Solved

PCI Compliance vs legacy services

Posted on 2014-12-17
Last Modified: 2016-11-23
I administrate for a network that just this year started being required to meet PCI compliance. We signed up with a cloud-based security scanning service, which finds issues with a couple of different servers, both boiling down to the machines being out of date. One is an Xserve running OS X Server (10.5 Leopard), the other is a Dell PowerEdge running Windows Server 2003. Both have all available updates/patches; both are no longer supported or updated by their manufacturers. Our firewall is a Checkpoint Safe@Office 500.

These machines run services that the company and clients use; I can't just turn off the relative port forwards on the firewall to satisfy reported compliance scan vulnerabilities. Budget constraints do not allow us to purchase updated servers/software, so I'm seeking alternate firewall configuration suggestions (if possible) for keeping these machines available to LAN and WAN users, while satisfying issues identified in the compliance reports.
Question by:benjaminrobertson

Accepted Solution

by:Sean Jackson
Sean Jackson earned 250 total points
ID: 40505278
IT needs to have a budget that can stay current. At least to buy a new server and license for the software. If that falls outside of the budgetary constraints, I don't know how you can hope to stay PCI compliant, let alone secure.

Expert Comment

by:Schuyler Dorsey
ID: 40507215
Sean is correct.

We can certainly offer additional mitigating controls to help you be more secure but none of these will help you be more compliant against PCI.

At the end of the day, End of Life software/systems is going to be one of your biggest risks in terms of security and availability.

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 40510805
And by the way, there's no way of offering a service (=opening a port) and having it secure but to patch the software that the service belongs to. Using a firewall would offer to look at what IP is coming in (would need a whitelist of IPs/IP ranges) or, if IPsec is used, even what users are accessing the port - but that would require another user whitelist, certificate setup and so forth.

Even if you had that firewall setup optimally like mentioned, you would still be vulnerable because those users you permit could attack the services to extend their privileges. Again, only patching would mitigate this.