LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

06-04-2011, 05:58 AM   #1
anaconda
LQ Newbie
Registered: Jun 2011
Posts: 2

Debian Linux firewall pci dss


Following are security policies for PCI DSS -

FTP services are not allowed from External zone to PCI zone.
TFTP services are not allowed from External zone to PCI zone.
DNS services are not allowed from External zone to PCI zone.
Mail services are not allowed from External zone to PCI zone.
HTTP services are not allowed from DMZ zone to PCI zone.
FTP services are not allowed from DMZ zone to PCI zone.
TFTP services are not allowed from DMZ zone to PCI zone.
Mail services are not allowed from DMZ zone to PCI zone.
Netbios services are not allowed from External zone to PCI zone.
Microsoft RPC services are not allowed from External zone to PCI zone.
Microsoft directory services are not allowed from External zone to PCI zone.
Netbios services are not allowed from DMZ zone to PCI zone.
Microsoft RPC services are not allowed from DMZ zone to PCI zone.
Microsoft directory services are not allowed from DMZ zone to PCI zone.
Netbios services are not allowed from PCI zone to External zone.
Microsoft RPC services are not allowed from PCI zone to External zone.
Microsoft directory services are not allowed from PCI zone to External zone.
Netbios services are not allowed from PCI zone to DMZ zone.
Microsoft RPC services are not allowed from PCI zone to DMZ zone.
Microsoft directory services are not allowed from PCI zone to DMZ zone.
Traceroute is not allowed to enter the PCI zone from the External zone.
Traceroute is not allowed to enter the PCI zone from DMZ zone.
Packets with TCP/UDP high ports are not allowed to enter the PCI zone from DMZ zone.
NFS services are not allowed from External zone to PCI zone.
X11 services are not allowed from External zone to PCI zone.
Telnet services are not allowed from External zone to PCI zone.
MSSQL services are not allowed from External zone to PCI zone.
R services are not allowed from External zone to PCI zone.
Finger service is not allowed from External zone to PCI zone.
NFS services are not allowed from DMZ zone to PCI zone.
X11 services are not allowed from DMZ zone to PCI zone.
P2P file-sharing services are not allowed from DMZ zone to PCI zone.
Instant message services are not allowed from DMZ zone to PCI zone.
Telnet services are not allowed from DMZ zone to PCI zone.
MSSQL services are not allowed from DMZ zone to PCI zone.
R services are not allowed from DMZ zone to PCI zone.
Finger service is not allowed from DMZ zone to PCI zone.
FTP services are not allowed from PCI zone to External zone.
TFTP services are not allowed from PCI zone to External zone.
Telnet services are not allowed from PCI zone to External zone.
Instant message services are not allowed from PCI zone to External zone.
R services are not allowed from PCI zone to External zone.
NFS services are not allowed from PCI zone to External zone.
X11 services are not allowed from PCI zone to External zone.
Database services are not allowed from DMZ zone to PCI zone.

How can some of these be implemented in Debian Linux?
 
06-04-2011, 06:33 AM   #2
Noway2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
PCI-DSS is a complex and comprehensive subject and your question only covers a small part of it. Your above list is predominantly a list of services with known port numbers which, as the list says, should remain blocked at least between network zones. This can be accomplished using the built-in Linux firewall, iptables. As a general policy one should not open ports unless the services are required, and as a backup use a firewall to ensure that they don't get opened inadvertently. To answer your direct question, as to whether or not they can be implemented in Debian, the answer is yes. If you have a network set up with zones, like a PCI zone, a DMZ, and a public-facing zone, with switches and routers, you should also consider partitioning into VLANs and writing access control rules to only allow designated traffic from one zone/VLAN to another.
 
06-04-2011, 06:57 AM   #3
anaconda
LQ Newbie
Registered: Jun 2011
Posts: 2
Original Poster
sample configuration

Respected sir,

Is it possible to give a sample configuration for some of the services in Debian Linux? Especially, how would you do it for the Netbios service, Microsoft RPC service, mail service and Microsoft directory service? The others can be configured using standard rules, like filtering P2P network traffic with ipp2p. Is anything else required?

Thanking you,
Suhas Aggarwal
 
06-04-2011, 07:46 AM   #4
Noway2
Senior Member
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125
Here is a link to an excellent tutorial on iptables: http://bodhizazen.net/Tutorials/iptables. It will show you examples of how to perform this function. The gist of it is to keep your ports blocked by default and then write white-list rules to allow only the desired traffic. You can fine-tune the rules to allow connections only from a specific host or subnet too.

To give you another example, here is part of my firewall rule set (note, I am not certifying for PCI-DSS):
Code:
-A INPUT -p tcp -m multiport --dports 25,465 -j fail2ban-postfix
-A INPUT -j blacklist
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -j DROP
As you can see, the final rule is DROP. If the traffic does not match one of the above rule patterns, it gets dumped. Therefore, things like Microsoft RPC services get blocked. You can also filter ICMP traffic to remove or restrict activity like PING or other error messaging. For example, I allow PING:
Code:
-A INPUT -s <my CIDR Range> -p icmp -m icmp --icmp-type 8 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
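As an added example (not code from the thread, nor from either poster), here is a Python script that takes the "not allowed" policy sentences from the first post, generates the default-deny, white-list style iptables-restore ruleset that the replies recommend for a Debian box routing between the three zones, and then checks the allow-list against the policy so that a forbidden flow cannot slip into the exceptions. The zone-to-interface mapping, the service-to-port table, the allowed flows and the deliberately bad entry are all assumptions constructed for the demo.

```python
import re

# Assumed zone -> interface mapping for a three-NIC Debian router (not from the thread).
ZONES = {"External": "eth0", "DMZ": "eth1", "PCI": "eth2"}

# Assumed service -> {(proto, port)} table for the service names in the policy list.
# Names with no fixed port (Traceroute, high ports, P2P, Instant message) are left out
# on purpose: they need ICMP/TTL or payload controls, and the check reports them as such.
SERVICES = {
    "FTP": {("tcp", 21)}, "TFTP": {("udp", 69)}, "DNS": {("tcp", 53), ("udp", 53)},
    "Mail": {("tcp", 25), ("tcp", 110), ("tcp", 143), ("tcp", 465), ("tcp", 587)},
    "HTTP": {("tcp", 80)}, "Telnet": {("tcp", 23)}, "Finger": {("tcp", 79)},
    "Netbios": {("udp", 137), ("udp", 138), ("tcp", 139)},
    "Microsoft RPC": {("tcp", 135), ("udp", 135)},
    "Microsoft directory": {("tcp", 445), ("udp", 445)},  # MS-DS, assumed
    "NFS": {("tcp", 111), ("udp", 111), ("tcp", 2049), ("udp", 2049)},
    "X11": {("tcp", p) for p in range(6000, 6010)},
    "MSSQL": {("tcp", 1433), ("udp", 1434)}, "R": {("tcp", 512), ("tcp", 513), ("tcp", 514)},
    "Database": {("tcp", 1433), ("tcp", 1521), ("tcp", 3306), ("tcp", 5432)},
}

# Two sentence shapes appear in the post: "X services are not allowed from A zone to B zone."
# and "X is not allowed to enter the B zone from (the) A zone."
_POLICY = re.compile(
    r"^(?P<svc>.+?) services? (?:are|is) not allowed from (?:the )?(?P<src>\w+) zone"
    r" to (?:the )?(?P<dst>\w+) zone\.?$"
    r"|^(?P<svc2>.+?) (?:are|is) not allowed to enter the (?P<dst2>\w+) zone"
    r" from (?:the )?(?P<src2>\w+) zone\.?$"
)

def parse_policy(line):
    """Return (service, src_zone, dst_zone) for one policy sentence."""
    m = _POLICY.match(line.strip())
    if not m:
        raise ValueError("unrecognised policy line: " + line)
    if m.group("svc") is not None:
        return m.group("svc"), m.group("src"), m.group("dst")
    return m.group("svc2"), m.group("src2"), m.group("dst2")

def check_flows(flows, policy_lines):
    """Compare an allow-list of (src_zone, dst_zone, proto, port) with the deny policy.
    Returns (violations, unmapped): flows the policy forbids, paired with the sentence
    they break, and sentences whose service has no port mapping (needs another control)."""
    violations, unmapped = [], []
    for line in policy_lines:
        svc, src, dst = parse_policy(line)
        ports = SERVICES.get(svc)
        if ports is None:
            unmapped.append(line)
            continue
        for flow in flows:
            if flow[0] == src and flow[1] == dst and (flow[2], flow[3]) in ports:
                violations.append((flow, line))
    return violations, unmapped

def build_ruleset(flows):
    """Emit an iptables-restore *filter table: default DROP on INPUT and FORWARD, stateful
    return traffic, one NEW-connection ACCEPT per allowed flow, then a rate-limited LOG
    so dropped cross-zone attempts leave evidence in syslog."""
    lines = [
        "*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
        "-A FORWARD -m conntrack --ctstate INVALID -j DROP",
        "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT",
    ]
    for src, dst, proto, port in flows:
        lines.append(f"-A FORWARD -i {ZONES[src]} -o {ZONES[dst]} -p {proto} --dport {port}"
                     f" -m conntrack --ctstate NEW -j ACCEPT")
    lines.append('-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "')
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"

# Policy sentences copied from the first post (a subset, enough for the demo).
POLICY = [
    "FTP services are not allowed from External zone to PCI zone.",
    "HTTP services are not allowed from DMZ zone to PCI zone.",
    "Microsoft directory services are not allowed from DMZ zone to PCI zone.",
    "Database services are not allowed from DMZ zone to PCI zone.",
    "Traceroute is not allowed to enter the PCI zone from the External zone.",
    "Packets with TCP/UDP high ports are not allowed to enter the PCI zone from DMZ zone.",
]

# Assumed allow-list: HTTPS into the DMZ, the DMZ app reaching an assumed HTTPS API in the
# PCI zone (the policy's "HTTP" maps to port 80 above), and the PCI zone calling a payment
# gateway over HTTPS. Everything else is dropped by the FORWARD policy.
ALLOWED = [("External", "DMZ", "tcp", 443), ("DMZ", "PCI", "tcp", 443),
           ("PCI", "External", "tcp", 443)]

# Constructed bad entry: a database port opened from the DMZ into the PCI zone.
BAD = ("DMZ", "PCI", "tcp", 5432)

if __name__ == "__main__":
    violations, unmapped = check_flows(ALLOWED + [BAD], POLICY)
    for flow, line in violations:
        print("VIOLATION:", flow, "breaks:", line)
    for line in unmapped:
        print("NEEDS NON-PORT CONTROL:", line)
    print(build_ruleset(ALLOWED), end="")
```

Run it and it reports the constructed 5432 entry as a violation of the "Database services" sentence, lists the Traceroute and high-port sentences as needing something other than a port rule, and prints the ruleset for `ALLOWED`. Because the generated table sets INPUT to DROP as well, the host's own management access (SSH, as in the rule set above) has to be added before loading the output with `iptables-restore`, and the output should be reviewed rather than applied blindly.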
 
06-04-2011, 10:40 AM   #5
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870
+1 from me on the implied suggestion to abstain from writing rules for each of the listed requirements, and simply block everything while adding exceptions as needed instead.
 
  





