RE: PCI / AV / Linux DB Servers

From: Uzzell, Stephan <SUzzell_at_MICROS.COM>
Date: Fri, 31 Jan 2014 22:16:17 +0000
Message-ID: <bd1c4d18a3f540669c8494af80338d0c_at_USMAIL2K1303.us.micros.int>



Hi Dimitre (and as a followup to what Tim suggested),

The problem is apparently not the network zoning - apparently all of that exists. The problem is that we have since long before PCI had a standard of allowing access to our DB servers more broadly than we ought. Scaling that back is going to be the challenge, and until and unless that changes, making it through PCI certification is going to be a special level of fun.

I do want to thank everyone who contributed - even if only a sense of horror at our current setup - you've helped confirm we (the DBAs) are pointing in the direction we ought...

Stephan Uzzell

From: Radoulov, Dimitre [mailto:cichomitiko_at_gmail.com] Sent: Friday, 31 January, 2014 17:05
To: Uzzell, Stephan
Cc: oracle-l_at_freelists.org
Subject: Re: PCI / AV / Linux DB Servers

Hi Stephan,

On 31/01/2014 18:23, Uzzell, Stephan wrote: That's something we've discussed. However, we have some application servers (multi-customer environment) where the application servers are available via public internet. This is primarily for customers that are not large enough to invest in MPLS or a VPN. While we are absolutely on board with removing the internet access from our DB servers, I don't think we can cut the entire datacenter off.... So with some servers necessarily exposed, how do we protect the DB servers (my area of concern)?

I've never seen a corporate data center directly exposed on the Internet, but that's only my personal experience. I'm not a network & security guy, but as Tim already pointed out, the first security layer is usually the DMZ, where external-facing services are exposed through modern network devices that combine security, load balancing, content switching, SSL acceleration and IDS (Intrusion Detection System). Access is usually permitted by exact server:port-to-server:port mapping and there are often additional firewalls between FE and BE.
And that's not all. Every server is hardened at OS level, with the principle of least privilege in mind. Regarding your last question, in a nutshell, only trusted hosts should have access to your database servers. If the cost of the specialized hardware is considered too high (?!), the bare minimum I can think of is to use the OS native tools like SELinux and iptables.

Regards
Dimitre

--
http://www.freelists.org/webpage/oracle-l
Received on Fri Jan 31 2014 - 23:16:17 CET
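The "only trusted hosts" baseline Dimitre describes, and the overly broad access Stephan wants to scale back, as an added shell example that is not code from this thread or from any list member: one function generates a host-based iptables policy (iptables-restore format) admitting the listener port only from an explicit list of hosts, and a second audits an iptables-save dump for ACCEPT rules that open that port with no source restriction. Port 1521 (the Oracle listener) and the 10.0.1.x addresses are assumed sample values.

```shell
#!/bin/sh
# Added example, not code from the thread. Generates a host-based iptables
# policy that admits the database listener port only from named trusted hosts,
# and audits an iptables-save(8) dump for rules that open that port more widely.
# 1521 (Oracle listener) and the 10.0.1.x addresses are assumed sample values.

# gen_db_rules PORT TRUSTED_HOST [TRUSTED_HOST ...]
# Prints an iptables-restore(8) fragment for the filter table. Default policy
# on INPUT is DROP; only the listed hosts may open new connections to PORT.
gen_db_rules() {
    port=$1; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    for host in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -s $host --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Log, then drop, anything else aimed at the listener: the log line is the
    # detection signal for hosts that still expect the old, broader access.
    printf '%s\n' "-A INPUT -p tcp --dport $port -j LOG --log-prefix \"DB-DENY: \""
    printf '%s\n' "-A INPUT -p tcp --dport $port -j DROP"
    printf '%s\n' 'COMMIT'
}

# audit_db_rules PORT < iptables-save-output
# Prints every ACCEPT rule for PORT that has no -s source restriction, or a
# /0 source, and returns non-zero if any such rule was found.
audit_db_rules() {
    port=$1
    bad=0
    while IFS= read -r line; do
        case $line in
            *"--dport $port "*"-j ACCEPT"*)
                case $line in
                    *" -s "*)
                        src=${line#* -s }
                        src=${src%% *}
                        case $src in
                            */0) printf 'BROAD: %s\n' "$line"; bad=1 ;;
                        esac ;;
                    *) printf 'BROAD: %s\n' "$line"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

# Usage (hosts are constructed sample values):
#   gen_db_rules 1521 10.0.1.10 10.0.1.11 > /etc/iptables/db.rules
#   iptables-save | audit_db_rules 1521
```

The audit only flags rules with no source or a /0 source; a rule admitting a whole /8 would pass it, so the allowed prefix width is a site decision to add to the check. Loading the generated fragment replaces the filter table, so run the audit against the current iptables-save output first to see which application hosts would lose access.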
