Firewall settings for PCI Compliance

ocpshehzad
Dear Experts,

1. We are scanning to check PCI compliance of our server.

2. One of the reported vulnerabilities deals with the firewall. Below is the exact description of the issue:

Title: TCP reset using approximate sequence number
Impact: A remote attacker could cause a denial of service on systems which rely upon persistent TCP connections.
Resolution: To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-nonios.shtml] non-IOS operating systems. Refer to [http://www.kb.cert.org/vuls/id/415294#systems] US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISCC vulnerability advisory 236929 for other vendor fixes. If a fix is not available, this problem can be worked around by using a secure protocol such as [http://rfc.net/rfc2411.html] IPsec, or by filtering incoming connections to services such as BGP which rely on persistent TCP connections at the firewall, such that only allowed addresses may reach them.
Risk Factor: Medium / CVSS2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE: CVE-2004-0230
BID: 10183

3. What firewall setting would be good to avoid this issue?
FYI, I am running CentOS 6 with the Plesk panel.
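To show why the finding speaks of an "approximate" sequence number, here is an added Python model (not from the question, the scanner or Plesk) of the check a TCP endpoint applies to an incoming RST: the original RFC 793 rule honours any RST inside the receive window, while the RFC 5961 rule, the host-side hardening later standardised for this class of bug, honours only an exact match and answers an in-window mismatch with a challenge ACK. The window size and sequence numbers used are constructed sample values.

```python
"""Model of RST validation at a TCP receiver (CVE-2004-0230 background).

RFC 793: a RST is accepted if its sequence number lies anywhere in the
receive window [RCV.NXT, RCV.NXT + RCV.WND).  With a 64 KiB window an
off-path sender only has to land inside that window, not hit one exact
value, which is what the scanner calls an "approximate sequence number".

RFC 5961 section 3: accept a RST only if SEG.SEQ == RCV.NXT; if it is
merely in-window, reply with a challenge ACK (a legitimate peer will
resend the RST with the exact number); otherwise drop it.
Sequence numbers wrap modulo 2**32, so the comparison must handle wrap.
"""

SEQ_MOD = 2 ** 32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seq is in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_action_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Original rule: any in-window RST tears the connection down."""
    return "reset" if in_window(seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Hardened rule: exact match resets, in-window mismatch is challenged."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def count_resets(validator, rcv_nxt: int, rcv_wnd: int, candidates) -> int:
    """How many candidate sequence numbers would reset the connection
    under `validator`.  Used to compare the two rules on the same window."""
    return sum(1 for seq in candidates
               if validator(seq % SEQ_MOD, rcv_nxt, rcv_wnd) == "reset")


if __name__ == "__main__":
    # Constructed sample state: RCV.NXT = 1000, 64 KiB - 1 receive window.
    rcv_nxt, rcv_wnd = 1000, 65535
    probe = range(0, 70000)  # sequence numbers around the window
    print("RFC 793 :", count_resets(rst_action_rfc793, rcv_nxt, rcv_wnd, probe))
    print("RFC 5961:", count_resets(rst_action_rfc5961, rcv_nxt, rcv_wnd, probe))
```

The firewall workaround in the finding (only allowed addresses may reach the persistent-TCP service) and IPsec both shrink who can even deliver a segment to that window; the endpoint fix shrinks the window of acceptable RST values to one.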
You have let us know the operating system, but not the firewall.

I can only presume that you are running the server directly connected to the Internet.

To meet the requirement
"Stateful inspection devices separating the Internet from the cardholder environment"
you need a firewall that is external to the server. The firewall on the server is not able to meet this requirement.

Author commented:
I don't have any access to a hardware firewall. I have Plesk 10, from where I can define firewall rules.
I think you are missing the point.

To meet PCI compliance, you MUST have an external firewall.

In a virtual environment, you might be able to argue the case that the firewall is also virtualised, but the firewall that you can configure in Plesk on CentOS is only a packet filter; it does not do "stateful inspection".
