hi, auditor says we need to block DMZ's egress by default

getsolidstate · **Posted:** Thu Aug 16, 2012 9:11 pm

i'm faced w/ a bit of a dilemma here.
i've purchased ASL in hopes that it will make our life a bit easier for PCI-compliance. (and it has!)
but now it just comes to our realization that, DMZ of the servers need egress blocked (to internet) to meet pci compliance.
this poses a bit of a challenge and i'm not sure what to do here.
my thoughts were that we can whitelist your ip's along w/ other services ASL uses, but i do not know where to start for that.

any advice you guys can provide?
time is starting to be a bit critical here :X

scott · **Posted:** Fri Aug 17, 2012 8:31 am

a proxy server is an option there

getsolidstate · **Posted:** Fri Aug 17, 2012 12:49 pm

are there any IP address that you guys can provide, so I can just whitelist as a quick solution for now?
and i thought about proxy but how would i configure ASL so that my servers will start communicating to proxy? this would be a great solution, just, i'm not sure how complex this would be.

scott · **Posted:** Fri Aug 17, 2012 4:08 pm

The proxy code (aum) is in alpha right now, and the IP to whitelist are:
74.208.155.133
74.208.166.51
74.208.97.167
208.68.233.251
74.208.195.110
69.20.6.166

getsolidstate · **Posted:** Fri Aug 17, 2012 6:44 pm

great thank you!

getsolidstate · **Posted:** Fri Aug 17, 2012 7:53 pm

Sorry, but could you also list the ports too associated w/ those IPs?

mikeshinn · **Posted:** Sat Aug 18, 2012 1:18 pm

443

You may need 53 as well, so you can lookup the FQDNs for the servers. If you cant do that, then you will need to create /etc/hosts records for:

www.atomicorp.com
updates.atomicorp.com

We recommend you use DNS, as new IPs are added as we add more mirror servers.

scott · **Posted:** Sat Aug 18, 2012 5:47 pm

also 25 and 465 for mail

getsolidstate · **Posted:** Mon Aug 20, 2012 1:46 pm

awesome, thx

hi, auditor says we need to block DMZ's egress by default

Who is online