[c-nsp] no mop enabled and PCI implications

Frank Bulk - iNAME frnkblk at iname.com
Thu Jun 28 00:25:58 EDT 2007


The concept of shipping devices in a default state that's secure has still
not taken off.  Though I'm pretty sure a big retailer could negotiate
something with a vendor. =)

Frank

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Richard Stern
Sent: Wednesday, June 27, 2007 1:24 PM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] no mop enabled and PCI implications

It's not intuitively obvious, but during a PCI audit it was pointed out
that the default mop enabled represents a potential threat vector.

I had to specifically remediate this vulnerability by adding no mop
enabled to all physical Ethernet interfaces in order to pass the audit.

There were other similar vulnerabilities pointed out besides that one.

Soapbox:  It would be nice if engineering was sensitized to security
(PCI) audit requirements and perhaps had a macro (set security PCI?)
that would automatically add the proper settings to the config to pass
audit requirements.  If this were there then the word could be passed
back to the audit community and they could then modify their checklists
to just require that macro setting be in the config.

That would make everybody's lives a lot easier - and provide for more
uniform security in the deployments. A win-win.



Richard
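Richard's remediation (and the macro he wishes existed) can be approximated with a small config audit. The following is an added example, not code from the thread or from Cisco: it takes a plain-text IOS running-config, finds physical Ethernet interfaces that still have MOP on (the IOS default, reversed only when `no mop enabled` appears under the interface), and emits the remediation lines. The sample config, interface names and addresses are constructed, and the regular expression that decides what counts as a "physical Ethernet" interface is an assumption that may need extending for other platform naming conventions.

```python
"""Audit a Cisco IOS-style config for interfaces missing 'no mop enabled'.

Added example (not from the mailing-list thread). Assumes a plain-text
running-config where every interface stanza starts with 'interface <name>'
and its sub-commands are indented by one space.
"""
import re
from typing import Dict, List

# Constructed sample running-config excerpt (hypothetical names/addresses).
# FastEthernet0/0 has already been remediated; the other physical ports have not.
SAMPLE_CONFIG = """\
!
interface Loopback0
 ip address 10.0.0.1 255.255.255.255
!
interface FastEthernet0/0
 description uplink
 ip address 192.0.2.1 255.255.255.252
 no mop enabled
!
interface FastEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
!
"""

# Assumption: physical Ethernet ports look like [Fast|Gigabit|...]Ethernet<slot/port>.
# Sub-interfaces (e.g. GigabitEthernet0/1.10) are excluded on purpose, because
# MOP is a property of the parent physical interface.
_PHYSICAL_ETHERNET = re.compile(
    r"^(?:Fast|Gigabit|TenGigabit|TwentyFiveGigabit|FortyGigabit|HundredGigabit)?"
    r"Ethernet\d[\d/]*$"
)


def is_physical_ethernet(name: str) -> bool:
    """True for names such as 'FastEthernet0/1'; False for Loopback, Vlan, sub-ifs."""
    return bool(_PHYSICAL_ETHERNET.match(name))


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its (stripped) indented sub-commands."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw[len("interface "):].strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # '!' or another top-level command ends the stanza
    return stanzas


def mop_enabled(subcommands: List[str]) -> bool:
    """MOP is on by default on IOS Ethernet interfaces; only 'no mop enabled' turns it off."""
    return "no mop enabled" not in subcommands


def find_mop_enabled_interfaces(config: str) -> List[str]:
    """Physical Ethernet interfaces in config order that still have MOP enabled."""
    return [
        name
        for name, cmds in parse_interfaces(config).items()
        if is_physical_ethernet(name) and mop_enabled(cmds)
    ]


def remediation_snippet(config: str) -> str:
    """IOS config lines that would disable MOP on every flagged interface."""
    lines: List[str] = []
    for name in find_mop_enabled_interfaces(config):
        lines.append(f"interface {name}")
        lines.append(" no mop enabled")
    return "\n".join(lines)


if __name__ == "__main__":
    flagged = find_mop_enabled_interfaces(SAMPLE_CONFIG)
    print("MOP still enabled on:", ", ".join(flagged) or "(none)")
    print(remediation_snippet(SAMPLE_CONFIG))
```

The script only reads text, so it can be run against an exported `show running-config` before an audit; the generated snippet is something to review and paste into configuration mode, not to apply blindly, and the result should still be confirmed on the device with `show running-config interface <name>` since the text parser cannot see defaults that the platform does not print.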





_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/