[c-nsp] no mop enabled and PCI implications

Jared Mauch jared at puck.nether.net
Wed Jun 27 14:30:23 EDT 2007


On Wed, Jun 27, 2007 at 11:24:26AM -0700, Richard Stern wrote:
> It's not intuitively obvious, but during a PCI audit it was pointed out
> that the default mop enabled represents a potential threat vector.
> 
> I had to specifically remediate this vulnerability by adding no mop
> enabled to all physical Ethernet interfaces in order to pass the audit.
> 
> There were other similar vulnerabilities pointed out besides that one.
> 
> Soapbox:  It would be nice if engineering was sensitized to security
> (PCI) audit requirements and perhaps had a macro (set security PCI?)
> that would automatically add the proper settings to the config to pass
> audit requirements.  If this were there then the word could be passed
> back to the audit community and they could then modify their checklists
> to just require that macro setting be in the config.
> 
> That would make everybody's lives a lot easier - and provide for more
> uniform security in the deployments. A win-win.

	Some versions of IOS have 'sh run all' which includes the defaults.

	I'd expect this to become more uniform over time.

Router#sh run ?
  all        Configuration with defaults

	- Jared


-- 
Jared Mauch  | pgp key available via finger from jared at puck.nether.net
clue++;      | http://puck.nether.net/~jared/  My statements are only mine.
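A small audit script, added here as an example and not part of the original thread, that does what the auditor in the quoted message did by hand: it walks the interface stanzas of an IOS config (plain `sh run` or `sh run all`) and lists physical Ethernet interfaces that are still running with the MOP-enabled default, i.e. lack `no mop enabled`. The sample config, the interface-name pattern and the function names are constructed assumptions for the example.

```python
import re

# Constructed sample of 'show run all' output (not a real device capture).
# With 'all', IOS prints defaults, so a port left at the default shows
# 'mop enabled' while a remediated port shows 'no mop enabled'.
SAMPLE_SHOW_RUN_ALL = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 mop enabled
!
interface GigabitEthernet0/1
 ip address 192.0.2.129 255.255.255.128
 no mop enabled
!
interface Loopback0
 ip address 198.51.100.1 255.255.255.255
!
"""

# Physical Ethernet interface names; Loopback, Vlan, Tunnel etc. are skipped.
PHYSICAL_ETHERNET = re.compile(r"^(?:Fast|Gigabit|TenGigabit)?Ethernet\S+$")


def parse_interfaces(config_text):
    """Map each 'interface X' stanza to its indented sub-commands."""
    sections, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            sections[current] = []
        elif current is not None and raw.startswith(" "):
            sections[current].append(raw.strip())
        else:
            current = None  # '!' or any top-level line ends the stanza
    return sections


def mop_enabled_interfaces(config_text):
    """Physical Ethernet interfaces where MOP is still enabled.
    Works on 'show run all' and on plain 'show run': in both, a stanza
    without 'no mop enabled' is running with the MOP-enabled default.
    """
    return [name for name, lines in parse_interfaces(config_text).items()
            if PHYSICAL_ETHERNET.match(name) and "no mop enabled" not in lines]


if __name__ == "__main__":
    for intf in mop_enabled_interfaces(SAMPLE_SHOW_RUN_ALL):
        print(f"{intf}: MOP enabled; remediate with 'no mop enabled'")
```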