WeWontLoseItIPromise
07-03-2007, 10:09 PM
The intent of 1.3.8 is unclear because it is poorly worded. Can anyone clarify the intent of this clause?
1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following:
1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes)
Is it requiring that traffic from a wireless network must be prevented from reaching a PCI in-scope system? If that is the case, why even bother with all the WPA vs WEP elsewhere when saying "no WLAN allowed" would suffice?
What does "from controlling any traffic" mean? Is it trying to say that a WLAN client cannot be used for infrastructure administration?
It is very unhelpful for something to be written so badly.
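A constructed nftables ruleset, added here as an illustration and not taken from the original post or from the PCI DSS text, showing how a perimeter firewall between a wireless segment and the CDE could implement the two alternatives the quoted clause names (deny all wireless-to-CDE traffic, or permit only a documented business flow). The subnets, the host, the port and the "necessary" flow are all assumed values.

```nft
# Assumed (constructed) addressing: wireless clients on 10.20.0.0/16, the
# cardholder data environment on 10.10.0.0/24. Replace with real values.
define WLAN = 10.20.0.0/16
define CDE  = 10.10.0.0/24

table inet pci_1_3_8 {
    chain forward {
        # Default deny for anything crossing this firewall; every permitted
        # flow must be listed explicitly below.
        type filter hook forward priority 0; policy drop;

        # Return traffic for sessions already permitted by a rule below.
        ct state established,related accept

        # Alternative 2 of 1.3.8 ("control any traffic if necessary for
        # business"): one documented flow only, e.g. assumed handheld
        # scanners reaching an assumed application host on TCP 8443.
        # Delete this rule to get alternative 1 (deny everything).
        ip saddr $WLAN ip daddr 10.10.0.5 tcp dport 8443 \
            log prefix "wlan-to-cde-allowed " accept

        # Alternative 1 of 1.3.8: everything else from the wireless
        # environment toward the CDE is logged and dropped.
        ip saddr $WLAN ip daddr $CDE log prefix "wlan-to-cde-denied " drop
    }
}
```

The logged prefixes give the evidence trail an assessor would expect when reviewing whether wireless-originated traffic into the CDE is actually being denied or restricted.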