As part of penetration testing, merchants and service providers are required to test that their network segmentation is properly implemented and functioning. Sounds like a simple enough task, but you would be amazed at the bizarre and complicated discussions that QSAs encounter when segmentation testing comes up.
As a reminder, requirement 11.3.4 states:
“If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.”
For service providers, requirement 11.3.4.1 adds in the requirement of testing at least every six months or any changes to network segmentation, not just “significant changes”.
Regardless of whether you are a merchant or a service provider, how segmentation testing is performed is the same.
So why all of the issues?
First, the PCI DSS does us no favors with the “guidance” for requirement 11.3.4 which states:
“Penetration testing is an important tool to confirm that any segmentation in place to isolate the CDE from other networks is effective. The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the CDE, to confirm that they are not able to get through the segmentation controls to access the CDE. For example, network testing and/or scanning for open ports, to verify no connectivity between in-scope and out-of-scope networks.”
The first point of confusion typically relates to the phrase “penetration testing” as though segmentation testing somehow requires the use of a penetration testing tool such as Metasploit or similar to conduct the segmentation testing. Nothing could be further from the truth. But the terminology of “penetration testing” clouds the task.
The second point that seems to confuse is the last sentence that starts out with “For example …”. People seem to miss that start of the sentence and take it that all they have to do is make sure that out of scope devices cannot get to the CDE and that is it. While network segmentation testing is simple, it is not quite that simple.
What Is Segmentation Testing?
After going through the debunking of all of the mythology and rumors surrounding network segmentation testing, this is the first question asked. I always take people back to what the purpose of network segmentation testing is – to prove network segmentation is implemented and is functioning as designed to keep the various networks logically separated.
When I say, “various networks”, I am referring to the network segments defined in the information supplement “Guidance for PCI DSS Scoping and Network Segmentation” issued in May 2017. In that document, the following terminology is used.
- CDE Systems – any systems/devices that directly process, store or transmit sensitive authentication data (SAD) or cardholder data (CHD) or are directly connected to such systems/devices. These systems/devices are also sometimes referred to as Tier 1 or Category 1.
- Connected To or Security Impacting Systems – are systems that provide services to the CDE or have connections to systems/devices in the CDE that could adversely affect the security of the systems/devices in the CDE. These systems/devices can also be referred to as “Shared Services”, Tier 2 or Category 2.
- Out of Scope Systems – are systems that cannot connect to the CDE also referred to as Tier 3 or Category 3.
For PCI compliance, all CDE Systems (Category 1) and Connected To (Category 2) systems are always in scope. However, for network segmentation testing, Category 3 systems/devices are also included because the testing must prove that Category 3 cannot get to Category 1 and vice versa. That is typically were network segmentation testing goes wrong is that it only proves that Category 3 cannot get to Category 1 and then stops. The guidance for requirement 11.3.4 provides some clarity in the second sentence which states:
“The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the CDE, to confirm that they are not able to get through the segmentation controls to access the CDE.”
The Council has advised that what they want is testing from inside and outside the CDE as well as from other network segments including the internet if applicable. The idea is to further support the analysis and findings from a QSA’s review of the firewall rules from the requirements in 1.3.x of the PCI DSS. The reason for this is that with some breaches and the advent of “next generation” firewalls and more sophisticated security technologies, the Council felt that assessed organizations and QSAs were not necessarily proving that network segmentation was truly in place and wanted some additional testing and confirmation.
How Do I Test?
First and foremost, timing of the testing is very important. For merchants, it should be conducted as close to annually as possible, For service providers, they are required to be conducted as close to every six months as possible. But you also need to consider the concept of “significant change”. If there have been significant changes that affected network segmentation, then the network segmentation testing must be done as soon as possible (the Council typically recommends a maximum of 30 days) after the significant change has been implemented.
While the tool used to conduct the test can be as simple as Nmap or the like, the testing itself can be complicated depending on how your network is segmented. I have clients that have hundreds of segments that results in a very time-consuming amount of testing. The key here is to be thorough, but not insanely thorough.
I have no problem with network segmentation testing including a review of firewall and ACL rules and using that information to test for example from a particular network segment into another because the rules are the same for all the network segments being tested to support a particular rule. The key is to be able to justify why you picked one segment over another and not repeatedly test from only one segment for every test. Provide the rules with an explanation of your justification for what you did. This will allow the QSA to understand how you worked and why.
But Nmap is not the only tool that can be used. There are a number of network management/modelling/monitoring tools such as FireMon, Tufin and RedSeal that can also be used to prove out network segmentation. In fact, these tools can provide ways to perform the network segmentation testing that do not need to involve scanning the network and merely running reports against the databases created by these tools.
Regardless of the tool used, be careful. I have seen too many reports where the tools did not go to the devices within the network segment and the results did not necessarily prove segmentation is in place and functioning because when matched up to the server configuration it showed other forms of communication.
Segmentation Testing Reporting Requirements
Once you have completed your network segmentation testing, you need to create a proper report of those results. At a minimum, a network segmentation testing report should have the following sections.
- A one to two page (at most) Executive Summary of the network segmentation test, the date the testing was started, the date when testing was completed, the results (i.e., pass or fail) and a summary of all findings and recommendations.
- Document who conducted the test including a bit of background as to why they are considered capable of conducting the test by including any information security certifications they hold and other relevant information security experience.
- Provide the reader a frame of reference for the testing performed. At a minimum, this should include a high-level diagram of the various segments (i.e., CDE, Connected To and Out of Scope) and an overview of the IP addressing within each of those segments.
- Document and discuss any significant changes that occurred since the last network segmentation test and what was done to prove that significant changes did or did not occur since the last segmentation test. This is necessary to confirm to the QSA and other readers that you are not just following some predefined schedule (i.e., annually or semi-annually) but are also ensuring that significant changes also potentially drive segmentation testing as required in by the PCI DSS.
- Document the methodology that was followed and the tools that were used to prove out network segmentation. What is needed in this section is specificity. Document step by step, in enough detail that someone else could conduct the testing, what you did to prove network segmentation was in place and functioning as expected.
- Document any findings and recommendations that result from the network segmentation testing particularly those findings that prove the network is not segmented as expected resulting in a failed test. If segmentation is not in place, then you will need to remediate those findings and retest to prove that the remediation was successful. If retesting is required, you need to keep all reports so that you have a record of everything that has been tested.
PCI Guru 
“But Nmap is not the only tool that can be used. There are a number of network management/modelling/monitoring tools such as FireMon, Tufin and RedSeal that can also be used to prove out network segmentation. In fact, these tools can provide ways to perform the network segmentation testing that do not need to involve scanning the network and merely running reports against the databases created by these tools.”
How could you achieve this? We are thinking of purchasing FireMon for the firewall auditing capabilities but it would be great if we can use it for the network segmentation requirement as well. How can it be used to generate a PCI network segmentation test ?
Firemon has the ability to ingest all of the configurations of the devices that create your network. It then uses that information to create a virtual network that can then be tested without actually using the network. Talk to your Firemon technical personnel to get more.
Can you explain how to do a segmentation test? Step by step? I need to test my internal network but I don’t know how.
I will write up a post as this editor is not a good place to try and document the process.
How does segmentation testing work when an organization has a local network for employees and all of the CDE is remotely hosted in AWS. The only connection to the CDE is via a secure VPN with two-factor auth.
I am assuming that the VPN connection only exists when someone is working in the AWS instance. In that case, you would document that fact in 11.3.4 that there is no constant connection.
Excellent article!
“The Council has advised that want they want is testing” – I believe that should be “what they want”.
Why did you write “…they want is testing from inside and outside the CDE…” when the DSS specifically says outside-to-in only? My understanding is that if it’s not part of the DSS then it’s just guidance and not mandatory.
This is one thing I find sad about the DSS, conditions and clarifications released only to QSAs and not to the entities being assessed. PCI-DSS has been around for well over a decade and one would have thought their transparency would be better by now.
Thanks for the proof reading.
The Information Supplement on Pen Testing is just guidance, but the ‘Guidance’ I quoted is from the DSS and it says inside and outside. The problem is that even outbound connections can be abused it’s just harder to compromise them.
I agree about the statements made to QSAs only either on calls or at the Community Meeting. There was a recent call from Service Providers and the Council did not let QSAs attend which since we assess Service Providers, one would think we should be included but were not allowed to attend.