Educause Security Discussion mailing list archives
Re: PCI and common access computers
From: "Flynn, Gary" <flynngn () JMU EDU>
Date: Thu, 25 Mar 2010 16:09:10 -0400
-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Ladwig Sent: Thursday, March 25, 2010 2:48 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI and common access computers I observe that "good vlans" are not a scope-delineating control under PCI. You need stateful packet inspection with bidirectional default- deny between systems handling cardholder data and any system reachable from the Internet. If you have a tight inbound traffic policy from both Internet and DMZ, you can get away with stateless router ACLs.
OTOH, we were told that vlan ACLs, even those using the 'established' keyword were insufficient. That a standalone, hardware firewall was required.
Some of Cisco's IOS has "reflexive ACL" processing, and that supposedly counts for scope delineation.
I hadn't thought about that and they weren't mentioned to us as a possibility. We use those at our Internet border. NAT would have to be implemented too.
VLANs alone aren't enough. However, all QSA opinions I've seen are that a CHD VLAN may coexist on he same Layer-2 devices as a non-CHD VLAN, so long as there is Layer-3 policy enforcement between the VLANs. I haven't pushed hard on the question of whether a host-based Layer-3 firewall would suffice as a scope-delimiting control, not because I think the QSA would fail it, but because *I* probably wouldn't trust it not to be disabled by the next piece of malware to cross the machine. jmlBlake Penn <BPenn () TRUSTWAVE COM> 2010-03-25 11:51 >>>That's a good strategy for segmentation. Also, I've seen restrictive host-based firewalling and similar approaches used to create "islands" of in-scope systems while maintaining a greater out-of-scope network. Blake Penn CISSP, MCSE, MCSD, MCDBA, QSA Senior Security Consultant Trustwave bpenn () trustwave com 678-777-1277 http://www.trustwave.com DISCLAIMER: The views represented in this message reflect the opinions of the author alone and do not neccessarily reflect the opinions of Trustwave. -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Eric C. Lukens Sent: Thursday, March 25, 2010 11:38 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI and common access computers -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 If they're on the same subnet/segment, then they're also in scope. You're best bet is probably to invest in some good vlans or separate network hardware to segment the cardholder machines from everything else. That's what we're doing here. If you're interested in hearing more about it, just let me know. - -Eric - -------- Original Message -------- Subject: Re: [SECURITY] PCI and common access computers From: Mayne, Jim <j.mayne () TCU EDU> To: SECURITY () LISTSERV EDUCAUSE EDU Date: 3/25/10 10:30 AMBlake, That makes sense but now what about other workstations that are notused for processing credit card information but are on the same network subnet or segment. Are they in scope as well?Thanks, Jim -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Blake PennSent: Thursday, March 25, 2010 9:37 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI and common access computers That sounds spot on. The key question is whether the system is beingused as part of a university business process in either a merchant or service provider context. If the answer is yes, then it is likely in scope, if no, then likely not.Blake Penn CISSP, MCSE, MCSD, MCDBA, QSA Senior Security Consultant Trustwave bpenn () trustwave com 678-777-1277 http://www.trustwave.com DISCLAIMER: The views represented in this message reflect theopinions of the author alone and do not neccessarily reflect the opinions of Trustwave.-----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ewing, AshleySent: Thursday, March 25, 2010 10:07 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] PCI and common access computers I have been told by our QSA, Trustwave and auditors at PwC that theyare in scope. An employee entering a credit card on a university owned machine going through a university network to the payment process on site or off site is in scope along with the path as part of a university payment process. Not an individual making a personal purchase, but the ticketing office, advancement/alumni, continuing studies programs, etc., taking customer credit cards via phone, fax or paper.We are testing the use of a small PCs that shares the keyboard, mouseand monitor with the primary desktop, and runs software that will lockdown the device to the payment processes only on an isolated network segment (completely separate from any wireless network access). This reduces the risk associated with email, web surfing and network sniffing.Feel free to contact me offline if you have any questions. J. Ashley Ewing, CISSP, CISA Information Security Officer Office of Information Technology (OIT) The University of Alabama A314 Gordon Palmer Hall (Box 870346) Tuscaloosa, AL 35487-0346 Office: 205-348-6524 Cell: 205-535-0335 -----Original Message----- From: The EDUCAUSE Security Constituent Group Listserv[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Flynn, GarySent: Thursday, March 25, 2010 8:46 AM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] PCI and common access computers It has been suggested that these types of computers that people coulduseto perform credit card transactions may be in-scope for PCIcompliancerequirements. Anyone heard anything like that? I don't see how itcouldever work as you couldn't restrict the access to the credit cardrequestingsites because they could be anywhere. And you really couldn'treliablyprevent people from typing them either.- -- Eric C. Lukens IT Security Policy and Risk Assessment Analyst ITS-Network Services Curris Business Building 15 University of Northern Iowa Cedar Falls, IA 50614-0121 319-273-7434 http://www.uni.edu/elukens/ http://weblogs.uni.edu/elukens/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.10 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkurg0MACgkQN+w4PqsMNp25vwCfTvR0vbb19PVxi3tiTmungRP3 EO8An31lWtEmAUWBjZtMFJVAn7ihch1I =otO9 -----END PGP SIGNATURE-----
Current thread:
- Re: PCI and common access computers, (continued)
- Re: PCI and common access computers Basgen, Brian (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)
- Re: PCI and common access computers Mayne, Jim (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Blake Penn (Mar 25)
- Re: PCI and common access computers John Ladwig (Mar 25)
- Re: PCI and common access computers Eric C. Lukens (Mar 25)
- Re: PCI and common access computers Ewing, Ashley (Mar 25)
- Re: PCI and common access computers Patrick Ouellette (Mar 25)
- Re: PCI and common access computers Flynn, Gary (Mar 25)