[squid-users] PCI Certification compliance lists

Alex Rousskov rousskov at measurement-factory.com
Sun Jan 3 23:06:00 UTC 2021 

On 1/3/21 10:17 AM, NgTech LTD wrote:

> As i noticed in the past it seems that for a good splice and or bump I
> need the any-of acl to be used.

> Its a bit different then the way squid acls work in general.

The ACLs in ssl_bump rules work exactly the same as ACLs in other
directives. The any-of ACL is not required for ssl_bump or any other
directive. That ACL can indeed be helpful in writing good ssl_bump and
many other rules.

Side note: While bumping is often required for blocking traffic, and
splicing often implies allowing traffic, those actions/decisions are
often quite distinct. Do not ignore http_access rules while working on
ssl_bump rules -- Squid consults _both_ sets of rules,  first during
step1 and then again during step2!


HTH,

Alex.


> On Sun, Jan 3, 2021, 17:06 Amos Jeffries wrote:
> 
>     On 4/01/21 3:12 am, ngtech1ltd wrote:
>     > I am looking for domains lists that can be used for squid to be PCI
>     > Certified.
>     >
>     > I have read this article:
>     > https://www.imperva.com/learn/data-security/pci-dss-certification/
>     >
>     > And couple others to try and understand what might a Squid proxy
>     ssl-bump
>     > exception rules should contain.
>     > So technically we need:
>     > - Banks
>     > - Health care
>     > - Credit Cards(Visa, Mastercard, others)
>     > - Payments sites
>     > - Antivirus(updates and portals)
>     > - OS and software Updates signatures(ASC, MD5, SHAx etc..)
>     >
>     > * https://support.kaspersky.com/common/start/6105
>     > *
>     >
>     https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-e
>     > set-product-with-a-third-party-firewall
>     > *
>     >
>     https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s
>     >
>     55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fc
>     >
>     p&articleId=TS100291&_afrLoop=641093247174514&leftWidth=0%25&showFooter=fals
>     >
>     e&showHeader=false&rightWidth=0%25&centerWidth=100%25#!%40%40%3FshowFooter%3
>     >
>     Dfalse%26_afrLoop%3D641093247174514%26articleId%3DTS100291%26leftWidth%3D0%2
>     >
>     525%26showHeader%3Dfalse%26wc.contextURL%3D%252Fspaces%252Fcp%26rightWidth%3
>     > D0%2525%26centerWidth%3D100%2525%26_adf.ctrl-state%3D3wmxkd4vc_9
>     >
>     >
>     > If someone has the documents which instructs what domains to not
>     inspect it
>     > would also help a lot.
> 
> 
> 
>     Are you trying to get Squid certified as a PCI WAF agent?
>       or as security infrastructure agent?
>       or as general networking agent?
> 
>     These roles matter in regards to the PCI requirement to detect
>     malicious
>     transactions.
> 
> 
>     Amos
>     _______________________________________________
>     squid-users mailing list
>     squid-users at lists.squid-cache.org
>     <mailto:squid-users at lists.squid-cache.org>
>     http://lists.squid-cache.org/listinfo/squid-users
> 
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
>

More information about the squid-users mailing list