End point anti-virus email alerts - SMTP Authentication

Hey guys,

I'm being told by my hosting provider that there is no way to get our Sophos virus killer to use SMTP authentication to send virus alerts.  They are insisting that we install an SMTP server into our web-server group, which I am not happy to do.

While I wouldn't want to question my hosting provider, and I appreciate there are ways around this with firewalls etc, I am stunned that Sophos would promote spam in such a way as to demand an SMTP server which is not completely locked down with SMTP auth be available.

Is there any way to enable this feature?  Or do I have to bite the bullet and make an SMTP server without auth available?

Many Thanks,

CH.

  • Hi Jak,

    That's not a bad idea at all.....I mean on one hand you could argue that it isn't THAT different from SSH in principle......If it becomes unmanageable in the future without direct notifications before we get to the point we can transfer into the top grade hosting I'll give it a try - thanks man, you've been a great help.

    QC:

    We don't have access to the management console as it's hosted virus scanning, we have a less-than-convenient web panel we have to use so e-mail gives me instant notification that something is amiss, and....because I wants it :D

    PCI is pretty explicit about the layout of our network - although I don't have the spec on me on a Sunday (all 70 pages of spec and 50 pages of SAQ are happily making my life a misery on my desk at work - my partner would make my life misery if I brought it home) - but here is the gist of it:

    Our network must be split into internal and DMZ - the internal network is where the card data is held, and cannot for any reason talk to the public internet or have its IP addresses exposed to the outside (i.e. no direct access to the web, if required it must be through NAT or Proxy).

    Any communication between the DMZ and internal network must be authenticated.

    All services must be secure (and they give a few examples to suggest their definition of secure is encrypted - I do agree that this definition is a bit weak and encrypted != secure)

    Any unsecure services must have business justification.

    I'd also agree with the comment about auditors - fortunately we are a startup so until we run over a million transactions through our system we can self-assess and I can make my own judgement calls over what the PCI consultant told me.  Unfortunately though that means my signature is on the self-assessment so my ass is on the line if we get broken into.
