Firewalls
virtual firewalls -- compliance May 08 2008 07:37PM
Terry (td3201 gmail com) (10 replies)
Re: virtual firewalls -- compliance Jun 11 2008 12:40PM
styler (styler1974 gmail com) (1 replies)
RE: virtual firewalls -- compliance Jun 12 2008 03:29AM
Craig Wright (Craig Wright bdo com au)
Re: virtual firewalls -- compliance May 12 2008 07:37AM
Babu.N (babun intoto com)
Re: virtual firewalls -- compliance May 11 2008 01:35AM
David M. Zendzian (dmz dmzs com)
I've been thinking about this one for a while as I have both a hosting
service & do PCI work on an almost daily basis.

What I have come to conclude is that you will most likely want to put
your firewall devices (virtual or otherwise) on different physical
hardware from the other application servers you are running. You will
also want to be sure that the external firewall segments are plugged
into different switches from your internal segments (different physical
devices are better than VLANs).

Now you can set it up having your firewalls as just another virtual
machine, but life will be easier if you can show separation of duties and
"one primary use" (yes, vmware/xen/etc will all have multiple servers
together, and it depends on the assessor validating your environment,
but I personally feel that firewall and networking devices are
definitely different functions than application/web/db/mail/... servers),
and as such I recommend that firewall devices be on different physical
devices from your other application servers.

I would also like to point out that within the virtual host server, you
will find that network & server requirements are mixed
together, as you are most likely bringing multiple VLANs into the host
server and then allocating access to each VLAN (bridges under xen, etc)
to each virtual server. As such, you now have network & server
characteristics combined into a single device.

This will make it more difficult to show that each component is properly
configured, maintained & monitored. You will need to be sure to have all
of your documentation in order and use as many tools as possible to
standardize how each function is maintained and securely monitored.

Also, will the virtual host machine be maintained by the same core team
as the firewall / database / web / mail / etc services?

You mentioned that PCI doesn't specifically mention virtual firewalls;
that is true, but it does specify firewall/router/server configuration
standards, policies, change management, security monitoring and a host
of other requirements that will need to be met even if you have only one
customer needing to have compliant services.

Good luck
David M. Zendzian
Managing Partner
ZZ Servers, LLC: http://www.zzservers.com

PS you may want to consider other platforms if you are reselling
virtualization ;)

Terry wrote:
> Hello all,
>
> I am throwing around the idea of using Linux firewalls in VMware for
> customer environments. The customers may or may not have
> HIPAA/PCI/SOX/etc requirements. This is in the planning stages. Do any
> of you have experience heading down this route? PCI DSS doesn't
> explicitly state problems with virtual firewalls; it seems to focus on
> the logic of the rules.
>
> Thanks!

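The two separation rules David recommends above (firewall VMs on their own physical hosts, and the external firewall segment on a different physical switch from the internal segments) can be checked against a VM inventory before an assessor asks. The script below is an added illustration, not code from the thread or from ZZ Servers; the inventory format, the `Vm` record and the sample hosts and switch names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vm:
    """One guest in a constructed inventory (hypothetical schema)."""
    name: str
    role: str          # "firewall", "web", "db", "mail", ...
    host: str          # physical virtualization host the guest runs on
    # segment name -> physical switch that segment is plugged into
    segments: dict = field(default_factory=dict)


def check_inventory(vms):
    """Return findings for the two separation rules; an empty list passes."""
    findings = []
    by_host = {}
    for vm in vms:
        by_host.setdefault(vm.host, []).append(vm)
    # Rule 1: a firewall guest must not share hardware with application guests.
    for host, members in by_host.items():
        roles = {vm.role for vm in members}
        if "firewall" in roles and roles - {"firewall"}:
            others = sorted(vm.name for vm in members if vm.role != "firewall")
            findings.append(f"{host}: firewall VM shares hardware with {', '.join(others)}")
    # Rule 2: the external segment must sit on a different physical switch
    # from every internal segment (a separate VLAN on the same switch fails).
    for vm in vms:
        if vm.role != "firewall":
            continue
        ext = vm.segments.get("external")
        for seg, switch in vm.segments.items():
            if ext is not None and seg != "external" and switch == ext:
                findings.append(f"{vm.name}: external and {seg} segments share switch {ext}")
    return findings


# Constructed sample inventory: one compliant edge firewall and one
# customer firewall that breaks both rules.
SAMPLE = [
    Vm("fw-edge-1", "firewall", "esx-fw-1", {"external": "sw-edge-1", "internal": "sw-core-1"}),
    Vm("fw-cust-2", "firewall", "esx-app-1", {"external": "sw-core-1", "internal": "sw-core-1"}),
    Vm("web-1", "web", "esx-app-1", {"internal": "sw-core-1"}),
    Vm("db-1", "db", "esx-app-1", {"internal": "sw-core-1"}),
]

if __name__ == "__main__":
    for finding in check_inventory(SAMPLE) or ["no findings"]:
        print(finding)
```

Running it against the sample reports the shared host and the shared switch for `fw-cust-2` and nothing for `fw-edge-1`.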
Re: virtual firewalls -- compliance May 10 2008 11:18PM
Erik Harrison (eharrison gmail com) (1 replies)
Re: virtual firewalls -- compliance May 13 2008 05:25AM
Chris Brenton (cbrenton chrisbrenton org)
Re: virtual firewalls -- compliance May 10 2008 02:08PM
Ron Brown (brownr mmc org)
Re: virtual firewalls -- compliance May 10 2008 02:02PM
Chris Clymer (chris chrisclymer com)
Re: virtual firewalls -- compliance May 10 2008 12:00AM
Joseph Jenkins (maillist breathe-underwater com)
RE: virtual firewalls -- compliance May 09 2008 11:51PM
Craig Wright (Craig Wright bdo com au) (1 replies)
RE: virtual firewalls -- compliance May 12 2008 04:53PM
Dan Lynch (DLynch placer ca gov) (1 replies)
RE: virtual firewalls -- compliance May 12 2008 09:24PM
Craig Wright (Craig Wright bdo com au) (1 replies)
Re: virtual firewalls -- compliance May 20 2008 01:23PM
David M. Zendzian (dmz dmzs com) (1 replies)
Re: virtual firewalls -- compliance May 20 2008 10:19PM
David M. Zendzian (dmz dmzs com)
RE: virtual firewalls -- compliance May 09 2008 11:34PM
Srinivasa Addepalli (srao intoto com)
Re: virtual firewalls -- compliance May 09 2008 11:30PM
Jeremiah Cornelius (jeremiah nur net)
Copyright 2008, SecurityFocus