Friday, November 17, 2006

Level 2, Level 3, and Level 4 PCI Solutions

I thought I would start another blog for pcistuff to keep it separate and distinct from my Identitystuff blog where I discuss Identity Management issues.

This initial entry is designed to lay out what specific parts of the PCI Specification I can satisfy in less than a week. At the highest level, I can't help with encryption or documentation, but anything to do with limiting access and auditability I will absolutely help with. The stuff in Red is where I will help. I also did all of the hard work for you if you are evaluating solutions.

PCI Requirements:

•Build and Maintain a Secure Network
–Requirement 1: Install and maintain a firewall configuration to protect cardholder data
–Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
•Protect Cardholder Data
–Requirement 3: Protect stored cardholder data
–Requirement 4: Encrypt transmission of cardholder data across open, public networks

•Maintain a Vulnerability Management Program
–Requirement 5: Use and regularly update anti-virus software
–Requirement 6: Develop and maintain secure systems and applications

•Implement Strong Access Control Measures
-Requirement 7: Restrict access to cardholder data by business need-to-know
-Requirement 8: Assign a unique ID to each person with computer access

-Requirement 9: Restrict physical access to cardholder data

•Regularly Monitor and Test Networks
-Requirement 10: Track and monitor all access to network resources and cardholder data
-Requirement 11: Regularly test security systems and processes

•Maintain an Information Security Policy
-Requirement 12: Maintain a policy that addresses information security


PCI Requirement 1

•1.1 Establish firewall configuration standards that include the following:
•1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration TNT Does this in real time
•1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks TNT Auto discovers users, machines, networks, servers, applications (port)
•1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone TNT will segment and enforce your policies by user, device, group, application, server, health posture or network
•1.1.4 Description of groups, roles, and responsibilities for logical management of network components TNT proactively manages this in real time
•1.1.5 Documented list of services and ports necessary for business TNT will auto discover ALL ports (even rogue) and allow you to report them in real time
•1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN) TNT logs all connection data between users, machines, and ports
•1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented
•1.1.8 Quarterly review of firewall and router rule sets TNT will enable you to establish and audit policy in real time, before enforcement is enabled
•1.1.9 Configuration standards for routers.

1.2 Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment. This is what TNT’s solution does
1.3Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following:

•1.3.1 Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters) TNT denies ALL connections that are not from a specific user, machine, IP address, etc. providing unparalleled control
•1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ TNT will control access from and access to specific networks, machines, and resources in real time allowing specific segmentation policies to be set and proactively enforced.
•1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only ”established” connections are allowed into the network) This is TNT’s core functionality – TNT controls access to resources and networks based on what identity attributes are in the SYN header of every TCP/IP packet on the network
•1.3.4 Placing the database in an internal network zone, segregated from the DMZ TNT establishes a virtual physical zone so that only one user from one machine has access to a single application, even if there are other applications on the same server
•1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment TNT’s solution restricts by user, machine, subnet and health level
•1.3.6 Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers), and start-up configuration files (when machines are re-booted) should have the same secure configuration TNT eliminates the need for this
•1.3.7 Denying all other inbound and outbound traffic not specifically allowed TNT does this in real time with unparalleled granularity
•1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes) Installing TNT’s solution behind an AP, allows you to track and control EVERY connection through it
•1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network. TNT’s solution builds a unique and unalterable identity of each machine in the environment and combines this with authenticated user information to create pervasive identity against which access controls are applied

•1.4 Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). TNT would accomplish this by keeping all non identified/known users from any and all networks, infrastructure, applications and data in an enforced policy
•1.4.1 Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic TNT will allow an organization to deny all signalling within and between networks in seconds
•1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ. TNT will lock down specific resources by users, machines, and networks to each other
•1.5 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT).
TNT stops all masquerading of identity because we have a known users FQDN & unique machine ID hashed and encrypted and embedded in every packet. You cannot be anyone else from any other machine. TNT's solution is transparent to NAT. We always know it's you and what machine you're using.

Stay Tuned for PCI Requirement 2!!


Post a Comment

<< Home