[rhn-users] PCI Compliant Server Updates
J E
jef_umd at umd.umich.edu
Fri Nov 21 19:57:14 UTC 2008
I'm still trying to sort out how systems are supposed to do IP
authorizations over SSL with the way some of the standards are worded
(such as 1.3.5 requiring outbound traffic to only access IP addresses
within the DMZ.) As for using a proxy, I've heard some interpretation
that ANY system that touches the cardholder data environment then
falls under PCI scope, meaning that *it* wouldn't be able to access
the internet directly, either. PCI is a big mess, and while the
vagaries make it so that you aren't too restricted, it also leaves a
lot of holes for interpretation.

That being said, is a local satellite server in your budget? We've
decided to get one here locally for other reasons (my PCI systems are
still Solaris at the moment), but I see having a local Sat. system as
being one more plus in keeping traffic outside to a minimum.

jef

On Nov 21, 2008, at 7:05 AM, Andy Loughran wrote:
> Guys,
>
> I have a cluster of 3 servers: two are CentOS, and one is RHEL5 (the
> DB server). Due to PCI regulations the DB server cannot have any direct
> access to the internet (inbound, or outbound).
>
> Do you think the best practice would be to run a reverse-proxy from the
> firewall CentOS machine to the rhn update servers, then connect the DB
> to that, or does RHEL have a more sophisticated method? (As I doubt I'm
> the only person running a PCI compliant RHEL5 server.)
>
> Looking forward to responses.
>
> Regards,
>
> Andy
>