Solved

PCI Compliance vs legacy services

Posted on 2014-12-17
5
27 Views
Last Modified: 2016-11-23
I administrate for a network that just this year started being required to meet PCI compliance. We signed up with a cloud-based security scanning service, which finds issues with a couple different servers, both boiling down to the machines being out of date. One is an Xserve running OS X Server (10.5 Leopard), the other is a Dell PowerEdge running Windows Server 2003. Both have all available updates/patches, both are no longer supported or updated by their manufacturer any more. Our firewall is a Checkpoint Safe@Office 500.

These machines run services that the company and clients use, I can't just turn off the relative port forwards on the firewall to satisfy reported compliance scan vulnerabilities. Budget constraints do not allow us to purchase updated servers/software, so I'm seeking alternate firewall configuration suggestions (if possible) for keeping these machines' available to LAN and WAN users, while satisfying issues identified in the compliance reports.
0
Comment
Question by:benjaminrobertson
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
5 Comments
 
LVL 5

Accepted Solution

by:
Sean Jackson earned 250 total points
ID: 40505278
IT needs to have a budget that can stay current. At least to buy a new server and license for the software.  If that falls outside of the budgetary constraints, I don't know how you can hope to stay PCI compliant, let alone secure.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40507215
Sean is correct.

We can certainly offer additional mitigating controls to help you be more secure but none of these will help you be more compliant against PCI.

At the end of the day, End of Life software/systems is going to be one of your biggest risks in terms of security and availability.
0
 
LVL 54

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 40510805
And by the way, there's no way of offering a service (=opening an port) and having it secure but to patch the software that the service belongs to. Using a firewall would offer to look at what IP is coming in (would need a whitelist of IPs/IP ranges) or, if IPsec is used, even what users are accessing the port - but that would require another user whitelist, certicate setup and so forth.

Even if you had that firewall setup optimally like mentioned, you would still be vulnerable because those users you permit could attack the services to extend their privileges. Again, only patching would mitigate this.
0

Featured Post

How to Defend Against the WCry Ransomware Attack

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question