Specifically what I am taking issue with is the clarification around network segmentation. The title of the slide is:
"What are acceptable forms of Network Segmentation?"
Then the slide describes Cisco access control lists.
Right.
Think I'm nuts? The slide goes on further to give the following example:
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
etc...
Another interesting sub-bullet is "Confirm audit logging is in place for all access to segmented network," suggesting not only that there are cases in which you would be relying exclusively on ACLs, but that you may create specific ACLs allowing access to the "protected" network from the unprotected interface.
Translated:
"Cisco ACLs are effective protection for the cardholder environment, and if you need to make exceptions to your already bad security practice by allowing administrative traffic in from the outside, then go ahead."
Is it any wonder that compliance numbers grow every year, and so does the number of compromises?
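As an added illustration (not from the slide or from the original post), here is a small Python audit that parses numbered extended ACL lines of the form shown above and flags the two things the post objects to: permit entries that let any source into the protected segment, and entries that carry no log keyword. The sample ACL text, the 192.168.50.0/24 "protected" range and the SSH exception entry are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample: the slide's two deny lines plus a hypothetical exception entry.
SAMPLE_ACL = """
access-list 100 deny ip 10.0.0.0 0.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit tcp any 192.168.50.0 0.0.0.255 eq 22
access-list 100 deny ip any any log
"""

# access-list <num> <permit|deny> <proto> <src> <dst> [ports] [log]
ACE_RE = re.compile(
    r"^access-list\s+\d+\s+(?P<action>permit|deny)\s+\S+\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+(?P<dst>any|host\s+\S+|\S+\s+\S+)(?P<rest>.*)$"
)

def wildcard_to_network(spec):
    """'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' (Cisco wildcard) -> ip_network."""
    if spec == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if spec.startswith("host"):
        return ipaddress.ip_network(spec.split()[1] + "/32")
    addr, wildcard = spec.split()
    # A Cisco wildcard mask is the bitwise inverse of a subnet mask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse_acl(text):
    """One dict per entry, in the order the device evaluates them."""
    entries = []
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            entries.append({"action": m["action"],
                            "src": wildcard_to_network(m["src"]),
                            "dst": wildcard_to_network(m["dst"]),
                            "log": "log" in m["rest"].split()})
    return entries

def audit(entries, protected_cidr):
    """Flag permits that open the protected segment to any source, and unlogged entries."""
    protected = ipaddress.ip_network(protected_cidr)
    findings = []
    for i, e in enumerate(entries):
        if e["action"] == "permit" and e["src"].prefixlen == 0 and e["dst"].overlaps(protected):
            findings.append((i, "PERMIT_FROM_UNTRUSTED"))
        if not e["log"]:
            findings.append((i, "NO_LOG"))
    return findings
```

Run against the sample, entry 2 (the SSH exception) is reported twice: it admits any source into the protected range and it is not logged, which is exactly the configuration the slide's wording leaves room for.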