PCI Compliance vs legacy services

I administrate for a network that just this year started being required to meet PCI compliance. We signed up with a cloud-based security scanning service, which finds issues with a couple different servers, both boiling down to the machines being out of date. One is an Xserve running OS X Server (10.5 Leopard), the other is a Dell PowerEdge running Windows Server 2003. Both have all available updates/patches, both are no longer supported or updated by their manufacturer any more. Our firewall is a Checkpoint Safe@Office 500.

These machines run services that the company and clients use, I can't just turn off the relative port forwards on the firewall to satisfy reported compliance scan vulnerabilities. Budget constraints do not allow us to purchase updated servers/software, so I'm seeking alternate firewall configuration suggestions (if possible) for keeping these machines' available to LAN and WAN users, while satisfying issues identified in the compliance reports.
benjaminrobertsonAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sean JacksonInformation Security AnalystCommented:
IT needs to have a budget that can stay current. At least to buy a new server and license for the software.  If that falls outside of the budgetary constraints, I don't know how you can hope to stay PCI compliant, let alone secure.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Schuyler DorseyCommented:
Sean is correct.

We can certainly offer additional mitigating controls to help you be more secure but none of these will help you be more compliant against PCI.

At the end of the day, End of Life software/systems is going to be one of your biggest risks in terms of security and availability.
0
McKnifeCommented:
And by the way, there's no way of offering a service (=opening an port) and having it secure but to patch the software that the service belongs to. Using a firewall would offer to look at what IP is coming in (would need a whitelist of IPs/IP ranges) or, if IPsec is used, even what users are accessing the port - but that would require another user whitelist, certicate setup and so forth.

Even if you had that firewall setup optimally like mentioned, you would still be vulnerable because those users you permit could attack the services to extend their privileges. Again, only patching would mitigate this.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Vulnerabilities

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.