PCI and WSUS

L0 Member

I need to create rules for a PCI firewall for a WSUS server. Microsoft does not publish IPs for their update points, so this is problematic on a PCI firewall (or it seems to me). I can either:

1) create a rule which allows the server out to "any" using port 80 and 443

2) use url filtering (I'm new to the box and it seems this opens the network to all traffic outbound for 80 and 443)

3) try to devise a rule which will allow the server to go out using only the "URLs" given by Microsoft

It's my understanding that you can't (aren't supposed to) open traffic inbound/outbound for PCI to "any", so solution 1 seems not doable. Has anyone been able to create/solve this so as to meet PCI rules, and if so how? (I'm using 5020s btw)

1 accepted solution

Accepted Solutions

L3 Networker

There is an application type "ms-update", so as long as DNS is trustworthy, you can use that application in a rule:

    Allow updates {
      from [ trusted ];
      to [ untrusted ];
      source [ any ];
      destination [ any ];      <--- you could set up internal WSUS servers
      service [ application-default ];
      application [ ms-update web-browsing ];   <--- it is dependent on web-browsing
      action allow;
      log-end yes;
      disabled no;
      option {
        disable-server-response-inspection no;
      }
      source-user [ any ];
      category [ any ];
      hip-profiles [ any ];
      log-start no;
      description "Access windows update";
      negate-source no;
      negate-destination no;
      tag [ ];
      log-setting ;
    }

Of course you'll need an outbound NAT as well.

Back to PCI, you should consider setting up an internal WSUS and use GPOs to point internal servers at it. Then you don't have to worry about PCI-scoped servers running off leash in the Internet.

Cheers,

Mike
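The same rule in PAN-OS set-command form, with the source narrowed to the WSUS server, the outbound NAT the post mentions, and a policy-match check, as an added example rather than anything from the original post. The zone names trusted/untrusted and the application list come from the post; the address object name wsus-server, the 10.0.0.10 and ethernet1/1 values and the 203.0.113.10 test destination are constructed assumptions. Lines beginning with # are annotations, not PAN-OS CLI, and should be stripped before pasting.

```text
# --- configure mode ---
configure

# Address object for the one PCI-scoped host that needs egress (constructed value).
set address wsus-server ip-netmask 10.0.0.10/32

# Security rule: same shape as the accepted answer, but source is the WSUS object
# rather than any, so the rule does not become general egress for the zone.
# ms-update depends on web-browsing, so both appear in the application list;
# service application-default keeps the ports to what App-ID expects instead
# of an open tcp/80 and tcp/443 to any.
set rulebase security rules "Allow updates" from trusted
set rulebase security rules "Allow updates" to untrusted
set rulebase security rules "Allow updates" source wsus-server
set rulebase security rules "Allow updates" destination any
set rulebase security rules "Allow updates" source-user any
set rulebase security rules "Allow updates" category any
set rulebase security rules "Allow updates" application [ ms-update web-browsing ]
set rulebase security rules "Allow updates" service application-default
set rulebase security rules "Allow updates" hip-profiles any
set rulebase security rules "Allow updates" action allow
set rulebase security rules "Allow updates" log-end yes
set rulebase security rules "Allow updates" description "Access windows update"

# Outbound NAT for the same host (interface name is an assumption).
set rulebase nat rules "Outbound NAT WSUS" from trusted
set rulebase nat rules "Outbound NAT WSUS" to untrusted
set rulebase nat rules "Outbound NAT WSUS" source wsus-server
set rulebase nat rules "Outbound NAT WSUS" destination any
set rulebase nat rules "Outbound NAT WSUS" service any
set rulebase nat rules "Outbound NAT WSUS" source-translation dynamic-ip-and-port interface-address interface ethernet1/1

commit
exit

# --- operational mode: confirm which rule a WSUS sync flow would hit ---
# (203.0.113.10 is a documentation-range placeholder, not a Microsoft address)
test security-policy-match from trusted to untrusted source 10.0.0.10 destination 203.0.113.10 protocol 6 destination-port 443 application ms-update
```

If the policy-match output names a different rule, or a host other than the WSUS server matches "Allow updates", the source or zone assignment is wider than intended; the Traffic log filtered on app eq ms-update is the quickest way to see what the rule is actually passing once it is live.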


I second the internal WSUS server. Much easier to work with Internally.

thank you very much msullivan, I had looked in the apps before but looked for things like "windows update" and "wsus"; never thought to look for just that. That did the trick and we are able to get out and troubleshoot the rest of the stream. Again thank you for your timely response!

Gerry

L3 Networker

You're welcome Gerry,

BTW, check out Application Research Center for lots of app-id goodness.

Cheers,

Mike
