Friday, September 28, 2018

Blocking/allowing HTTPS for PCI for URLs behind a CDN without decrypting?

Hi all,

I'm currently going through a PCI audit. The PCI audit requires all inbound/outbound from the network (considered the CDE) to be explicitly allowed, otherwise restricted.

The tricky part is, a lot of the forms we use to enter in CC info are hosted behind a CDN (Akamai). As we all know, CDNs can serve up different IPs.

Our firewall (an ASA) can only block by IP. ACLs can reference a FQDN, but at the end of the day the firewall sees the FQDN, does a DNS query, and inserts the IP into the ACL.

We have applications like Umbrella/OpenDNS that can block all DNS requests except those that are whitelisted. But that would require us to allow all HTTPS from the firewall's perspective. At that point, it would leave us susceptible to direct IP traffic (i.e. command and control phone-homes that bypass DNS).

The only solution I can think of is decryption and an appliance that says: only allow explicitly defined URLs via HTTPS, otherwise block (including direct IP requests).

Any suggestions?
