ocpshehzad

asked on

Firewall settings for PCI Compliance

Dear Experts,

1. We are scanning our server to check its PCI compliance.

2. One of the reported vulnerabilities deals with the firewall. Below is the exact description of the issue:

Title: TCP reset using approximate sequence number
Impact: A remote attacker could cause a denial of service on systems which rely upon persistent TCP connections.
Resolution: To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml] non-IOS operating systems. Refer to [http://www.kb.cert.org/vuls/id/415294#systems] US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISCC vulnerability advisory 236929 for other vendor fixes. If a fix is not available, this problem can be worked around by using a secure protocol such as [http://rfc.net/rfc2411.html] IPsec, or by filtering incoming connections to services such as BGP which rely on persistent TCP connections at the firewall, such that only allowed addresses may reach them.
Risk Factor: Medium / CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE: CVE-2004-0230
BID: 10183

3. What firewall setting would be good to avoid this issue?
FYI, I am running CentOS 6 with the Plesk panel.
ASKER CERTIFIED SOLUTION
ArneLovius
ocpshehzad

ASKER

I don't have any access to a hardware firewall; I have Plesk 10, from where I can define firewall rules.
I think you are missing the point.

To meet PCI compliance, you MUST have an external firewall.

In a virtual environment, you might be able to argue the case that the firewall is also virtualised, but the firewall that you can configure in Plesk on CentOS is only a packet filter; it does not do "stateful inspection".
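For readers who land here with the same scan finding: the workaround the scanner text itself quotes (filter the service that depends on persistent TCP connections so only allowed addresses can reach it) can be expressed as iptables rules on a CentOS 6 host. The script below is an added example for this thread, not code from either poster, from Plesk or from Cisco. Port 179 (BGP, the service the advisory names) and the peer addresses are illustrative assumptions; the script prints the rules so they can be reviewed before anything is applied. Two caveats a practitioner should keep in mind: source filtering only stops an attacker who cannot spoof a peer's address, so it belongs alongside ingress anti-spoofing at the network edge, and it does not remove the in-window RST weakness itself.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or Plesk's code): emit
# iptables rules that implement the workaround quoted in the scan finding
# for CVE-2004-0230 -- only allowed peer addresses may reach a service
# that relies on persistent TCP connections.
#
# Assumptions (not from the page): port 179 (BGP, the service the advisory
# names) and the peer addresses in the demo are illustrative; 192.0.2.0/24
# and 198.51.100.0/24 are RFC 5737 documentation ranges.
#
# The rules are printed, not applied, so they can be reviewed first.

# gen_rules PORT PEER [PEER...]
# Prints iptables commands for the INPUT chain, in the order they must be
# appended. Fails if no peer is given, because a peer-less rule set would
# simply black-hole the service (an outage, not a mitigation).
gen_rules() {
  port=$1
  shift
  if [ $# -lt 1 ]; then
    echo "gen_rules: at least one allowed peer address is required" >&2
    return 1
  fi
  case $port in
    ''|*[!0-9]*) echo "gen_rules: port must be numeric" >&2; return 1 ;;
  esac

  # Connection tracking marks segments that fall outside the tracked
  # window INVALID (with net.netfilter.nf_conntrack_tcp_be_liberal=0, the
  # default). Dropping them discards RSTs whose guessed sequence number
  # misses the window; a RST that lands inside the window still passes,
  # so this does not remove the weakness itself.
  echo "iptables -A INPUT -m state --state INVALID -j DROP"

  # Only the listed peers may reach the service port ...
  for peer in "$@"; do
    echo "iptables -A INPUT -p tcp --dport $port -s $peer -j ACCEPT"
  done

  # ... everyone else is dropped. Source filtering only helps against an
  # attacker who cannot spoof a peer's address, so pair it with ingress
  # anti-spoofing at the network edge.
  echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

# Demo: BGP to two hypothetical peers. Review the output, then apply it
# by piping it into 'sh' and persist it on CentOS 6 with
# 'service iptables save'.
gen_rules 179 192.0.2.10 198.51.100.7
```

Rule order matters because the commands are appended: the INVALID drop must come before the per-peer accepts, and the final drop for the port must come last, otherwise a later accept never matches. If the host has other rules in INPUT, insert these ahead of any broad accept for the same port rather than appending blindly.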