
We are trying to install a PCI compliant firewall on our Azure VNet. The problem is that ones like OPNsense can only be installed from an ISO, which means installing it on a local VM and then uploading a disk of around 4GB to Azure to create a VM from. With our internet connection that's not a viable option.

So my question is, are there any viable firewalls that we can install normally on a Linux distribution as normal software?

Pat
  • 103
  • 3
  • Unfortunately, questions asking for products that meet certain requirements are off-topic here. The market can change very quickly. – schroeder Mar 01 '17 at 07:50
  • 1
    iptables can log all your traffic to syslog... – Rui F Ribeiro Mar 01 '17 at 10:57
  • It appears your real question is: "how can I ship the logs from my firewall to a central server?" There are many, many options and techniques. Syslog, log aggregators, shell scripts, etc. – schroeder Mar 01 '17 at 11:32
  • Hi Schroeder. We already have Graylog to do that. But the problem is all the firewalls that dump a useful log for us to forward need to be installed as an iso image. We need one that has detailed logging while still being installable as normal software. – Pat Mar 01 '17 at 12:26

2 Answers

1

Firewalls aren't PCI compliant; rather, the manner in which network traffic is managed can support PCI compliance/security validation. Network rules must be stateful and only permit traffic with a technical and business justification. Configuration of Azure's network containers with relevant, required rules using change control and performing periodic ruleset reviews will support your compliance efforts. You don't require additional network infrastructure beyond that provided by the cloud service provider unless you have other network requirements.

AndyMac
  • 3,149
  • 12
  • 21
  • Yes, we want a firewall that will dump the logs to our logging server. Unfortunately most firewalls we're finding that have that capability only come as an ISO install. – Pat Mar 01 '17 at 09:05
  • Or is that not a PCI requirement as we've been told? – Pat Mar 01 '17 at 09:06
  • You need to log security events relating to firewall management/configuration - i.e. authentication events, creation, modification, deletion of users, groups, objects, rules etc. You don't need to log all traffic. You can configure logging and a log destination using Azure portal audit logs which would capture the above required events. IF you want to log all traffic that's a separate requirement to compliance. – AndyMac Mar 01 '17 at 13:18
1

There are a fairly large number of options: iptables, firewalld, shorewall, ufw, and probably a bunch of others.

As mentioned by @AndyMac, PCI compliance is a matter of what the firewall is doing (and how), and of ensuring you have monitoring.

Personally, I find shorewall is a good match here, because it has a strong notion of zones and inter-zone flows, but YMMV.

You will most likely want either a syslog daemon, or some kind of log parser, to collect and send logging to a centralised location (which is a PCI requirement).

I am not sure doing this only for a central firewall is sufficient - it may be preferable to have firewall + logging on all/most nodes.

Edited to add:

It does sound like your issue is more about logging than what firewall you use. As a first step, I would set up a test system, make sure iptables is installed, and create a rule to log all new TCP connections: `iptables -I INPUT 1 -p tcp -m conntrack --ctstate NEW -j LOG --log-prefix "TEST LOGGING"`. Then `grep -r 'IN=' /var/log`, after having initiated a few connections.

If you don't see any output, check your syslog config.

iwaseatenbyagrue
  • 3,631
  • 1
  • 12
  • 24
  • We already have the logging system setup and forwarding to Ossec/Graylog. We just need to find a firewall that's easy to install + does the logging we need. Does either shorewall or firewalld provide such detailed logging to meet the requirement? – Pat Mar 01 '17 at 12:25
  • 2
    If you configure it correctly, yes - ultimately, for Linux, all solutions use iptables/netfilter under the hood; the difference is more in how you build your policies. It sounds like all you need to make sure of is that your existing setup receives the relevant logging - you _may_ need to check your syslog config to make sure that happens – iwaseatenbyagrue Mar 01 '17 at 12:27
  • Thank you for the edit! I was actually looking around at getting logging from firewalld, since it's installed by default and we already have it configured. But apparently firewalld uses iptables under the hood like you said. So your solution is actually logging firewalld (which is what we want). Just one question: is there any way to show if the packet was dropped or passed through? As we want to log both. – Pat Mar 01 '17 at 12:54
  • 1
    Yes - using log prefix, you can attach a label to your logging. That label is arbitrary, but it is very common for the action to be included. An example would be this line from my (shorewall-managed) ruleset - obtained using `sudo iptables-save` : `-A wlan-mng -j LOG --log-prefix "Shorewall:wlan-mng:DROP:" --log-level 6` – iwaseatenbyagrue Mar 01 '17 at 13:02
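A way to confirm that both verdicts are actually reaching the collector, as an added example that is not from either answer: it parses netfilter LOG lines and reads the ACCEPT/DROP token out of the --log-prefix text, following the "<chain>:<action>:" prefix convention from the last comment. The sample syslog lines and the "FW:" prefix are constructed for the example.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample syslog lines in the format the kernel's LOG target emits.
# Prefixes follow the "<chain>:<action>:" convention shown in the comment above.
SAMPLE_LOG = """\
Mar  1 12:30:01 fw kernel: [ 1234.567] FW:INPUT:ACCEPT: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.1.5 DST=10.0.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  1 12:30:02 fw kernel: [ 1235.001] FW:INPUT:DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.1.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44444 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  1 12:30:03 fw kernel: [ 1235.500] FW:FORWARD:DROP: IN=eth0 OUT=eth1 SRC=198.51.100.9 DST=10.0.2.20 LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=777 PROTO=UDP SPT=5353 DPT=161
Mar  1 12:30:04 fw sshd[812]: Accepted publickey for admin from 10.0.1.5 port 51234 ssh2
"""

# Everything between "kernel: [timestamp]" and the first "IN=" is the --log-prefix text.
KERNEL_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)\s*(?=IN=)")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
ACTIONS = {"ACCEPT", "DROP", "REJECT"}


def parse_line(line: str) -> Optional[dict]:
    """Turn one netfilter LOG line into a flat event; None for any other log line."""
    m = KERNEL_RE.search(line)
    if not m:
        return None
    prefix = m.group("prefix")
    fields = dict(FIELD_RE.findall(line[m.end():]))
    # The verdict is whatever ACCEPT/DROP/REJECT token the admin put in the prefix;
    # a prefix without one (e.g. "TEST LOGGING") yields UNKNOWN rather than a guess.
    tokens = set(prefix.replace(":", " ").split())
    action = next((a for a in ACTIONS if a in tokens), "UNKNOWN")
    return {
        "action": action,
        "prefix": prefix,
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
    }


def parse_log(text: str) -> list:
    """Parse a block of syslog text, keeping only the netfilter events."""
    events = [parse_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def count_by_action(text: str) -> dict:
    """Sanity check that both verdicts are present before pointing it at Graylog."""
    return dict(Counter(e["action"] for e in parse_log(text)))
```

Run it against `grep -r 'IN=' /var/log` output from the test rule; a result with only UNKNOWN or only one verdict means the prefix or the second rule is missing, not the syslog forwarding.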