Dealing with auditors (was Re: We hit half-million: The Cidr Report)

Alain Hebert ahebert at
Thu May 1 10:29:35 UTC 2014


    Right now, 1/2 my day$ are spend doing PCI auditing, technical side,
not as a QSA.

    There is not shortage of horror stories about my customers previous

    Best one to date...  Firewalling the FC SANs from the pool of
VMWares servers.

    Bill & Telnet...

        I hope that QSA didn't let you keep that telnet facing any
public interface without any protection.

        PS: Same deal with SSH ... encryption != protection since
keylogging is way easier than sniffing packets.  But at least you can
limit SSH authentication to public keys.

Alain Hebert                                ahebert at   
PubNIX Inc.        
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911    Fax: 514-990-9443

On 04/30/14 20:58, David Hubbard wrote:
> We just dealt with a vmware audit too; it was a joke.  In any case, the
> thing I found curious with their auditor as well as a PCI QSA (fancy
> auditor), is that neither entity seemed to know IPv6 exists.  The whole
> time I'm thinking okay, now why aren't you investigating these same
> attack vectors in IPv6?  Just another reason PCI is not necessarily
> about security....
> David
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at] On Behalf Of Ulf Zimmermann
> Sent: Wednesday, April 30, 2014 8:36 PM
> To: William Herrin
> Cc: nanog at
> Subject: Re: Dealing with auditors (was Re: We hit half-million: The
> Cidr Report)
> The auditors VMware sent to us were just as bad. To ensure we weren't
> running "rogue" ESX(i) servers or WorkStation, they made us provide full
> arp/cam tables. Then a list of the virtual machines. "Oh look, this MAC
> isn't listed as one of your virtual machines". It isn't because it was
> running on virtual box or something like that. Auditor didn't know you
> could export a virtual machine from VMware and load it into another
> visualization software and it would keep the VMware MAC ....
> On Wed, Apr 30, 2014 at 2:31 PM, William Herrin <bill at> wrote:
>> On Wed, Apr 30, 2014 at 5:23 PM, Larry Sheldon <LarrySheldon at>
>> wrote:
>>> On 4/30/2014 11:30 AM, Valdis.Kletnieks at wrote:
>>>> And in that discussion, we ascertained that what the PCI standard
>> actually
>>>> says, and what you need to do in order to get unclued boneheaded
>> auditors
>>>> to sign the piece of paper, are two very different things.
>>> I am no longer active on the battlefield but as of the last time I 
>>> was,
>> it
>>> can't be did.
>>> For years I managed various aspect of a UNIVAC 1100 operation and 
>>> the
>> audits
>>> thereof.  EVERY TIME, we were dinged badly because we didn't look 
>>> like an IBM shop (some may be surprised to learn that different 
>>> hardware and different operating systems require very different 
>>> operating procedures
>> (and
>>> it appeared to us that some of the things they wanted us to do would
>> weaken
>>> us badly, others just simply didn't make any sense, and we got 
>>> dinged for things we DID do, because they were strange.
>> I won the argument with PCI auditors about leaving telnet alive on my 
>> exterior router (which at the time would have had to be replaced to 
>> support ssh). It's not a chore for the timid. You'd better be a heck 
>> of a guru before you challenge the auditors expectations and you'd 
>> better be prepared for your boss' aggravation that the audit isn't 
>> done yet.
>> And I think we pretty well established that PCI auditors arrive 
>> expecting to see NAT.
>> Regards,
>> Bill Herrin
>> --
>> William D. Herrin ................ herrin at  bill at
>> 3005 Crane Dr. ...................... Web: <> 
>> Falls Church, VA 22042-3004

More information about the NANOG mailing list