Clear Choice Test: 10G access switches
In assessing switch management and security, we sought to answer three questions: Did devices follow current best practices by default? Could users configure switches to follow these best practices? And could switches be wiped clean of any sensitive information before being taken out of deployment?
The "wipe clean" question stems from regulatory requirements in a growing number of industries. For example, NIST, the U.S. government's standards body, and the credit card industry's Payment Card Industry Data Security Standard (PCI DSS) both require the deletion of any personally identifiable information before disposal.
We assessed reset capabilities by deleting the startup configuration file of each switch after putting it through performance and security tests. For all but the Alcatel-Lucent, Extreme and HP switches, that was enough to wipe the systems clean. HP's ProCurve switch stores passwords separately in flash memory, but these can be deleted through use of front-panel buttons. The procedure is documented, and HP also says it's moving toward inclusion of encrypted passwords in the switch configuration file.
The Alcatel-Lucent and Extreme switches both retain passwords even after a factory reset. In addition, Extreme's Summit X450 also retains the private SSH key, which could allow an attacker to pose as an authorized device even after the switch has been retired.
We also determined which management methods were enabled by default, and which would need to be enabled or disabled by network managers (see Management and Security Methods table).
These best practices include disabling insecure management methods such as telnet (which every switch tested supports over IPv4 out of the box), Web management over plain HTTP, and SSHv1. Best practice means accessing the switch only through secure means such as SSHv2 and/or Secure-HTTP, and also logging switch events to a syslog server (a requirement under many enterprise security policies).
Cisco's Catalyst 3750E adhered most closely to security best practices. However, it supports telnet by default, as do all the other switches. Also, when SSH is enabled, the Catalyst supports the insecure version 1 of that protocol (although SSHv1 can be disabled with an additional command).
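The checks described above (telnet off, plain HTTP off, SSH pinned to version 2, syslog export on) are easy to automate against a saved configuration, which is useful both before deployment and as evidence for an audit. The following is an added example, not code from the Clear Choice Test or from any vendor; it assumes a Cisco IOS-style configuration syntax (`transport input`, `ip http server`, `ip ssh version 2`, `logging host`), and both sample configurations are constructed for illustration.

```python
"""Audit an IOS-style switch configuration for the management best
practices discussed in the test: no telnet, no plain HTTP, SSH pinned
to version 2, and syslog export enabled.

Added example: the configuration text below is constructed, and the
command syntax is an assumption about an IOS-style platform, not
something taken from any switch in the test.
"""
import re

# Constructed sample: roughly what an access switch looks like out of
# the box (telnet allowed on the vty lines, HTTP on, SSH version not
# pinned, no syslog destination).
DEFAULT_CONFIG = """\
hostname access-sw1
ip http server
line vty 0 4
 transport input telnet ssh
 login local
"""

# Constructed sample: the same switch after hardening.
HARDENED_CONFIG = """\
hostname access-sw1
no ip http server
ip http secure-server
ip ssh version 2
logging host 192.0.2.10
line vty 0 4
 transport input ssh
 login local
"""


def parse_vty_transports(config):
    """Return the set of transports allowed under 'line vty' blocks.

    An empty set means no explicit 'transport input' was found, which
    on some platforms leaves the vendor default (often telnet) in place.
    """
    transports = set()
    in_vty = False
    for line in config.splitlines():
        if line.startswith("line "):
            # A new 'line ...' block starts; only vty blocks interest us.
            in_vty = line.startswith("line vty")
            continue
        if in_vty:
            m = re.match(r"\s+transport input (.+)", line)
            if m:
                transports.update(m.group(1).split())
    return transports


def audit(config):
    """Return a list of findings; an empty list means all checks passed."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    transports = parse_vty_transports(config)

    # 1. Remote CLI access must be SSH only.
    if not transports:
        findings.append("no explicit 'transport input' on vty lines; "
                        "platform default may allow telnet")
    elif "telnet" in transports or "all" in transports:
        findings.append("telnet allowed on vty lines; restrict to ssh")

    # 2. Plain HTTP management must be off (HTTPS is fine).
    if "ip http server" in lines:
        findings.append("plain HTTP management enabled; "
                        "use 'no ip http server'")

    # 3. SSH must be pinned to version 2 so SSHv1 cannot be negotiated.
    if "ip ssh version 2" not in lines:
        findings.append("SSH version not pinned to 2; SSHv1 may be offered")

    # 4. Events must be exported to a syslog server.
    if not any(ln.startswith("logging host") for ln in lines):
        findings.append("no syslog destination configured")

    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"{name}: {'OK' if not result else ''}")
        for finding in result:
            print(f"  - {finding}")
```

Run as-is it reports four findings for the out-of-the-box configuration and none for the hardened one. The vty parser is deliberately conservative: a block with no `transport input` line is flagged rather than assumed safe, because, as the test found, telnet is what ships enabled by default.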