Solved

PCI Compliance vs legacy services

Posted on 2014-12-17
5
22 Views
Last Modified: 2016-11-23
I administrate for a network that just this year started being required to meet PCI compliance. We signed up with a cloud-based security scanning service, which finds issues with a couple different servers, both boiling down to the machines being out of date. One is an Xserve running OS X Server (10.5 Leopard), the other is a Dell PowerEdge running Windows Server 2003. Both have all available updates/patches, both are no longer supported or updated by their manufacturer any more. Our firewall is a Checkpoint Safe@Office 500.

These machines run services that the company and clients use, I can't just turn off the relative port forwards on the firewall to satisfy reported compliance scan vulnerabilities. Budget constraints do not allow us to purchase updated servers/software, so I'm seeking alternate firewall configuration suggestions (if possible) for keeping these machines' available to LAN and WAN users, while satisfying issues identified in the compliance reports.
0
Comment
Question by:benjaminrobertson
5 Comments
 
LVL 5

Accepted Solution

by:
Sean Jackson earned 250 total points
ID: 40505278
IT needs to have a budget that can stay current. At least to buy a new server and license for the software.  If that falls outside of the budgetary constraints, I don't know how you can hope to stay PCI compliant, let alone secure.
0
 
LVL 10

Expert Comment

by:Schuyler Dorsey
ID: 40507215
Sean is correct.

We can certainly offer additional mitigating controls to help you be more secure but none of these will help you be more compliant against PCI.

At the end of the day, End of Life software/systems is going to be one of your biggest risks in terms of security and availability.
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 250 total points
ID: 40510805
And by the way, there's no way of offering a service (=opening an port) and having it secure but to patch the software that the service belongs to. Using a firewall would offer to look at what IP is coming in (would need a whitelist of IPs/IP ranges) or, if IPsec is used, even what users are accessing the port - but that would require another user whitelist, certicate setup and so forth.

Even if you had that firewall setup optimally like mentioned, you would still be vulnerable because those users you permit could attack the services to extend their privileges. Again, only patching would mitigate this.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
This tutorial gives a high-level tour of the interface of Marketo (a marketing automation tool to help businesses track and engage prospective customers and drive them to purchase). You will see the main areas including Marketing Activities, Design …
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now