[c-nsp] no mop enabled and PCI implications
Jared Mauch
jared at puck.nether.net
Wed Jun 27 14:30:23 EDT 2007
On Wed, Jun 27, 2007 at 11:24:26AM -0700, Richard Stern wrote:
> It's not intuitively obvious, but during a PCI audit it was pointed out
> that the default mop enabled represents a potential threat vector.
>
> I had to specifically remediate this vulnerability by adding no mop
> enabled to all physical Ethernet interfaces in order to pass the audit.
>
> There were other similar vulnerabilities pointed out besides that one.
>
> Soapbox: It would be nice if engineering was sensitized to security
> (PCI) audit requirements and perhaps had a macro (set security PCI?)
> that would automatically add the proper settings to the config to pass
> audit requirements. If this were there then the word could be passed
> back to the audit community and they could then modify their checklists
> to just require that macro setting be in the config.
>
> That would make everybody's lives a lot easier - and provide for more
> uniform security in the deployments. A win win.
Some versions of IOS have 'sh run all' which includes the defaults.
I'd expect this to become more uniform over time.
Router#sh run ?
all Configuration with defaults
- Jared
--
Jared Mauch | pgp key available via finger from jared at puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
More information about the cisco-nsp
mailing list