Dan, I was just looking a little deeper into this and the PCI stuff shows non-firewalled WLANs in the CDE and firewalled LANs outside the CDE. I fully understand and appreciate where you are coming from and I personally do not have an issue either way. The more secure the better for me personally, and if it was me I think that's how I would deploy; the unfortunate scenario is that this is foisted upon others who sometimes do not care or try to do things on the cheap.
It's a scary world, and someone once said to me about security, "it's not are you paranoid but are you paranoid enough".
PCI is definitely something that requires input from all stakeholders and agreement with the test authority, particularly with defining for each business which is CDE and which is not CDE as it definitely is NOT one size fits all.
All in all a great healthy debate never hurt anyone.
Good points well made and I think the kicker is defining your CDE.
Yep, I love a good debate. Especially when it's with people who know their stuff. The only possible result is that everyone learns something.
I guess the part that is hanging me up is the statement:
[quote]As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or
needed for credit card transactions, should be blocked. This will result in reduced risk of attack
and will create a CDE that has less traffic and is thus easier to monitor.[/quote]
This is stated in the [url=https://www.pcisecuritystandards.org/documents/PCI_DSS_Wireless_Guidelines.pdf]PCI DSS Wireless Guideline Information Supplement[/url]. The way I have been interpreting that is that a firewall is required to filter all non-required traffic from travelling between the WLAN and CDE even if the WLAN is in scope.
Who knows, I could be interpreting it wrong though. Either way, thanks for the great debate.
No worries Dan, enjoy it. We may both be wrong or right? As you "clearly" stated, some of the documentation is at best ambiguous.
I look forward to more of the same.
Pete and Dan,
Thanks for the info and discussion. I definitely have a better grasp on PCI standards and I'll be having a word with our in-house PCI-compliance team :)