To paraphrase Supreme Court Justice Potter Stewart, “I know good network segmentation when I see it.”
There doesn’t seem to be a more discussed topic in the PCI compliance space than network segmentation. Why is this such a discussed topic? Because there are as many potential solutions as there are network equipment vendors. So each implementation needs to be assessed on its own individual merits.
Why is network segmentation important? For most organizations, it can mean the difference between a straightforward, relatively simple PCI assessment and a nightmare. If an organization’s network is properly segmented and their PCI assets are physically or logically segregated from non-PCI assets, then the scope of a PCI assessment can be reduced. This can take 50% or more of the organization’s network out of scope.
But what constitutes good network segmentation? Here are the key concepts that I look for when assessing the segmentation of a network for PCI.
- How is network traffic controlled? The key here is the ‘how’. By controlled, I’m looking for controls that physically or logically isolate PCI in-scope systems from out-of-scope systems. Those controls can be the use of firewalls, virtual LANs (VLANs), totally separate networks and everything in between. The most common techniques we see are firewalls or VLANs. However you segregate your networks, there need to be access control lists (ACLs), port/service restrictions or other controls in place to limit and/or restrict access from the in-scope network to the not-in-scope network.
- How is network traffic monitored? The key here is usually whether or not the network is monitored. While good controls are a great start, if you are not monitoring those controls, then anything could be going on and you will not know it until it escalates into a bigger problem. What I look for is the ability to generate alerts when unauthorized traffic is blocked or detected.
- What happens when an alert is generated? If you have controls and monitoring in place, what you do when an alert occurs is key. If you do not have an incident response process for alerts, then nine times out of ten the alert just gets ignored. The alert response process needs to identify the alert and then follow a detailed procedure for diagnosing whether the alert is real or a false positive. Either way, documentation should be generated that proves the process was followed and records the actions taken as a result.
- Who has access to these network devices? Finally, what you have done to limit access to the network devices is the last key item to be considered. The first three considerations are moot if anyone can go in and make changes to these devices. So, the final area I look for is how access to these devices is controlled and how access is monitored.
While these are the key concepts I look for, there are nuances in each area that bring in other considerations. So, here are your starting points for network segmentation.
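As an added example that is not part of the original post, the following Python check ties together the first two concepts above (controls and monitoring). It assumes a constructed CDE address range, a constructed list of approved cross-boundary flows (the documented ACL exceptions) and a simplified firewall log format; it raises an alert when traffic crossing the CDE boundary is blocked, and a higher-severity alert when the firewall permitted a cross-boundary flow that is not in the approved list, which indicates the control itself has drifted.

```python
import ipaddress
from dataclasses import dataclass

# Constructed scope definition (assumption, not from the post): the CDE is one
# subnet; every other address is treated as out of scope.
CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]
# Approved cross-boundary flows: (source, destination, protocol, destination port).
APPROVED_FLOWS = [
    (ipaddress.ip_network("10.20.0.5/32"), ipaddress.ip_network("10.10.0.0/24"), "tcp", 22),   # jump host -> CDE admin
    (ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_network("10.20.0.9/32"), "udp", 514),  # CDE -> syslog collector
]

@dataclass
class Alert:
    severity: str
    reason: str
    line: str

def in_cde(ip):
    return any(ip in net for net in CDE_NETS)

def is_approved(src, dst, proto, dport):
    return any(src in s and dst in d and proto == p and dport == port
               for s, d, p, port in APPROVED_FLOWS)

def parse_line(line):
    # Constructed log format: "<ts> <ACTION> <proto> <src>:<sport> -> <dst>:<dport>"
    _ts, action, proto, src, _arrow, dst = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return action, proto.lower(), ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dport)

def evaluate(line):
    action, proto, src, dst, dport = parse_line(line)
    if in_cde(src) == in_cde(dst):
        return None  # traffic that stays on one side of the boundary is not a segmentation event
    if action == "DENY":
        return Alert("medium", "blocked attempt to cross CDE boundary", line)
    if not is_approved(src, dst, proto, dport):
        return Alert("high", "permitted cross-boundary flow not in approved ACL", line)
    return None

def alerts_from_log(lines):
    return [a for a in (evaluate(l) for l in lines if l.strip()) if a]

# Constructed sample log lines for illustration.
SAMPLE_LOG = """2024-01-01T10:00:00 ALLOW tcp 10.20.0.5:51000 -> 10.10.0.12:22
2024-01-01T10:00:01 DENY tcp 10.20.0.77:40000 -> 10.10.0.12:3389
2024-01-01T10:00:02 ALLOW tcp 10.20.0.77:40001 -> 10.10.0.12:1433
2024-01-01T10:00:03 ALLOW udp 10.10.0.12:5000 -> 10.20.0.9:514
2024-01-01T10:00:04 ALLOW tcp 10.20.0.77:40002 -> 10.20.0.80:445"""

if __name__ == "__main__":
    for alert in alerts_from_log(SAMPLE_LOG.splitlines()):
        print(f"[{alert.severity}] {alert.reason}: {alert.line}")
```

Feeding the sample log produces two alerts: the denied RDP attempt and the permitted database connection that no approved rule covers; the two approved flows and the purely out-of-scope traffic are silent.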
Hi there,
I would like to seek your advice on the following.
We have a flat network structure, and we separate our “CDE” with a router, as shown in (https://imgur.com/a/IrzC6).
Does the PCI scope still include the whole network, or just the portion separated by router 2?
Thank you.
Best regards,
Edwin
It depends on the firewall rules at the firewall off of ISP1.
The network segmentation aims to create a trust boundary between payment systems and non-payment systems. What if this is done at a non-network level, e.g. with encryption, where non-payments systems cannot get hold of the decryption keys unless they compromise the thing doing the encryption, in which case the game is up, much like if the firewall is compromised in the network segregation example.
For example, if there is a DB doing DB-level encryption of data, with a per-DB encryption key, using public-private pairs managed by an Active Directory domain. A compromise of one server will not reveal the data unless the DB is also compromised, which will mean the machine will need to be compromised at an administrator level, and even then that compromise will not allow the other DBs to be owned unless the domain admin account is compromised. Thus, there is a ‘trust boundary’ between payment systems and connected systems. Would that count as descoping?
Thanks,
Johnson
Encryption such as with a VPN is also a form of network segmentation. Another possible solution is Kerberos which can create encrypted communications between devices and processes if properly configured.