The following is a guest post by JD Smith. JD is a Sr. Consultant inside the PCI practice at VeriSign.
PCI DSS 1.2 has several sections that require a security application to be used to satisfy a requirement. Some of these areas are file integrity monitoring, firewalls, encryption, wireless scanners, intrusion detection/intrusion prevention and anti-virus.
All of these areas have several tools available to address the specific requirement. However, what if a merchant needs to keep the budget to a bare minimum? What if there is absolutely no way a merchant is able to purchase several of these solutions straight off the shelf and pay the licensing associated with them without severely impacting the business?
Open-source solutions exist for practically every requirement identified in the DSS. What is open-source? Generally speaking, open-source is considered to be a solution for something is maintained by a community and is typically royalty free.
For instance when it comes to intrusion detection systems, there are open-source tools such as Snort that has matured over time and is known as the gold-standard for IDS. Many front-end analysis tools exist that use the Snort engine (e.g. Squil and BASE).
For merchants that must secure their wireless environments, open-source wireless scanning tools such as NetStumbler, Airsnort, and Kismet have been in the security toolbox of pen-testers for quite a while now.
Merchants who are struggling to find a powerful firewall solution while staying true to open-source should take a look at NetFilter. It runs on a Linux operating system and is able to handle as much traffic as most other expensive solutions.
Another major component of PCI DSS 1.2 is encryption. For solutions around SSL, OpenSSL is the premiere SSL/TLS encryption library. Also, OpenVPN is an open-source VPN solution which is useful for site-to-site VPN creation without having to spend a lot of money on a Cisco or Juniper solution.
Included in encryption would be TrueCrypt for file, folder and disk encryption solutions. It’s open source, very flexible and provides extremely robust encryption options for a merchant.
Among other useful tools that a merchant’s network security team should use to test the strength of their network is Zenmap for port and host scanning, and Firewalk for checking ACL configurations. Password crackers are useful for the security team to verify that passwords are configured properly. Some useful password tools are Aircrack (for wireless scanning), John the Ripper, and Cain and Abel. A favorite network service password tester of mine is Brutus which tests services such as FTP, Telnet, IMAP, POP3 and others that are sometimes available on a network.
It’s important to keep in mind if a merchant chooses to stick to an open-source approach to assist with PCI compliance, the majority of the open-source security tools available only run in a Linux and/or UNIX environment. Therefore, network security staff or consultants need to have familiarity with this kind of environment.
Lastly, all of these tools and many others are discussed conveniently in one place: http://sectools.org/.
Possibly Related Posts:
- Selective Domain Filtering with Postfix and a SPAM Filtering Service
- PCI DSS 4.0 Released plus BOOK DETAILS!
- Preventing Account Takeover, Enable MFA!
- Proofpoint Patches URL Sandbox Bypass Bug
- Improve Outbound Email with SPF, DKIM, and DMARC