The Three Hop Rule

At the 2014 Community Meeting, the PCI SSC responded to a question about network segmentation with what has come to be termed the “Three Hop Rule”.  The statement was made that if a device/system was “three hops or more” away from the cardholder data environment (CDE), then it was out of scope.  A lot of us in the room were taken aback by this statement.  And based on some questions of late regarding this subject, there is a lot of confusion out there regarding what the Council was trying to say.

First, the term “hop” is not a network security term nor does it even have any security implications.  The term “hop” is defined as:

“Data packets pass through routers and gateways on the way.  Each time packets are passed to the next device, a hop occurs.”

The count of three therefore is the number of hops or “hop count” between devices.  Hop count is defined as:

“Each router along the data path constitutes a hop, as the data is moved from one Layer 3 network to another.  Hop count is therefore a basic measurement of distance in a network.”

Nowhere in these definitions is there any statement about hops, the number of hops between devices and any correlation of hops and hop count as some form of security.  Hence why a lot of us were really concerned about this statement and likely why there is so much confusion and discussion resulting from the comment.

What we believe the Council was getting at was the number of network segments there are between a device/system and the CDE.  However, having three network layers between the CDE and devices/systems is also no guarantee of security.

What provides security at Layer 3 are the access control lists (ACL) or rules that allow or deny packets to traverse particular paths of the network.  ACLs can be implemented to control what devices and/or ports and services can communicate between various networks.  But just because there are ACLs implemented at each hop is also no guarantee that the number of hops between devices also secure the devices.

This is why the requirements in requirement 1 of the PCI DSS require that the QSA review all relevant ACLs to ensure that the network is truly segmented.  It is also why in v3, requirement 11.3 requires that the penetration testing also prove that the network is truly segmented.  As a result, the number of hops between the CDE and a device should not be considered a guarantee and never will be a guarantee that a device is out of scope.

The bottom line is that, in order to be truly out of scope, there needs to be ZERO hops between a device and the CDE.


9 Responses to “The Three Hop Rule”

  1. 1 Pete C
    January 9, 2015 at 1:08 PM

    My take was that they incorrectly and casually used the term “hop” in a very colloquial way rather than technical. A poor choice to an industry of people who deal in technical details. My understanding of their intent was that systems that connect to systems that store, process or transmit CHD are also in scope because any compromise of the connected system stands to impact the security of the systems directly touching CHD.

    Now you bring a third environment into play: 1) core systems directly handling CHD; 2) system connected to some component in #1; 3) system connected to #2 but not to #1…

    The theory is that you have to draw the line somewhere, and apparently (for now) the Council is saying that if you have to compromise two machines before you get to the ‘actual’ CDE, then the outermost component isn’t in scope.

    I’m not saying I necessarily agree or fully understand their thinking. Nor am I saying that having to make two compromises suddenly makes it too difficult for attackers and thus provides any measure of security. I’m simply trying to restate their case without tying it to OSI layers and actual network hops.

  2. 3 Danilo Ubaid
    January 9, 2015 at 12:57 PM

    I think that the “three hop rule” refer to a system, not network hop or vlan segments. Referencing the hop like a system, this rule make sense, since if a system X need to go through another system to access the CDE environment (the third hop), them this system X are out of scope.

    • January 10, 2015 at 8:03 AM

      The problem was the use of the term “hop”. It is a networking term, not a security term and should have never been used even as an example. We can argue “ad nausiem” over what they were trying to get across. But at the end of the day, the terminology and example were wrong.

      • 5 Danilo Ubaid
        January 10, 2015 at 8:54 AM

        I didn’t listen the PCI SSC full anwser, but i can’t find anywhere that he said the three network hop. For technical guys that work with network, when listen “hop”, the first thing that comes to mind is network hop, but for other people, hop is just a hop, not a network or a security term. (http://en.wikipedia.org/wiki/Hop).

      • January 11, 2015 at 8:24 AM

        It was an answer to a question delivered at one of the open forums on the last day of the Community Meeting, so it wasn’t on any slides.

        Using the term “hop” in a security context is dangerous because of the multiple connotations it brings with it. Let alone the fact that “hop” has nothing to do with security to begin with. It’s all about connectivity. There could be one hop or 20 hops between network segments. But if there is still connectivity to the CDE over all of those “hops”, then the number of “hops” really is irrelevant.

  3. 7 peter cooper
    January 5, 2015 at 2:46 PM

    I thought the guidance had always been that something was in scope if it could affect the security within the CDE. From that perspective, hops would be irrelevant. Otherwise you could just use a bunch of routers to de-scope!

    • January 6, 2015 at 6:51 AM

      Exactly! Hence why a lot of us that have been in the PCI compliance business were confused by the comment and why I felt the need to debunk it before it too gets out of control in the wild. Much like those P.O.S. “Certificates of PCI Compliance” that certain QSACs issue that are worthless, but still turn up as proof of compliance for service providers. The Attestation Of Compliance (AOC) has always been the only official proof of PCI compliance, yet those worthless certificates just keep on being produced and sent to companies as proof of PCI compliance.

  4. January 5, 2015 at 12:40 PM

    “Three hop rule”. This is “much too silly”. Indeed it’s ridiculous! There can be many hops within a single security zone.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

January 2015

%d bloggers like this: