[c-nsp] no mop enabled and PCI implications

Richard Stern rstern at walmart.com
Wed Jun 27 14:24:26 EDT 2007


It's not intuitively obvious, but during a PCI audit it was pointed out
that the default mop enabled represents a potential threat vector.

I had to specifically remediate this vulnerability by adding no mop
enabled to all physical Ethernet interfaces in order to pass the audit.

There were other similar vulnerabilities pointed out besides that one.

Soapbox:  It would be nice if engineering was sensitized to security
(PCI) audit requirements and perhaps had a macro (set security PCI?)
that would automatically add the proper settings to the config to pass
audit requirements.  If this were there then the word could be passed
back to the audit community and they could then modify their checklists
to just require that macro setting be in the config.

That would make everybody's lives a lot easier - and provide for more
uniform security in the deployments. A win-win.

 

Richard
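
An added example, not part of the original post: one way to check a saved running-config for the remediation described above, listing physical Ethernet interfaces whose stanza lacks `no mop enabled`. The function names, the interface-name prefixes in the pattern and the sample config are assumptions constructed for illustration.

```python
import re

# Physical Ethernet-family headers. A ".<n>" subinterface suffix is rejected,
# since the post covers physical ports. The prefix list is an assumption.
PHYS_ETH = re.compile(r"^interface\s+((?:Fast|Gigabit|TenGigabit)?Ethernet[\d/]+)$")

def parse_stanzas(config_text):
    """Split running-config text into (header, [child lines]) pairs."""
    stanzas = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue                      # blank lines and "!" separators
        if line[0].isspace():
            if stanzas:                   # indented line belongs to last header
                stanzas[-1][1].append(line.strip())
        else:
            stanzas.append((line, []))
    return stanzas

def interfaces_missing_no_mop(config_text):
    """Return physical Ethernet interfaces lacking 'no mop enabled'."""
    missing = []
    for header, children in parse_stanzas(config_text):
        match = PHYS_ETH.match(header)
        if match and "no mop enabled" not in children:
            missing.append(match.group(1))
    return missing

# Constructed sample config (not from the post); documentation address ranges.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no mop enabled
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface FastEthernet0/1.100
 encapsulation dot1Q 100
!
interface GigabitEthernet0/2
 description uplink
!
"""

if __name__ == "__main__":
    for name in interfaces_missing_no_mop(SAMPLE_CONFIG):
        print(f"{name}: missing 'no mop enabled'")
```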

 

 


