Re: PCI / AV / Linux DB Servers
Date: Fri, 31 Jan 2014 18:03:20 +0000
Message-ID: <>
Don't you have different network zones? I'm no network guy, but the sort of thing we do is,
DB - In a zone that can not be accessed from an external location. App Server - In a zone that can access the DBs (specific machine-to-machine:port combinations only, not completely open) and can be accessed by load balancers and reverse proxies in the DMZ. DMZ - Reverse proxies and/or load balancers in the DMZ that can access specific app servers on specific ports in the app server zone. No direct access to DBs.
So users always access via the DMZ and never get directly into the important stuff. With this all locked down to specific machine-to-machine:port connections at the firewall level, it minimizes (but not eliminates) what can go wrong. We don't run AV on our Linux installations or our UNIX stuff.
No auditors have complained about this setup yet...
-- on Fri Jan 31 2014 - 19:03:20 CET