Avatar of ocpshehzad
ocpshehzad
 asked on

Firewall settings for PCI Compliance

Dear Experts,

1. we are scanning our to check PCI Compliance of our server.

2. one of the reported vulnerability is dealing with firewall. below is the exact description of the issue:
Title: TCP reset using approximate sequence number Impact: A remote attacker could cause a denial of service on systems which rely upon persistent TCP connections. Resolution: To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp- nonios.shtml] non-IOS operating systems. Refer to [http://www.kb.cert.org/vuls/id/415294#systems] US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISSC vulnerability advisory 236929 for other vendor fixes. If a fix is not available, this problem can be worked around by using a secure protocol such as [http://rfc.net/rfc2411.html] IPsec, or by filtering incoming connections to services such as BGP which rely on persistent TCP connections at the firewall, such that only allowed addresses may reach them. Risk Factor: Medium/ CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVE: CVE-2004-0230 BID: 10183

3. what firewall setting will be good to avoid this issue??
fyi, i am running Centos6 with Plesk panel
Linux DistributionsSoftware Firewalls

Avatar of undefined
Last Comment
ArneLovius

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
ArneLovius

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
ocpshehzad

ASKER
i dont have any access to hardware-firewall, i have Plesk 10, from where i can define firewall rules
ArneLovius

I think you are missing the point.

To meet PCI compliance, you MUST have an external firewall.

In a virtual environment, you might be able to argue the case that the firewall is also virtualised, but the firewall that you can configure in Plesk on Centos is only a packet filter, it does not do "stateful inspection".
I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck