I have had a couple of discussions recently regarding what constitutes good network segmentation. Apparently, my original post was just too cryptic, so I’m going to use some examples in this post to hopefully clarify where people are going wrong.
The PCI DSS gives very little guidance on network segmentation. In fact, the only statement near a definition says. “Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network.” But those are the mechanics of network segmentation. This definition does not specify or illuminate the additional controls required to ensure segmentation which is why I wrote the original post.
In my first example, the network in question is segmented by VLANs. The cardholder data environment (CDE) is contained in one VLAN and there are another eight VLANs defined. All VLANs are internal and none face the Internet. Access control lists (ACL) have been implemented to control the communications between the various VLANs and the CDE VLAN. Monitoring of all of the VLANs has been implemented through a variety of methods including network monitors, host monitors and system/event log monitoring and analysis. Network administrators monitor consoles that bring up any critical alerts that could indicate a potential attack or compromise. This definition sounds pretty good does it not? The problem is that it is all in the details and the details tell a different story.
In reviewing the VLANs’ ACLs we determined that two of the VLANs have TCP and UDP ports 1 through 65535 open to the CDE VLAN. Whoa! Every port is open to the CDE VLAN from these two VLANs? Yes, that is correct. This is not what the PCI SSC thought was “strong access control lists.” In digging further, we inquire as to why this condition exists. We are told that, ”We were unable to determine what the applications needed to have open between these VLANs, so rather than break anything, we just opened everything to be safe.” To be safe? Safe is a term that has different meanings relative to each person’s view that uses it. In this case, because the two VLANs were internal, apparently the other VLANs were considered also ‘safe’.
But a lot of network administrators would point to the monitoring as the way they control things. Are you serious? I do not care how much monitoring you do. With every port open, that monitoring is going to likely generate enough false positives to make identifying the real threats like finding a needle in a haystack. And this was confirmed later on when we observed the network administrators that monitor the network. They were ignoring almost everything that came up on their screens. When we questioned them about this, they said, “We have tried to tune the alerts, but have not been able to significantly reduce the false positives. We get around 10,000 to 25,000 alerts a day. So we do the best we can to find the real threats.” The best we can? Security is not forgiving, let alone for people that are doing ‘the best they can’.
The moral of this example is that if you have every port or close to every port open, you cannot consider your network properly segmented. I do not care what the other controls are that you believe are in place. You have to be realistic. And justifying having all of those ports open has to be more than implying you were too lazy and did not want to make the effort to find the real answers.
My other example involves a network that does have a limited number of ports open between their CDE VLAN and their other VLANs, albeit there are quite a few open ports. They also have monitoring in place and their network administrators are very diligent in ensuring that alerts are addressed as quickly as possible. Unlike my first example, these folks are seeing around 300 to 500 alerts of which 10% to 15% are false positives. The problem is with their documentation. In reviewing the firewall rules that segment the VLANs we documented all of the ports open to/from the CDE VLAN to the other VLANs. We interviewed the Manager of their network management and administration department and inquired as to the business reason for each of the open ports. Of the 100 or so ports defined in the ACLs, they can only give us business reasons for about 20% of them. Heaven forbid they should document the reason in the configuration file, but there is no other documentation available. The Manager even tries to find documentation in the help desk system where they log all of their changes, but even after refining the search criteria, there are just too many records to sift through in our one hour meeting to find what we need. Not even proof that management knows that these ports are open, the risks that are involved with these ports being open and that management approved that these ports be opened.
The moral here is that documentation is the foundation from which you build. If you have a shaky foundation, you will have shaky security and are likely a candidate for a compromise and breach. This is why documentation is important. If you cannot remember why ports were opened, users were allowed access to data and other security relevant issues, how can you even think you are secure? The answer is you cannot be secure if you cannot answer basic questions.
But it gets better. This same individual earlier in our meeting had confirmed that they were the one that reviewed the firewall rules quarterly and showed us emails to prove that fact. Then as we are going through the CDE ACLs, they say, “Oh, that rule should be removed. It was for a business partner that we have not done business with in more than four years.” Now, do you think I seriously believe that you are really reviewing these firewall rules quarterly when you admit that a given rule should have been removed four years ago? We document four more firewall rules that should have been changed or removed. It is situations like this that cause a QSA to shudder and then wonder what other ugly things are under the rocks and just how far you need or want to dig to find them.
Our moral here is telling the QSA what they want to hear when you know you will have to contradict yourself later on. All it does is make you look incompetent. But this situation also points out a good point regarding the duties of a QSA in conducting their assessment. QSAs not only rely on interviews and documentation, they also rely on observations to ensure that organizations not only talk the talk but also walk the walk.
So what then is proper network segmentation? A properly segmented network is much more than just technology.
The foundation of a properly segmented network starts with the control triad of preventative, detective and corrective controls. Preventative network controls are going to be firewall rules and VLAN ACLs and any other controls that prevent or control access. Detective network controls are going to be related to the monitoring you implement. Monitoring can be real time and/or log analysis after the fact, but it should not be limited to just access to/from the CDE. Monitoring also needs to include monitoring the network traffic for anomalous traffic. Finally, you need corrective controls to ensure that any issues discovered with the preventative and detective controls are addressed as soon as possible. Corrective controls are usually generated as action items created from such things as the lessons learned from an incident response plan or findings from an audit.
Once you have decided on the controls you will implement, you then need to create documentation that supports those controls. For networks, the documentation that is key is to document every port that is open inbound to or outbound from the CDE environment. Each of those ports will have been formally approved by management with the risk presented by having the port open. And that risk analysis needs to include not just the port in question, but any other relevant ports, if necessary, as certain combinations of ports may increase or decrease the risk. This risk analysis is important for a number of reasons. First, it documents the basic analysis of risk and provides the rationale for having made a decision at that time. That documentation can also save you if a breach occurs as you can understand what the people were thinking when they originally opened the port and also understand potential methods that might have been used to cause the breach. This documentation is also important for the quarterly reviews as you can use the documentation to refresh your memory as well as assisting you in making changes to the rules if business conditions change. Yes, I know firsthand that documentation is the last thing anyone wants to do. But without it I will guarantee you will not remember six months or more down the road why you did what you did and for whom. And in the security business, it is that sort of knowledge that can mean the difference between being secure and being a target.
The next item that needs to be documented is the users, programs, services and organizations that have access to the CDE. In the case of programs and services, this should be tied to the aforementioned list of ports open. In a breach, this documentation will reduce the number of likely suspects of where the breach came from. As a result, you can see why it is important to limit the number of people, programs and organizations that have access to the CDE.
The final piece of documentation that needs to exist is what should be done in the event a problem or an alert is generated. If people do not know what their responsibilities are in regards to providing feedback, then alerts will be missed or ignored and problems may not be addressed as quickly as they should. Responses to problems or alerts should include detail regarding the conditions that created the problem or alert, the steps take to address the problem or alert and any issues that may have resulted from addressing the problem or alert. If the problem or alert is not addressed in the timeframe required, there needs to be an escalation process so that the problem or alert receive the necessary visibility of management should they go unaddressed.
I hope this provides the additional examples of network segmentation.
Thanks! As I am new to PCI these blogs are helpful for me
Good questions and understandable answers, good stuff. Thanks all.
So would you consider a vlan that goes to a seperate mpls VPN and then to the Internet (guest wireless access for example) out of scope as there is no connectivity to cde it is only segmented by a vlan tag, vrf lite and an mpls vpn and hence there is no firewall between this network and cde as there is no connectivity required. I would call it virtually air gapped.
As long as your QSA can prove that the wireless VLAN NEVER comes into contact with the CDE, then it is out of scope.
I would love to see you do a post on the “Redirect” style of online credit card processing. NMI calls it “Transparent Redirect” (and has a newer “3-Step Redirect”), EZIC does this (but doesn’t really have a name for it yet), and Authorizenet just came out with their Direct Post Method.
In your view, what is the impact on the merchant’s PCI burden?
Even within the industry, there is serious confusion about whether this takes merchants out of scope.
We are also going through PCI compliance. The people that are informing us of what needs to be done are not the best and I have learned more from researching on the Internet.
Currently we have customer service reps that take orders over the phone and enter the credit card number’s into the website. Would you think this make these desktop machines “in-scope”? They are telling us to filter all traffic in and out of these desktop VLAN’s, which as you can imagine is rather difficult, see as there are countless desktop services used for AV and Patching among others.
I am eager to know what you think, Thanks.
Yes, your desktop systems are in-scope. Think about where the risk is. If any of those desktop machines are compromised, the data that they enter as well as potentially the data in the Web site is compromised. As a result, you need to protect those desktops and control access to them both physically and logically.
This is one of the biggest issues we run into doing assessments. The organization outsources everything but still does the data entry through a Web interface. While this does potentially shrink the amount of devices in-scope, it does not take you out of scope. The PCI DSS says that anything that processes, stores or transmits cardholder data is in-scope. Your desktops definitely transmit cardholder data, but depending on how the Web applications are built, the desktops could also process and even store cardholder data. We have seen instances where Web applications were inadvertently storing cardholder data due to the use of wrong programming methods, so just because you use the Web, does not get you off the hook.
Regarding desktop PCs being in scope, our QSA told us that this only applies when the person/people who use the desktop have access to more than one card number at a time. For example, if a rep takes an order and enters only the card number they have received as part of the sale and cannot lookup other card numbers, then he and the system used are not in scope. Have you come across this before? I would like to know your thoughts as I’m sure it applies to many people who are defining scope.
Sorry I didn’t make that clear in my post. However, if your desktops are not properly segmented from the cardholder data environment (CDE), then they are in scope and must comply with the PCI DSS. What we see out in the field is call centers that have PCs directly tapping into the CDE with no network segmentation.
Would installing and correctly configuring a persaonl firewall and IPS on the desktop segement them out from rest of the network? Going back to the point steve made below- we have call center desktops that take one credit card number at a time and process them using secure connection to the card processor website and we don’t store any credit card data on our systems -so should these desktops be in-scope?
The desktops are an endpoint and are at risk. Therefore, you need to ensure that these endpoints cannot become the breach point. That said, personal firewalls, IPS AND having them write all of their log data to a centralized log analysis system that monitors them for attempted compromise would be what I would recommend.
So the desktops are still in-scope – regardless of handling one credit card number at a time or having access to more than 1 credit card numbers.
They are still cardholder data entry points and are at risk of compromise. They may only come into contact with PANs one at a time, but over the course of a day, they can enter 100s and that is enough of a target for someone installing a keyboard logger or similar data capture solution. As a result, they need to be protected. This is no different than credit card terminals and integrated POS. Those also have to be protected.
Great – thank you for the confirmation. Also, i have heard this rumor that let say we get the credit card data and let say we permanently delete the card number after it has been processed. Since the card data has been deleted the system is no longer in the scope for PCI DSS. Can you please comment on that?
It’s the “permanent deletion” part that will get you in trouble. Most database management systems like Oracle, DB2, SQL Server, etc. do not really support good permanent deletion capabilities that meet US Department of Defense secure deletion standards (the standard most security professionals hold up as the most secure). As a result, an organization has to develop their own and, depending on the DBMS, that can get tricky. However, until that deletion occurs, the system retains cardholder data, so it still remains in scope for assessment.
I am sort of new to PCI compliance myself, i did attend a seminar in Toronto in June 2010, however i left with more questions than when i entered the room!
Our setup is basically 2 load balancers in front of all servers, all traffic goes through these load balancers that also act as our firewall. All servers behind are NATed via these load balancers. Now our CDE can be accessed only via the internal network, not from outside, IE all web servers talk to DB servers on local LAN subnet, not on public subnet… Is this considered segmented? or should i also create an internal VLAN for the CDE? All servers run iptables and allow only the ports and other servers that need to communicate with each other. How much farther do i need to go to pass PCI compliance with respect to this type of segmentation?
Thanks in advance for any help…
Have a great day!
Hi Rob,
I’m quite worried that you use a load balancer as a firewall on the public edge of your network. And if a public web application has e.g. an SQL Injection vulnerability, then your data in the DB can be pulled out. It’s not just about Network segmentation, you must think security as a whole.
I am a QSA and do not currently personally have a network that I manage. However, you are right that security needs to be thought of holistically, not just in static instances.
Am I inferring correctly that you’d accept network segmentation to consist of separate VLANs with properly documented and restrictive ACLs between them, even without a traditionally-named “firewall” involved? My interpretation (and that of my QSA) has been that a firewall specifically needs to be involved.
If your answer is yes, note that I’m not going to use that as some proof to my own QSA to change their thinking…I’m quite aware that QSAs differ; that’s life!
I’m just curious about your viewpoint.
First, I was talking about an internal network, not an externally facing network. I always recommend firewalls for anything externally facing.
That said, I guess being a former network administrator, I toss it back to you – what does a firewall provide in addition that ACLs in the switch do not? Properly configured, a switch these days can do all of the alerting that a firewall would provide. The key though in using only ACLs is that you also need to have network monitoring (NIDS/NIPS) turned up aggressively so that you are monitoring both sides of the switch in question and alerting on any spurious traffic. However, that is already a requirement of the PCI DSS.
That said, there will still be situations where stateful packet inspection is needed even internally. In those instances you can either go with the firewall feature set or another interface on your firewall.
Bit of a PCI newb, but I have a question I have researched around a bit and can’t find a straight answer…or responses differ.
Assuming my external firewall passes the PCI external testing am I sufficiently NETWORK SEGMENTING my lan users from my Debit machine? We don’t store cardholder data at all…we only use debit machines. Also, would it be enought to simplay have different subnets for the lan vs debit machine subnet…no VLAN’s in otherwords just subnets?
Greg
Anything that separates, provides controls that limit access in and out of the cardholder data environment (CDE) and that you can monitor provides proper network segmentation.
Separate subnets will provide that as long as there is a firewall or router that has ACLs controlling the flow of users and traffic in and out of the subnet. You also need monitoring from an IDS/IPS or other network monitoring solution so that should anomalous traffic or users be detected, an alert can be generated and investigated. However, just implementing subnets, VLANs or similar solutions without the controls and/or monitoring will not be sufficient.
What do you mean by ACL on a switch ? Unless it’s a layer 3 switch, which makes it a router I don’t see how ACL could be implemented right ?
And that triggers another question, would a CDE VLAN and other VLANs sharing the SAME physical switch be considered enough segmentation providing that traffic between the two is controlled (firewall or router ACL, and IDS) ?
Thanks, your blog is a priceless resource for my PCI project.
Clipper
ACLs can operate at either layer 2 or layer 3 depending on how you define and use them. But you are right, ACLs are typically associated with layer 3 devices which are most typically routers.
VLANs on the same device being segmented depends on the controls between the VLANS and who or what have access between them.