Sample PCI-DSS Report - Check Point Software · PCI-DSS is a legal obligation mandated not by...
Transcript of Sample PCI-DSS Report - Check Point Software · PCI-DSS is a legal obligation mandated not by...
Compliance Report PCI DSS 2.0
Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM
1
1/96
Unscheduled (9)
Future (29)
Overdue (58)
74%Compliance
About PCI DSS 2.0PCI-DSS is a legal obligation mandated not by government but by the credit card companies. Any company that isinvolved in the transmission, processing or storage of credit card data, must be compliant with PCI-DSS. PCI is divided into12 main requirements, and further broken down into approximately 200 control areas. There are different levels of PCIcompliance depending on the number of transactions that are being processed by the company.
203 Security Best Practicesrelated to this regulation
53%
Secure
4%
High
13%
Medium
30%
Low
55 Regulatory Requirements
19 Compliant
12 High
13 Medium
11 Low
BladesSecurity Status by Blade
Firewall
68%
Data Loss Prevention
57%
IPSec VPN
72%
URL Filtering
48%
Upcoming
Future
Unscheduled
Overdue
96 Action Items
0 items
29 items
9 items
58 items
Regulatory Requirement Summary ( 1 out of 4 ) 2
2/96
Id Description Status
030005Establish firewall and router configuration standards that include documentation and business justification for use of all services, protocols, and ports allowed, including documentation of security features implemented for thoseprotocols considered to be insecure [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.1.5]
Compliant
030007 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.2.1] Low
030009Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wirelessenvironment into the cardholder data environment [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.2.3]
Low
030011 Limit inbound Internet traffic to IP addresses within the DMZ [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.2] High
030012Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protectcardholder data: 1.3.3]
High
030013 Do not allow internal addresses to pass from the Internet into the DMZ [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.4] High
030014 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.5] Low
030015 Implement stateful inspection, also known as dynamic packet filtering [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.6] High
030017 Do not disclose private IP addresses and routing information to unauthorized parties [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.8] High
030021Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards [Original PCI DSS 2.0Reference: Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: 2.2]
Medium
030024 Configure system security parameters to prevent misuse [Original PCI DSS 2.0 Reference: Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: 2.2.3] Medium
030025Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers [Original PCI DSS 2.0 Reference: Requirement 2: Do not use vendor-supplied defaults for systempasswords and other security parameters: 2.2.4]
Compliant
030026Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access [Original PCI DSS 2.0 Reference:Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters: 2.3]
High
030046Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks [Original PCI DSS 2.0 Reference: Requirement 4: Encrypt transmission of cardholder data acrossopen, public networks: 4.1]
High
030048Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.) [Original PCI DSS 2.0 Reference: Requirement 4: Encrypt transmission of cardholder data across open, publicnetworks: 4.2]
Medium
Regulatory Requirement Summary ( 2 out of 4 ) 3
3/96
Id Description Status
030049Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software orprograms: 5.1]
N/A
030050Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software orprograms: 5.1.1]
High
030051 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software or programs: 5.2] High
030052Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release [Original PCI DSS2.0 Reference: Requirement 6: Develop and maintain secure systems and applications: 6.1]
High
030053 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities [Original PCI DSS 2.0 Reference: Requirement 6: Develop and maintain secure systems and applications: 6.2] Compliant
030076For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods: 1) Reviewing public-facingweb applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes, 2) Installing a web-application firewall in front of public-facing web applications[Original PCI DSS 2.0 Reference: Requirement 6: Develop and maintain secure systems and applications: 6.6]
Medium
030077Limit access to system components and cardholder data to only those individuals whose job requires such access. Access lim itations must include the restriction of access rights to privileged user IDs to least privileges necessary toperform job responsibilities [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.1]
Low
030078Limit access to system components and cardholder data to only those individuals whose job requires such access. Access lim itations must include the assignment of privileges is based on individual personnel"s job classificationand function [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.2]
Low
030079Limit access to system components and cardholder data to only those individuals whose job requires such access. Access lim itations must include the requirement for a documented approval by authorized parties specifyingrequired privileges [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.3]
Low
030080Limit access to system components and cardholder data to only those individuals whose job requires such access. Access lim itations must include the implementation of an automated access control system [Original PCI DSS 2.0Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.4]
Low
030081Establish an access control system for systems components with multiple users that restricts access based on a user"s need to know, and is set to "deny all" unless specifically allowed. This access control system must includecoverage of all system components [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.2.1]
Low
030082Establish an access control system for systems components with multiple users that restricts access based on a user"s need to know, and is set to "deny all" unless specifically allowed. This access control system must include theassignment privileges to individuals based on job classification and function [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.2.2]
Low
Regulatory Requirement Summary ( 3 out of 4 ) 4
4/96
Id Description Status
030083Establish an access control system for systems components with multiple users that restricts access based on a user"s need to know, and is set to "deny all" unless specifically allowed. This access control system must include adefault "deny-all" setting [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.2.3]
Low
030085In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: a) Something you know, such as a password or passphrase, b) Something you have, such as a token device or smart card,c) Something you are, such as a biometric [Original PCI DSS 2.0 Reference: Requirement 8: Assign a unique ID to each person with computer access: 8.2]
Medium
030086Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties [Original PCI DSS 2.0 Reference: Requirement 8:Assign a unique ID to each person with computer access: 8.3]
Medium
030087 Render all passwords unreadable during transmission and storage on all system components using strong cryptography [Original PCI DSS 2.0 Reference: Requirement 8: Assign a unique ID to each person with computer access: 8.4] Compliant
030101 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID [Original PCI DSS 2.0 Reference: Requirement 8: Assign a unique ID to each person with computer access: 8.5.14] Low
030102If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session [Original PCI DSS 2.0 Reference: Requirement 8: Assign a unique ID to each person with computer access:8.5.15]
High
030117 Send the media by secured courier or other delivery method that can be accurately tracked [Original PCI DSS 2.0 Reference: Requirement 9: Restrict physical access to cardholder data: 9.7.2] Medium
030125Implement automated audit trails for all system components to reconstruct all individual accesses to cardholder data [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources andcardholder data: 10.2.1]
Compliant
030126Implement automated audit trails for all system components to reconstruct all actions taken by any individual with root or administrative privileges [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access tonetwork resources and cardholder data: 10.2.2]
Compliant
030127 Implement automated audit trails for all system components to reconstruct access to all audit trails [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data: 10.2.3] Compliant
030128Implement automated audit trails for all system components to reconstruct invalid logical access attempts [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data:10.2.4]
Compliant
030129Implement automated audit trails for all system components to reconstruct use of identification and authentication mechanisms [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resourcesand cardholder data: 10.2 5]
Compliant
030130Implement automated audit trails for all system components to reconstruct initialization of the audit logs [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data:10.2.6]
Compliant
030131Implement automated audit trails for all system components to reconstruct creation and deletion of system-level objects [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources andcardholder data: 10.2.7]
Compliant
030132Record user identification in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholderdata: 10.3.1]
Compliant
Regulatory Requirement Summary ( 4 out of 4 ) 5
5/96
Id Description Status
030133Record event type in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data:10.3.2]
Compliant
030134Record date and time in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data:10.3.3]
Compliant
030135Record a success or failure indication in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources andcardholder data: 10.3.4]
Compliant
030136Record the origination of the event in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources andcardholder data: 10.3.5]
Compliant
030137Record the identity or name of the affected data, system component or resource in the audit trail entries for all system components for all events listed in 10.2.1 - 10.2.7 [Original PCI DSS 2.0 Reference: Requirement 10: Track andmonitor all access to network resources and cardholder data: 10.3.6]
Compliant
030144 Promptly backing up audit trail files to a centralized log server or media that is difficult to alter [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data: 10.5.3] Medium
030145 Write logs for external-facing technologies onto a log server on the internal LAN [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to network resources and cardholder data: 10.5.4] Medium
030146Use file integrity monitoring or change detection software on logs to ensure that existing log data cannot be changed without generating alerts (although new data being added should not cause an alert) [Original PCI DSS 2.0Reference: Requirement 10: Track and monitor all access to network resources and cardholder data: 10.5.5]
Compliant
030148Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (for example, online, archived, or restorable from backup) [Original PCI DSS 2.0 Reference: Requirement 10: Trackand monitor all access to network resources and cardholder data: 10.7]
Medium
030150 Perform quarterly internal vulnerability scans [Original PCI DSS 2.0 Reference: Requirement 11: Regularly test security systems and processes: 11.2.1] Medium
030152 Perform internal and external scans after any significant change [Original PCI DSS 2.0 Reference: Requirement 11: Regularly test security systems and processes: 11.2.3] Medium
030156Use intrusion detection systems, and/or intrusion prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside of the cardholder data environment, and alertpersonnel to suspected compromises. Keep all intrusion detection and prevention engines, baselines, and signatures up-to-date [Original PCI DSS 2.0 Reference: Requirement 11: Regularly test security systems and processes: 11.4]
High
030170Ensure usage policies for critical technologies require automatic disconnect of sessions for remote access technologies after a specific period of inactivity [Original PCI DSS 2.0 Reference: Requirement 12: Maintain a policy thataddresses information security for all personnel: 12.3.8]
Medium
030192 Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems [Original PCI DSS 2.0 Reference: Requirement 12: Maintain a policy that addresses information security for all personnel: 12.9.5] Compliant
PCI DSS 2.0 - 030007 7
7/96
ID Security Best Practice Blade Status
DLP109 This checks that the DLP policy includes a rule or rules to restrict the sending of PCI - Cardholder data outside the organization. Data Loss Prevention Medium
DLP135 This checks that the DLP policy includes a rule or rules to restrict the sending of PCI - Credit Card Numbers - 5 or more outside the organization. Data Loss Prevention Medium
FW101This checks whether the 'Clean up Rule' is the last row listed in the Firewall Rule Base and is applied to all Gateways. A 'Clean up Rule' is defined as: Source= Any; Destination= Any; VPN= Any Traffic;Service= Any; Action= Drop; Track= log ; Install on= Policy Targets; T ime= Any
Firewall Low
FW146This checks whether an 'Any Any Accept' rule is listed in the Firewall Rule Base and if so, that it is not applied to any Gateway. An 'Any Any accept'' is defined as: Source= Any; Destination= Any;Service= Any; Action= Accept
Firewall Low
ID: 030007
Description: Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protectcardholder data: 1.2.1]
Requirement Details
Status: Low
PCI DSS 2.0 - 030017 16
16/96
ID Security Best Practice Blade Status
FW104 This checks each cluster to ensure that 'Enable extended cluster Anti-Spoofing' is enabled Firewall Secure
FW116 This checks the NAT settings on each Gateway that 'Internal networks are hidden behind the external IP' is selected Firewall High
FW102 This checks defined interfaces for all Gateways to ensure that 'Perform Anti-Spoofing based on interface topology' is enabled Firewall Medium
FW103 This checks defined interfaces for all Gateways to ensure that the Anti-Spoofing action is set to Prevent Firewall Medium
ID: 030017
Description: Do not disclose private IP addresses and routing information to unauthorized parties [Original PCI DSS 2.0 Reference: Requirement 1: Install and maintain a firewall configuration to protect cardholder data: 1.3.8]
Requirement Details
Status: High
PCI DSS 2.0 - 030050 ( 1 out of 3 ) 51
51/96
ID Security Best Practice Blade Status
AB104 This checks that each Gateway is activated according to the profiles defined in the Anti-Bot policy Anti-Bot N/A
AB102 This checks the 'Suspicious Mail Detection' settings in the Anti-Bot blade for each defined Profile, and that 'Inspect first (KB) of email messages' is set to at least 4 KB. Anti-Bot Secure
AB110 This checks whether the 'Low Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Bot blade is set to 'Prevent' or 'Detect' Anti-Bot Secure
AB109 This checks whether the 'Medium Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Bot blade is set to 'Prevent' Anti-Bot Secure
AB105 This checks whether the Malware Database in the Anti-Bot blade is being updated automatically. Anti-Bot Secure
AB108 This checks whether the 'High Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Bot blade is set to 'Prevent' Anti-Bot Secure
AB107 This test checks that all Gateways that have the Anti-Bot blade installed have HTTPS Inspection enabled. Anti-Bot Secure
AB106 This checks whether the Malware Database in the Anti-Bot blade is being updated at least every two hours. Anti-Bot Secure
AV117 This checks that each Gateway is activated according to the profiles defined in the Anti-Virus policy Anti-Virus N/A
AV104 This checks whether the HTTP protocol has been enabled in the Anti-Virus settings Anti-Virus Secure
AV106 This checks that the maximum number of levels to be scanned in a MIME email with nested contents is not less than 7 Anti-Virus Secure
AV105 This checks whether the SMTP protocol has been enabled in the Anti-Virus settings Anti-Virus Secure
ID: 030050
Description: Ensure that all anti-virus programs are capable of detecting, removing, and protecting against all known types of malicious software [Original PCI DSS 2.0 Reference: Requirement 5: Use and regularly update anti-virus software or programs: 5.1.1]
Requirement Details
Status: High
PCI DSS 2.0 - 030050 ( 2 out of 3 ) 52
52/96
ID Security Best Practice Blade Status
AV113 This checks whether the Malware Database in the Anti-Bot blade is being updated at least every two hours. Anti-Virus Secure
AV115 This checks that the frequency of automatic updates to the Anti-Virus database is at least every 120 minutes. Anti-Virus Secure
AV112This checks whether the Malware Database in the Anti-Bot blade is being updated automatically. Note that this won't be checked if 'Traditional Anti-Virus' is enabled on all Gateways. In this case the checkwill have an NA status.
Anti-Virus Secure
AV107 This checks that the Anti-Virus blocks files if the number of MIME nesting levels in an email has been exceeded Anti-Virus Secure
AV109 This checks that the Malware DNS Trap is enabled and at least one DNS server is defined. Anti-Virus Secure
AV103 This checks whether the 'Low Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Virus blade is set to 'Prevent', 'Ask' or 'Detect' Anti-Virus Secure
AV111 This checks that HTTPS Inspection is enabled all Gateways which Anti Virus blade installed on Anti-Virus Secure
AV101 This checks whether the 'High Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Virus blade is set to 'Prevent' Anti-Virus Secure
AV102 This checks whether the 'Medium Confidence' setting in the 'Protection Activation Policy' for each profile in the Anti-Virus blade is set to 'Prevent' Anti-Virus Secure
AV114This test checks that the Anti-Virus database is being automatically updated from the Check Point cloud. Note that this will only be checked if at least one of the Gateways has 'Traditional Anti-Virus' enabled.Otherwise this check will have an NA status.
Anti-Virus Medium
AV108 This checks that Archive scanning in the Anti-Virus settings has been enabled Anti-Virus Low
FW104 This checks each cluster to ensure that 'Enable extended cluster Anti-Spoofing' is enabled Firewall Secure
FW102 This checks defined interfaces for all Gateways to ensure that 'Perform Anti-Spoofing based on interface topology' is enabled Firewall Medium
FW103 This checks defined interfaces for all Gateways to ensure that the Anti-Spoofing action is set to Prevent Firewall Medium
IPS104 This checks that the IPS Policy automatically activates Client Protections for each profile. IPS Secure
IPS102 This checks the IPS Mode for each Profile whether the 'default action for existing protection' is set to Prevent IPS Secure
PCI DSS 2.0 - 030050 ( 3 out of 3 ) 53
53/96
ID Security Best Practice Blade Status
IPS103 This checks that IPS Protections have been activated on each profile in accordance with the IPS policy IPS Secure
IPS106 This checks the severity-based protection settings in the IPS policy for each profile to ensure that protections with a Low severity status are not being activated IPS Secure
IPS110 This checks that the Profile's IPS Policy activates all applicable protections IPS Secure
IPS107 This checks the confidence level-based protection settings in the IPS policy for each profile to ensure that protections with a Low or Medium-Low severity status are not being activated IPS Secure
IPS105 This checks that the IPS Policy automatically activates Server Protections for each profile. IPS Secure
IPS111 This checks all IPS Profiles that the ability to automatically switch all protections to Detect-Only has been disabled IPS Secure
IPS108 This checks each Profile's IPS Policy to ensure that activated protections include those that have a performance impact IPS High
IPS113 This checks that the Protection Scope for the IPS on each Gateway is set to perform IPS inspection on all traffic.Note that the implementation of this recommendation has a Wide Impact. IPS Medium
IPS109 This checks each Profile's IPS Policy to ensure that the activated protections include those that are categorized as Protocol Anomalies IPS Low
IPS114 This checks that the IPS Blade is up to date and that there are no available IPS updates older than three days that have not been downloaded IPS Low
PCI DSS 2.0 - 030077 61
61/96
ID Security Best Practice Blade Status
FW130This checks whether the 'Stealth Rule' is configured in the Firewall Rule Base and is applied to all Gateways. A 'Stealth Rule' is defined as:Source= Any; Destination= GW's ; Service= Any; Action= Drop; Track=log ; Install on= Policy Target ; T ime= Any
Firewall Low
FW146This checks whether an 'Any Any Accept' rule is listed in the Firewall Rule Base and if so, that it is not applied to any Gateway. An 'Any Any accept'' is defined as: Source= Any; Destination= Any; Service= Any;Action= Accept
Firewall Low
FW101This checks whether the 'Clean up Rule' is the last row listed in the Firewall Rule Base and is applied to all Gateways. A 'Clean up Rule' is defined as: Source= Any; Destination= Any; VPN= Any Traffic; Service=Any; Action= Drop; Track= log ; Install on= Policy Targets; T ime= Any
Firewall Low
ID: 030077
Description: Limit access to system components and cardholder data to only those individuals whose job requires such access. Access limitations must include the restriction of access rights to privileged user IDs to least privilegesnecessary to perform job responsibilities [Original PCI DSS 2.0 Reference: Requirement 7: Restrict access to cardholder data by business need to know: 7.1.1]
Requirement Details
Status: Low
PCI DSS 2.0 - 030125 74
74/96
ID Security Best Practice Blade Status
FW122 This checks that all activities of the system administrator and the system operator are logged Firewall Secure
FW105 This checks each Firewall rule to ensure that it has a defined Log setting under the Track option Firewall Secure
FW171 This checks that all Firewall audit trails include the date and time of all logged events Firewall Secure
ID: 030125
Description: Implement automated audit trails for all system components to reconstruct all individual accesses to cardholder data [Original PCI DSS 2.0 Reference: Requirement 10: Track and monitor all access to networkresources and cardholder data: 10.2.1]
Requirement Details
Status: Compliant