To paraphrase Supreme Court Justice Potter Stewart, “I know good network segmentation when I see it.”
There doesn’t seem to be a more discussed topic in the PCI compliance space than network segmentation. Why is this such a discussed topic? Because there are as many potential solutions as there are network equipment vendors. So each implementation needs to be assessed on its own individual merits.
Why is network segmentation important? For most organizations, it can mean the difference from a straightforward, relatively simple PCI assessment or a nightmare. If an organization’s network is properly segmented and their PCI assets are physically or logically segregated from non-PCI assets, then the scope of a PCI assessment can be reduced. This can take 50% or more of the organization’s network out of scope.
But what constitutes good network segmentation? Here are the key concepts that I look for when assessing the segmentation of a network for PCI.
- How is network traffic controlled? The key here is the ‘how’. By controlled, I’m looking for controls that physically or logically isolate PCI in-scope systems from out-of-scope systems. Those controls can be the use of firewalls, virtual LANs (VLAN), totally separate networks and everything in between. The most common techniques we see are firewalls or VLANs. However, you segregate your networks, there needs to be access control lists (ACL), port/service restrictions or other controls put into place to limit and/or restrict access from the in-scope network to the not-in-scope network.
- How is network traffic monitored? The key here is usually whether or not the network is monitored. While good controls are a great start, if you are not monitoring those controls, then anything could be going on and you will not know it until it escalates into a bigger problem. What I look for is the ability to generate alerts when unauthorized traffic is blocked or detected.
- What happens when an alert is generated? If you have controls and monitoring in place, what do you do when an alert occurs is key. If you do not have an incident response process for an alert, then nine times out of ten, the alert just gets ignored. Alert response process needs to identify the alert and then have a detailed process of how to diagnose whether the alert is real or a false positive. Either way, there should be documentation generated that proves the process was followed and the actions taken as a result.
- Who has access to these network devices? Finally, what you have done to limit access to the network devices is the last key item to be considered. The first three considerations are moot if anyone can go in and make changes to these devices. So, the final area I look for is how access to these devices is controlled and how access is monitored.
While these are the key concepts I look for, there are nuances in each area that bring in other considerations. So, here are your starting points for network segmentation.