Solved

PCI Compliance vs legacy services

Posted on 2014-12-17
Last Modified: 2016-11-23
I administrate for a network that just this year started being required to meet PCI compliance. We signed up with a cloud-based security scanning service, which finds issues with a couple different servers, both boiling down to the machines being out of date. One is an Xserve running OS X Server (10.5 Leopard), the other is a Dell PowerEdge running Windows Server 2003. Both have all available updates/patches, both are no longer supported or updated by their manufacturer any more. Our firewall is a Checkpoint Safe@Office 500.

These machines run services that the company and clients use; I can't just turn off the relevant port forwards on the firewall to satisfy reported compliance scan vulnerabilities. Budget constraints do not allow us to purchase updated servers/software, so I'm seeking alternate firewall configuration suggestions (if possible) for keeping these machines available to LAN and WAN users, while satisfying issues identified in the compliance reports.
Question by:benjaminrobertson

Accepted Solution

by:
Sean Jackson earned 250 total points
ID: 40505278
IT needs to have a budget that can stay current, at least to buy a new server and license for the software. If that falls outside of the budgetary constraints, I don't know how you can hope to stay PCI compliant, let alone secure.

Expert Comment

by:Schuyler Dorsey
ID: 40507215
Sean is correct.

We can certainly offer additional mitigating controls to help you be more secure, but none of these will help you be more compliant against PCI.

At the end of the day, End of Life software/systems is going to be one of your biggest risks in terms of security and availability.

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 40510805
And by the way, there's no way of offering a service (=opening a port) and having it secure but to patch the software that the service belongs to. Using a firewall would offer to look at what IP is coming in (would need a whitelist of IPs/IP ranges) or, if IPsec is used, even what users are accessing the port - but that would require another user whitelist, certificate setup and so forth.

Even if you had that firewall setup optimally like mentioned, you would still be vulnerable because those users you permit could attack the services to extend their privileges. Again, only patching would mitigate this.