PCI Certification compliance lists

PCI Certification compliance lists

Eliezer Croitoru-3
I am looking for domain lists that can be used for Squid to be PCI
certified.

I have read this article:
https://www.imperva.com/learn/data-security/pci-dss-certification/

And a couple of others, to try to understand what a Squid proxy's ssl-bump
exception rules should contain.
So technically we need:
- Banks
- Health care
- Credit cards (Visa, Mastercard, others)
- Payment sites
- Antivirus (updates and portals)
- OS and software update signatures (ASC, MD5, SHAx, etc.)

* https://support.kaspersky.com/common/start/6105
* https://support.eset.com/en/kb332-ports-and-addresses-required-to-use-your-eset-product-with-a-third-party-firewall
* https://service.mcafee.com/webcenter/portal/oracle/webcenter/page/scopedMD/s55728c97_466d_4ddb_952d_05484ea932c6/Page29.jspx?wc.contextURL=%2Fspaces%2Fcp&articleId=TS100291&_afrLoop=641093247174514&leftWidth=0%25&showFooter=false&showHeader=false&rightWidth=0%25&centerWidth=100%25#!%40%40%3FshowFooter%3Dfalse%26_afrLoop%3D641093247174514%26articleId%3DTS100291%26leftWidth%3D0%2525%26showHeader%3Dfalse%26wc.contextURL%3D%252Fspaces%252Fcp%26rightWidth%3D0%2525%26centerWidth%3D100%2525%26_adf.ctrl-state%3D3wmxkd4vc_9

If someone has the documents which instruct what domains not to inspect, it
would also help a lot.

Thanks,
Eliezer

----
Eliezer Croitoru
Tech Support
Mobile: +972-5-28704261
Email: [hidden email]
Zoom: Coming soon



_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: PCI Certification compliance lists

Amos Jeffries
Administrator
On 4/01/21 3:12 am, ngtech1ltd wrote:

> I am looking for domains lists that can be used for squid to be PCI
> Certified.

Are you trying to get Squid certified as a PCI WAF agent?
  or as security infrastructure agent?
  or as general networking agent?

These roles matter in regards to the PCI requirement to detect malicious
transactions.


Amos

Re: PCI Certification compliance lists

Eliezer Croitoru-3
I'm trying to figure out what can be done with 5.0.4.
I believe there is either a bug or a misunderstanding on my part about what and how things should be done or configured.

The first thing is to be able to bump all and add exceptions.
The second would be to bump specific sites.
As I noticed in the past, it seems that for a good splice and/or bump I need the any-of ACL to be used.

It's a bit different than the way Squid ACLs work in general.

Eliezer


Re: PCI Certification compliance lists

Alex Rousskov
On 1/3/21 10:17 AM, NgTech LTD wrote:

> As i noticed in the past it seems that for a good splice and or bump I
> need the any-of acl to be used.

> Its a bit different then the way squid acls work in general.

The ACLs in ssl_bump rules work exactly the same as ACLs in other
directives. The any-of ACL is not required for ssl_bump or any other
directive. That ACL can indeed be helpful in writing good ssl_bump and
many other rules.

Side note: While bumping is often required for blocking traffic, and
splicing often implies allowing traffic, those actions/decisions are
often quite distinct. Do not ignore http_access rules while working on
ssl_bump rules -- Squid consults _both_ sets of rules, first during
step1 and then again during step2!


HTH,

Alex.



Re: PCI Certification compliance lists

David Touzeau-3
In reply to this post by Eliezer Croitoru-3
Hi Eliezer,

I can help you by giving a list, but

Just by using "main domains":
  • Banking/transactions: 27 646 websites.
  • AV software and update sites (fw, routers...): 133 295 websites

I can give you the lists; they are incomplete, and loading such huge databases should decrease Squid performance.
Perhaps it is better for the Squid administrator to fill its own list according to its country or company activity.





Re: PCI Certification compliance lists

Eliezer Croitoru-3

Hey David.

Indeed it should be done with the local websites; however, these sites are pretty static.
Would it be OK to publish these lists online as a file/files?

The main issue is that ssl-bump requires a couple of “fast” ACLs.
I believe it should be a “fast” ACL, but we also need the option to use an external helper, like for many other functions.
If I can choose between “fast” as the default and the ability to run a “slow” external ACL helper, I can choose what is right for/in my environment.

Currently I cannot program a helper that will decide if a CONNECT connection should be spliced or bumped programmatically.
It forces me to reload this list manually, which might take a couple of seconds.

Thanks,
Eliezer

Re: PCI Certification compliance lists

David Touzeau-3

Hi Eliezer:

http://articatech.net/tmpf/categories/banking.gz
http://articatech.net/tmpf/categories/cleaning.gz




Re: PCI Certification compliance lists

Eliezer Croitoru-3

Thanks David,

I don’t understand something:

1490677018.addr

Are these integers representing IP addresses?

Eliezer

Re: PCI Certification compliance lists

Alex Rousskov
In reply to this post by Eliezer Croitoru-3
On 1/4/21 4:27 AM, [hidden email] wrote:
> The main issue is that ssl-bump requires couple “fast” acls.

It does not: The ssl_bump directive supports both fast and slow ACLs.

Alex.

Re: PCI Certification compliance lists

Eliezer Croitoru-3
Thanks Alex,

So for now the following should work according to the docs at:
http://www.squid-cache.org/Versions/v5/cfgman/ssl_bump.html

I just noticed that I didn't put the helper in the right context, as you wrote in another email.
This way we can automatically reload lists on a change without reloading the whole Squid.
So for it to work we just need a single server which supports threading and concurrency.
To overcome update-related issues we can use either a lock/mutex/other.

Thanks Again,
Eliezer

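The helper approach described in the message above, as an added example that is not code from the thread or from the Squid project: an external ACL helper that answers OK when the client's SNI is on a no-inspect list and reloads the list file under a lock whenever it changes, so Squid itself is never reconfigured. The helper name, file paths, ACL names and the squid.conf wiring shown in the comments are assumptions.

```python
#!/usr/bin/env python3
# Assumed squid.conf wiring (names and paths are hypothetical):
#   external_acl_type no_inspect_helper ttl=60 concurrency=50 %ssl::>sni \
#       /usr/local/bin/no_inspect_helper.py /etc/squid/no_inspect_domains.txt
#   acl step1 at_step SslBump1
#   acl no_inspect external no_inspect_helper
#   ssl_bump peek step1
#   ssl_bump splice no_inspect
#   ssl_bump bump all
import os
import sys
import threading


class DomainList:
    """Domain set that reloads itself when the backing file changes."""

    def __init__(self, path):
        self.path = path
        self._lock = threading.Lock()   # guards _domains and _stamp
        self._domains = frozenset()
        self._stamp = None
        self._reload_if_changed()

    def _reload_if_changed(self):
        try:
            st = os.stat(self.path)
        except OSError:
            return                      # keep serving the last good list
        stamp = (st.st_mtime_ns, st.st_size)
        with self._lock:
            if stamp == self._stamp:
                return
            with open(self.path, encoding="utf-8") as fh:
                # One domain per line; "#" starts a comment; a leading dot is optional.
                entries = (ln.split("#", 1)[0].strip().lower().strip(".") for ln in fh)
                self._domains = frozenset(e for e in entries if e)
            self._stamp = stamp

    def matches(self, host):
        """True if host equals a listed domain or is a subdomain of one."""
        self._reload_if_changed()
        labels = host.lower().rstrip(".").split(".")
        with self._lock:
            domains = self._domains
        # Try the full name, then each parent domain in turn.
        return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def handle_line(line, domains):
    """Turn one request line ('<channel-id> <sni>') into one reply line."""
    parts = line.split()
    if not parts:
        return None                     # blank line: nothing to answer
    channel = parts[0]
    sni = parts[1] if len(parts) > 1 else "-"
    if sni == "-":
        # No SNI available: no match, so the next ssl_bump rule decides.
        return f"{channel} ERR"
    return f"{channel} {'OK' if domains.matches(sni) else 'ERR'}"


def main(argv):
    domains = DomainList(argv[1])
    for line in sys.stdin:
        reply = handle_line(line, domains)
        if reply is not None:
            sys.stdout.write(reply + "\n")
            sys.stdout.flush()          # Squid waits for each reply line
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Publish list updates with an atomic rename (write a temporary file, then move it over the old one) so the helper never reads a half-written list.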

Re: PCI Certification compliance lists

David Touzeau-3
In reply to this post by Eliezer Croitoru-3
Yes, this is an hton of the IP address (ip2long); remove the .addr and switch to long2ip.

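Decoding the `.addr` entries as described above (ip2long integers, reversed with long2ip), as an added example that is not code from the thread or from the list's publisher: it separates domains from encoded IPv4 addresses and rejects integers that are out of range or not globally routable before they reach a no-inspect list. The function names, the rejection policy and every sample entry other than `1490677018.addr` are assumptions made for this example.

```python
import ipaddress
import re

# "<decimal integer>.addr" is how the lists encode an IPv4 address (PHP ip2long).
ADDR_ENTRY = re.compile(r"^(\d+)\.addr$")


def decode_addr(entry):
    """Return the IPv4Address for '<integer>.addr', or None if entry is not one.

    Raises ValueError when the integer does not fit in 32 bits.
    """
    match = ADDR_ENTRY.match(entry)
    if match is None:
        return None
    value = int(match.group(1))
    if value > 0xFFFFFFFF:
        raise ValueError(f"{entry}: not a 32-bit address")
    # long2ip semantics: the most significant byte is the first octet.
    return ipaddress.IPv4Address(value)


def split_category(lines):
    """Sort list entries into domains, usable addresses and rejected entries."""
    result = {"domains": [], "addresses": [], "rejected": []}
    for raw in lines:
        entry = raw.strip().lower()
        if not entry:
            continue
        try:
            addr = decode_addr(entry)
        except ValueError as exc:
            result["rejected"].append((entry, str(exc)))
            continue
        if addr is None:
            result["domains"].append(entry)
        elif not addr.is_global:
            # Policy assumption: private or reserved space does not belong in
            # a third-party exception list, so it is held back for review.
            result["rejected"].append((entry, f"{addr} is not globally routable"))
        else:
            result["addresses"].append(str(addr))
    return result


# Constructed sample; only 1490677018.addr is quoted from the thread.
SAMPLE = [
    "bank.example",
    "1490677018.addr",
    "167772161.addr",     # decodes to 10.0.0.1 (private)
    "4294967296.addr",    # one past the 32-bit maximum
    "",
]

if __name__ == "__main__":
    for kind, items in split_category(SAMPLE).items():
        print(kind, items)
```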