even sell firewalls anymore.

              • scottalanmiller @WrCombs

                @WrCombs said in WTF is a Managed Firewall?:

                and this one says:
                https://www.pcidss.com/listing-category/managed-firewall-services/

                A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).

                That site is full of cookies, but doesn't ask permissions... and their SSL cert doesn't cover the whole site!

                • scottalanmiller @WrCombs

                  @WrCombs said in WTF is a Managed Firewall?:

                  and this one says:
                  https://www.pcidss.com/listing-category/managed-firewall-services/

                  A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).

                  That page is purely a glossary on a product advertising list, not a list of requirements. If you go into the directory tree, it's not telling you information about PCI requirements at all.

                  • WrCombs @scottalanmiller

                    @scottalanmiller said in WTF is a Managed Firewall?:

                    @WrCombs said in WTF is a Managed Firewall?:

                    and this one says:
                    https://www.pcidss.com/listing-category/managed-firewall-services/

                    A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).

                    That site is full of cookies, but doesn't ask permissions... and their SSL cert doesn't cover the whole site!

                    This was before I went to the PCI Site.

                    • scottalanmiller @WrCombs

                      @WrCombs said in WTF is a Managed Firewall?:

                      @Dashrender said in WTF is a Managed Firewall?:

                      @DustinB3403 said in WTF is a Managed Firewall?:

                      @Dashrender said in WTF is a Managed Firewall?:

                      This is still not the actual PCI compliance regulation...

                      To be fair the actual regulation could state that you need a literal wall of fire being managed by someone who keeps it burning by throwing gasoline and wood onto it.

                      lol - great, actually, let's hope it is, that's so much easier to manage 😉

                      I've cited 3 different things, along with @IRJ.
                      The guideline outlined in my post says "Must install and maintain Firewall"

                      Nothing about a managed firewall.

                      That's what all of us understand to be the requirement as well. We deal with PCI all the time, and this is the first I've heard of someone who thought a managed firewall was a requirement (or even a recommendation, normally managed firewalls are a huge risk.)

                      PCI guidelines are not like HIPAA, they are about actual security for the private sector. So generally you can predict what they will be because PCI is really just pushing for industry standard practices to not be overlooked. If something smells fishy, assume it is.

                      • scottalanmiller @WrCombs

                        @WrCombs said in WTF is a Managed Firewall?:

                        @Dashrender said in WTF is a Managed Firewall?:

                        @WrCombs said in WTF is a Managed Firewall?:

                        well now that I know more about it, I can shake my head when they hire a company to manage the firewall..
                        I spoke up earlier and said I'd do it but they'd have to pay me to do it.. that was shut down quickly.

                        Why would they have to pay you differently than they are now? You are already being paid. You're hourly, if you are working on the firewall, you're just getting your normal hourly rate. Just like the rest of us here.

                        That's outside of my job as a Point of Sale tech.
                        We don't even sell firewalls anymore.

                        That's never a valid answer. You are paid by the hour, there is no "scope" of work like that because doing extra work automatically means extra pay. That you don't sell firewalls is neither here nor there.

                        That there is no training or expertise or resources makes it unreasonable for them to expect you to have skills that they didn't ask you for or provide you a way to obtain, but you are already properly compensated for this. It's handled by the scope of the hourly work.

                        • WrCombs

                          from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

                          https://i.imgur.com/T6cPJdN.png

                          • scottalanmiller @WrCombs

                            @WrCombs said in WTF is a Managed Firewall?:

                            @scottalanmiller said in WTF is a Managed Firewall?:

                            @WrCombs said in WTF is a Managed Firewall?:

                            and this one says:
                            https://www.pcidss.com/listing-category/managed-firewall-services/

                            A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).

                            That site is full of cookies, but doesn't ask permissions... and their SSL cert doesn't cover the whole site!

                            This was before I went to the PCI Site.

                            Gotcha. Just a heads up that you had a browser full of red flags as to that site not being legit. Their glossary of a random term was accurate. But other than that, it's just a random site advertising to people looking for PCI info. Nothing on the site is useful to you, regardless of having been to the PCI site or not. It's an invalid resource just in general.

                            • WrCombs @scottalanmiller

                              @scottalanmiller said in WTF is a Managed Firewall?:

                              @WrCombs said in WTF is a Managed Firewall?:

                              @scottalanmiller said in WTF is a Managed Firewall?:

                              @WrCombs said in WTF is a Managed Firewall?:

                              and this one says:
                              https://www.pcidss.com/listing-category/managed-firewall-services/

                              A managed firewall service provides an outsourced, specialist function that configures and maintains firewalls. This provider ensures correct and secure functionality of firewalls, typically on a 24/7 basis from a PCI DSS compliant Secure Operations Centre (SOC).

                              That site is full of cookies, but doesn't ask permissions... and their SSL cert doesn't cover the whole site!

                              This was before I went to the PCI Site.

                              Gotcha. Just a heads up that you had a browser full of red flags as to that site not being legit. Their glossary of a random term was accurate. But other than that, it's just a random site advertising to people looking for PCI info. Nothing on the site is useful to you, regardless of having been to the PCI site or not. It's an invalid resource just in general.

                              Thanks for the heads up.

                              • scottalanmiller @WrCombs

                                @WrCombs said in WTF is a Managed Firewall?:

                                from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

                                https://i.imgur.com/T6cPJdN.png

                                Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.

                                • WrCombs @WrCombs

                                  @WrCombs said in WTF is a Managed Firewall?:

                                  from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

                                  https://i.imgur.com/T6cPJdN.png

                                  Install and maintain a firewall

                                  That's the requirement

                                  • WrCombs @scottalanmiller

                                    @scottalanmiller said in WTF is a Managed Firewall?:

                                    @WrCombs said in WTF is a Managed Firewall?:

                                    from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

                                    https://i.imgur.com/T6cPJdN.png

                                    Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.

                                    how?

                                    • Dashrender @WrCombs

                                      @WrCombs said in WTF is a Managed Firewall?:

                                      @scottalanmiller said in WTF is a Managed Firewall?:

                                      @WrCombs said in WTF is a Managed Firewall?:

                                      from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

                                      https://i.imgur.com/T6cPJdN.png

                                      Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.

                                      how?

                                      Well - according to Scott - these are pretty much common sense things, and not doing them while claiming to be an IT professional would be professional negligence.

                                      • WrCombs @Dashrender

                                        @Dashrender said in WTF is a Managed Firewall?:

                                        @WrCombs said in WTF is a Managed Firewall?:

                                        @scottalanmiller said in WTF is a Managed Firewall?:

                                        @WrCombs said in WTF is a Managed Firewall?:

                                        from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

                                        https://i.imgur.com/T6cPJdN.png

                                        Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.

                                        how?

                                        Well - according to Scott - these are pretty much common sense things, and not doing them while claiming to be an IT professional would be professional negligence.

                                        oh, I understand that.
                                        It's common sense ;

                                        • Dashrender @WrCombs

                                          @WrCombs said in WTF is a Managed Firewall?:

                                          @WrCombs said in WTF is a Managed Firewall?:

                                          from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

                                          https://i.imgur.com/T6cPJdN.png

                                          Install and maintain a firewall

                                          That's the requirement

                                          Exactly as you would expect it to say... nothing stupid like "Managed Firewall".

                                          • scottalanmiller @WrCombs

                                            @WrCombs said in WTF is a Managed Firewall?:

                                            @scottalanmiller said in WTF is a Managed Firewall?:

                                            @WrCombs said in WTF is a Managed Firewall?:

                                            from https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security

                                            https://i.imgur.com/T6cPJdN.png

                                            Yeah... all straightforward, common sense, appropriate stuff that would qualify as serious negligence regardless of PCI.

                                            how?

                                            All of the requirements, the real ones, are low effort, easily accomplished, and have no political agenda. They result in straight security practices, not in pushing you to specific vendors, products, etc. Nor do they encourage odd or bad behaviour. They are simple and basic, allowing you room to interpret based on what would actually be good security for your specific environment.
