topic PCI and WSUS in General Topics

PCI and WSUS

Gerry_RH — Tue, 02 Oct 2012 13:50:49 GMT

I need to create rules for a PCI firewall for a WSUS server. Microsoft does not publish IP's for their update points so this is problematic on a PCI firewall (or it seems to me). I can either:

1) create a rule which allows the server out to "any" using port 80 and 443

2) use url filtering (I'm new to the box and it seems this opens the network to all traffic outbound for 80 and 443)

3) try to devise a rule which will allow the server to go out using only the "url's" given by Microsoft

It's my understanding that you can't (aren't supposed to open traffic inbound/outbound for PCI for "any" so solution 1 seems not doable. Has anyone been able to create/solve this so as to meet PCI rules and if so how? (I'm using 5020's btw)

Re: PCI and WSUS

msullivan — Tue, 02 Oct 2012 15:35:38 GMT

There is an application type "ms-update", so as long as DNS is trustworthy, you can use that application in a rule:

Allow updates {

from [ trusted];

to [untrusted];

source [ any ];

destination [ any]; <--- you could setup internal wsus servers

service [ application-default ];

application [ ms-update web-browsing ]; <--- it is dependant on web-browsing

action allow;

log-end yes;

disabled no;

option {

disable-server-response-inspection no;

}

source-user [ any ];

category [ any ];

hip-profiles [ any ];

log-start no;

description Access windows update;

negate-source no;

negate-destination no;

tag [ ];

log-setting ;

}

Of course you'll need an outbound nat as well.

Back to PCI, you should consider setting up internal WSUS and use GPOs to point internal servers at it. Then you don't have to worry about PCI scoped servers running off leash in the Internet.

Cheers,

Mike

Re: PCI and WSUS

mharding — Tue, 02 Oct 2012 16:33:01 GMT

I second the internal WSUS server. Much easier to work with Internally.

Re: PCI and WSUS

Gerry_RH — Tue, 02 Oct 2012 20:34:32 GMT

thank you very much msullivan, I had looked in the apps before but looked for things like "windows update" and "wsus;" never thought to look for just that. That did the trick and we are able to get out and trouble shoot the rest of the stream. Again thank you for your timely response!

Gerry

Re: PCI and WSUS

msullivan — Tue, 02 Oct 2012 20:44:49 GMT

Your welcome Gerry,

BTW, check out Application Research Center for lots of app-id goodness.

Cheers,

Mike