2012/5/26 Arun Khan <knura9 at gmail.com>:
> Hi Eero,
>
> On Sat, May 26, 2012 at 1:12 AM, Eero Volotinen <eero.volotinen at iki.fi> wrote:
>> 2012/5/25 Arun Khan <knura9 at gmail.com>:
>>> I have a client project to implement PCI/DSS compliance.
>>>
>>> The PCI/DSS auditor has stipulated that the web server, application
>>> middleware (tomcat), the db server have to be on different systems.
>>
>> requirement "one primary function per server".
>>
>>> In addition the auditor has also stipulated that there be a NTP
>>> server, a "patch" server,
>>
>> true also.
>
> ... snip ...
>
>
> Thanks for your input on each point in the OP. I appreciate it.

Usually you also need to implement a WAF (web application firewall) in front of public webservers. I think the cheapest solution is to use mod_security*) on apache and then proxy valid requests to tomcat.

*) http://www.modsecurity.org/

--
Eero, RHCE, CISSP
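The setup Eero describes, as an added example that is not part of the original thread: an Apache virtual host that runs ModSecurity with the OWASP Core Rule Set and reverse-proxies only the requests that pass the rules to a Tomcat host on the application tier. The rule-set paths, the log path and the hostname `app-tier.internal` are assumptions for illustration; adjust them to the real deployment.

```apache
# Load ModSecurity and the proxy modules (module paths assumed; they
# vary by distribution).
LoadModule security2_module modules/mod_security2.so
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# --- ModSecurity engine settings ---------------------------------------
# Start with DetectionOnly while tuning the rules against real traffic,
# then switch to On so that matching requests are actually blocked.
SecRuleEngine On
# Inspect request bodies (POST forms, JSON) and cap their size so the
# WAF itself cannot be flooded with oversized uploads.
SecRequestBodyAccess On
SecRequestBodyLimit 13107200
SecRequestBodyNoFilesLimit 131072
# Audit-log only transactions that triggered a rule; PCI DSS expects
# these logs to be retained and reviewed.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogParts ABIJDEFHZ
SecAuditLog /var/log/httpd/modsec_audit.log

# OWASP Core Rule Set (install location assumed).
Include /etc/modsecurity/crs/crs-setup.conf
Include /etc/modsecurity/crs/rules/*.conf

# --- Public virtual host --------------------------------------------------
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/www.example.com.key

    # Never act as an open forward proxy; only reverse-proxy to Tomcat.
    ProxyRequests Off
    ProxyPreserveHost On

    # Requests reach this point only after ModSecurity has accepted them.
    # Tomcat lives on a separate host (auditor's "one function per server");
    # its connector should listen only on the private network so the WAF
    # cannot be bypassed by connecting to port 8080 directly.
    ProxyPass        / http://app-tier.internal:8080/
    ProxyPassReverse / http://app-tier.internal:8080/
</VirtualHost>
```

Run `apachectl configtest` after editing, and keep `SecRuleEngine DetectionOnly` until the audit log shows no false positives on legitimate application traffic.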