Network Segmentation

To paraphrase Supreme Court Justice Potter Stewart, “I know good network segmentation when I see it.”
There doesn’t seem to be a more discussed topic in the PCI compliance space than network segmentation.  Why is this such a discussed topic?  Because there are as many potential solutions as there are network equipment vendors.  So each implementation needs to be assessed on its own individual merits.
Why is network segmentation important?  For most organizations, it can mean the difference between a straightforward, relatively simple PCI assessment and a nightmare.  If an organization’s network is properly segmented and its PCI assets are physically or logically segregated from non-PCI assets, then the scope of a PCI assessment can be reduced.  This can take 50% or more of the organization’s network out of scope.
But what constitutes good network segmentation?  Here are the key concepts that I look for when assessing the segmentation of a network for PCI.

  • How is network traffic controlled?  The key here is the ‘how’.  By controlled, I’m looking for controls that physically or logically isolate PCI in-scope systems from out-of-scope systems.  Those controls can be the use of firewalls, virtual LANs (VLANs), totally separate networks and everything in between.  The most common techniques we see are firewalls or VLANs.  However you segregate your networks, there need to be access control lists (ACLs), port/service restrictions or other controls in place to limit and/or restrict access from the in-scope network to the not-in-scope network.
  • How is network traffic monitored?  The key here is usually whether or not the network is monitored.  While good controls are a great start, if you are not monitoring those controls, then anything could be going on and you will not know it until it escalates into a bigger problem.  What I look for is the ability to generate alerts when unauthorized traffic is blocked or detected.
  • What happens when an alert is generated?  If you have controls and monitoring in place, what you do when an alert occurs is key.  If you do not have an incident response process for an alert, then nine times out of ten the alert just gets ignored.  The alert response process needs to identify the alert and then lay out in detail how to diagnose whether the alert is real or a false positive.  Either way, there should be documentation generated that proves the process was followed and records the actions taken as a result.
  • Who has access to these network devices?  Finally, what you have done to limit access to the network devices is the last key item to be considered.  The first three considerations are moot if anyone can go in and make changes to these devices.  So, the final area I look for is how access to these devices is controlled and how access is monitored.
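
Concretely, the first two checks above (an explicit allow list across the in-scope boundary and alerting on what actually crosses it) can be exercised against firewall logs. This is an added example, not code from the original post; the zone addresses, the allow list and the log line format are constructed assumptions:

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed in-scope zone; everything outside it is treated as out of scope.
CDE = ipaddress.ip_network("10.10.0.0/24")
# Explicit allow list across the CDE boundary: (src, dst, proto, dport).
# Any other flow that crosses into or out of the CDE is unauthorized.
ALLOWED_FLOWS = [
    (ipaddress.ip_network("10.20.1.5/32"), CDE, "tcp", 22),    # admin jump host -> CDE SSH
    (CDE, ipaddress.ip_network("10.20.2.10/32"), "udp", 514),  # CDE -> syslog collector
]
# Constructed firewall log format (hypothetical, not a specific vendor's syntax).
LOG_RE = re.compile(r"(?P<ts>\S+) action=(?P<action>ACCEPT|DENY) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)")

def crosses_boundary(src: str, dst: str) -> bool:
    """True when exactly one endpoint is inside the CDE."""
    return (ipaddress.ip_address(src) in CDE) != (ipaddress.ip_address(dst) in CDE)

def policy_allows(src: str, dst: str, proto: str, dport: int) -> bool:
    """True when the allow list explicitly permits this boundary-crossing flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(s in fs and d in fd and proto == fp and dport == fport
               for fs, fd, fp, fport in ALLOWED_FLOWS)

def review_logs(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (severity, message) alerts for boundary-crossing traffic."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not crosses_boundary(m["src"], m["dst"]):
            continue  # unparsable or intra-zone: not a segmentation event
        proto, dport = m["proto"], int(m["dport"])
        if policy_allows(m["src"], m["dst"], proto, dport):
            continue  # expected administrative or logging flow
        flow = f"{proto}/{dport} {m['src']}->{m['dst']}"
        if m["action"] == "DENY":
            alerts.append(("medium", f"{m['ts']} blocked unauthorized {flow}"))
        else:  # ACCEPT of a forbidden flow means the control itself has failed
            alerts.append(("high", f"{m['ts']} control gap: permitted {flow}"))
    return alerts

SAMPLE_LOGS = [  # constructed sample lines, not from a real device
    "2009-02-01T10:00:01 action=ACCEPT src=10.20.1.5 dst=10.10.0.12 proto=tcp dport=22",
    "2009-02-01T10:00:05 action=DENY src=10.20.5.7 dst=10.10.0.12 proto=tcp dport=1433",
    "2009-02-01T10:00:09 action=ACCEPT src=10.20.5.7 dst=10.10.0.12 proto=tcp dport=445",
    "2009-02-01T10:00:12 action=ACCEPT src=10.20.5.7 dst=10.20.5.8 proto=tcp dport=445",
]
```

The deny on the second line is the routine alert the post asks for; the accept on the third line is the more important one, because it shows the control itself letting a forbidden flow through.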

While these are the key concepts I look for, there are nuances in each area that bring in other considerations.  So, here are your starting points for network segmentation.


6 Responses to “Network Segmentation”

  1. December 12, 2017 at 10:44 PM

    Hi there,
    I would like to seek your advice on the following.
    We have a flat network structure, and we separate our “CDE” with a router, as shown in (https://imgur.com/a/IrzC6).

    So does the PCI scope still include the whole network, or is it just that portion separated by router 2?

    Thank you.

    Best regards,

  2. June 9, 2009 at 3:32 AM

    The network segmentation aims to create a trust boundary between payment systems and non-payment systems. What if this is done at a non-network level, e.g. with encryption, where non-payments systems cannot get hold of the decryption keys unless they compromise the thing doing the encryption, in which case the game is up, much like if the firewall is compromised in the network segregation example.

    For example, if there is a DB doing DB-level encryption of data, with a per-DB encryption key, using public-private pairs managed by an Active Directory domain. A compromise of one server will not reveal the data unless the DB is also compromised, which will mean the machine will need to be compromised at an administrator level, and even then that compromise will not allow the other DBs to be owned unless the domain admin account is compromised. Thus, there is a ‘trust boundary’ between payment systems and connected systems. Would that count as descoping?


    • June 10, 2009 at 5:51 PM

      Encryption such as with a VPN is also a form of network segmentation. Another possible solution is Kerberos which can create encrypted communications between devices and processes if properly configured.

February 2009