Comments on: Network Segmentation

By: Network Segmentation – Take 2 « PCI Guru

Network Segmentation – Take 2 « PCI Guru — Sat, 06 Mar 2010 12:24:20 +0000

[...] recently regarding what constitutes good network segmentation. Apparently, my original post was just too cryptic, so I’m going to use some examples in this post to hopefully clarify where [...]

By: PCIGuru

PCIGuru — Wed, 10 Jun 2009 23:51:48 +0000

Encryption such as with a VPN is also a form of network segmentation. Another possible solution is Kerberos which can create encrypted communications between devices and processes if properly configured.

By: Johnson Yenu

Johnson Yenu — Tue, 09 Jun 2009 09:32:53 +0000

The network segmentation aims to create a trust boundary between payment systems and non-payment systems. What if this is done at a non-network level, e.g. with encryption, where non-payments systems cannot get hold of the decryption keys unless they compromise the thing doing the encryption, in which case the game is up, much like if the firewall is compromised in the network segregation example.

For e.g. if there is a DB doing DB-level encryption of data, with a per-DB encryption key, using public-private pairs managed by an Active Directory domain. A compromise of one server will not reveal the data unless the DB is also compromised, which will mean the machine will need to be compromised at an administrator level, and even then that compromise will not allow the other DB’s to be owned unless the domain admin account is compromised. Thus, there is a ‘trust boundary’ between payment systems and connected systems. Would that count as descoping?

Thanks,
Johnson

By: QSA Consistency « PCI Guru

QSA Consistency « PCI Guru — Sat, 11 Apr 2009 13:52:09 +0000

[...] segmentation is another area that is up for interpretation. I have stated in my Network Segmentation post that, “I know good network segmentation when I see it.” However, from class this week, [...]