Educause Security Discussion mailing list archives
Re: PCI
From: Paul Kendall <PKendall () ACCUDATASYSTEMS COM>
Date: Mon, 27 Jun 2011 13:22:59 -0500
That's correct. Yes, the 'letter of the law' within PCI does conflict with IPv6. HOWEVER, there are numerous ways around it. Compensating controls are the first and foremost that come to mind, and it does not necessarily require a huge effort or workaround. Once again, proper segmentation of the network to isolate the CDE will bring the most beneficial results here, and minimize the effort required for PCI compliance.

Paul L. Kendall
===================================
Paul L. Kendall, CGEIT, CISM, CISSP, CSSLP
Certified HIPAA Professional
Certified HIPAA Security Specialist
PCI Qualified Security Assessor
Senior Consultant - Assessments & Compliance
Main 281.897.5000 | Direct 817.496.6450 | Cell 713.446.5259 | http://www.accudatasystems.com
Tower Three Galleria | 13155 Noel Road, Suite 920 | Dallas, TX 75240

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Sam Hooker
Sent: Monday, June 27, 2011 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] PCI

Unless I've missed something, the DSS (2.0) itself doesn't precisely define the "network vulnerability scans" referred to under requirement 11, at least not with respect to host discovery. On page 13 of the PCI "Approved Scanning Vendors Program Guide"[1] (v1.0, dated March of 2010) though, I find the following, under "ASV Scan Solution - Required Components":

'Perform host discovery
The ASV scan solution must make a reasonable attempt to identify live systems, including live systems that do not respond to ICMP echo ("ping") requests.'

Presuming the same standard applies to your internal scans, the question then becomes: What constitutes "reasonable"?

Cheers,
-sth

[1] https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf

--
Sam Hooker | samuel.hooker () uvm edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont

On 20110627 11:44 , John Ladwig wrote:
DSS 2.0 clarifies that RFC1918 may be used in the CDE, *or* you may use global addresses, but then MUST NOT advertise those networks to the global Internet. That latter is certainly doable for v6 networks, such as they exist. There's still the nagging issue of almost no commercial gear implementing NAT66, which would also impact the ability to use Unique-local addressing for the CDE hosts.

Fortunately, my world seems to have no particular interest in moving to v6 in general, much less in our in-scope environments.

-jml

>>> "Curtis, Bruce" <Bruce.Curtis () NDSU EDU> 2011-06-27 10:01 >>>
On Jun 27, 2011, at 9:41 AM, Jacobson, Dick wrote:

I attended an IPv6 seminar last week and am wondering if I heard something correctly. This did not register with me until after the seminar and since the seminar I have been looking for an email address for Johannes Ullrich (the instructor), but have not found one, and asked a few people around here about this. I have not been able to get a half-way-confident answer so I am bringing the question here. I think I heard that on an IPv6 network, you can not be PCI compliant because (I think) the size of the address space makes it impossible to scan in a timely manner, as required. Does this question make sense? Any comments/thoughts for me?

There are several things about PCI that do not make any sense. For example PCI requires that a network implement NAT. Since there is no NAT in IPv6, PCI appears to have its head in the sand about the future of the Internet. PCI does have some provisions for compensating methods so perhaps there is a way around the NAT requirements, but it just seems silly that PCI has not considered the implications of IPv6. I'm less familiar with the PCI requirements on scanning, but I have heard that there were issues with NIST or other government agency requirements and scanning, but they may have made progress on those issues by now.
Essentially it is impossible to scan all of the IPv6 addresses in a subnet from a remote host that is not on that subnet. If the scan of an IPv6 subnet is performed from that subnet then there may be ways of scanning all active IPv6 hosts on that subnet.

http://www.ietf.org/rfc/rfc5157.txt

---
Bruce Curtis bruce.curtis () ndsu edu
Certified NetAnalyst II 701-231-8527
North Dakota State University
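As an added illustration of the scanning point raised in the thread (this is editor-supplied example code, not part of any message above and not an ASV or PCI SSC tool), the following Python script quantifies why an off-link brute-force sweep of a /64 is hopeless and then generates the structured candidate addresses that RFC 5157 describes a scanner trying instead: low-byte interface identifiers (::1, ::2, ...), identifiers derived from an IPv4 address, and modified EUI-64 identifiers built from a known vendor OUI. The prefix 2001:db8:1:2::/64, the OUI 00:1b:21 and the IPv4 range 192.0.2.0/30 are constructed sample inputs, and the candidate-generation heuristics go slightly beyond the single sentence in Bruce's message by covering the main RFC 5157 address patterns.

```python
"""Candidate-address generation for an IPv6 /64, after RFC 5157.

Brute-forcing a /64 from off-link is infeasible; a scanner instead tries
the interface identifiers hosts are likely to have.  The prefix, OUI and
IPv4 range used below are constructed for illustration only.
"""
import ipaddress
from typing import Iterable, List

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_years(prefix_len: int = 64, probes_per_second: float = 1e6) -> float:
    """Years needed to probe every address in a prefix at a given probe rate."""
    return (2 ** (128 - prefix_len)) / probes_per_second / SECONDS_PER_YEAR


def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291
    Appendix A): flip the universal/local bit and insert ff:fe in the middle."""
    octets = bytes(int(o, 16) for o in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def ipv4_based_ids(ipv4_net: str) -> List[int]:
    """Interface identifiers administrators derive from an IPv4 address, in the
    two common spellings: the 32-bit value in the low bits (::c000:201) and the
    decimal octets written as hex groups (::192:0:2:1)."""
    ids = []
    for host in ipaddress.IPv4Network(ipv4_net).hosts():
        ids.append(int(host))
        groups = [int(str(o), 16) for o in host.packed]  # "192" read as hex
        ids.append(groups[0] << 48 | groups[1] << 32 | groups[2] << 16 | groups[3])
    return ids


def candidate_hosts(prefix: str, low_byte_max: int = 32,
                    ipv4_nets: Iterable[str] = (), ouis: Iterable[str] = (),
                    nic_ids: Iterable[int] = range(256)) -> List[ipaddress.IPv6Address]:
    """Structured guesses for live hosts in a /64: low-byte IDs, IPv4-derived
    IDs, and EUI-64 IDs from known vendor OUIs with a small range of
    NIC-specific low 24 bits (nic_ids)."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    base = int(net.network_address)
    ids = set(range(1, low_byte_max + 1))
    for v4 in ipv4_nets:
        ids.update(ipv4_based_ids(v4))
    for oui in ouis:
        for nic in nic_ids:
            mac = f"{oui}:{(nic >> 16) & 0xff:02x}:{(nic >> 8) & 0xff:02x}:{nic & 0xff:02x}"
            ids.add(eui64_interface_id(mac))
    return sorted(ipaddress.IPv6Address(base | i) for i in ids)


if __name__ == "__main__":
    print(f"Full sweep of a /64 at 1M probes/s: {brute_force_years():,.0f} years")
    sample = candidate_hosts("2001:db8:1:2::/64", low_byte_max=4,
                             ipv4_nets=["192.0.2.0/30"], ouis=["00:1b:21"],
                             nic_ids=range(0x0a0b0c, 0x0a0b0e))
    for addr in sample:
        print(addr)
```

The candidate list is only as good as the assumptions fed into it (which OUIs are deployed, which IPv4 ranges the addressing plan mirrors), which is exactly why an off-link scan can never claim completeness. The on-link alternative Bruce alludes to, such as the all-nodes multicast address or the router's neighbour cache, needs a live segment and is not shown here.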