PCI Network Segmentation & Active Directory

Posted on 2014-07-24
Last Modified: 2014-07-29
We have a requirement to be PCI compliant. We have isolated our systems into new CDE VLANs that are filtered through a firewall. The systems that we have moved into the new CDE VLAN are member servers in Active Directory. The purpose of segmenting these systems was to limit the scope of PCI compliance to only those systems in the CDE DMZ VLAN. My question is this: since these servers are Active Directory member servers, does the scope now include the Active Directory domain controllers that are in our normal server VLAN? What about the network that the Active Directory controllers reside in? Are those now also in scope? I seem to be getting mixed information about this and would appreciate any clarification or PCI documentation that addresses this specifically. Thanks in advance!
Question by:nsgguy245

Expert Comment

ID: 40217442
The short answer is yes.

Safest approach is to have two separate AD forests isolated from each other. You can still VLAN the forests apart.

Expert Comment

by:Rich Rumble
ID: 40217494
I'd say yes as well; to communicate with AD they have to be able to talk back and forth, and that's an exception in the firewall. However, if you have mitigating controls, like denying ports 135-139/445/3389 to/from the DC, then you should be OK. Allowing ports 500 and 88 should be all you need for AD communications, and if no services are listening on those ports in the DMZ, you should be OK. You will have to ask your QSA, but we have that mitigating control for us. Same for DNS/WINS: you need to allow the hosts inside the DMZ to ask the hosts outside, but you can't allow the hosts outside in.
We certainly would never stand up a whole new AD environment when you have a few dozen hosts that can not only comply but probably benefit from stronger isolation.

Author Comment

ID: 40217736
Thanks for the feedback. Is there a particular place in the PCI Standard itself that further clarifies this? It seems a bit ambiguous. Also, just to clarify, the DCs themselves would be in scope, but not other devices on the VLAN that they are in, correct?

Accepted Solution

Rich Rumble earned 1500 total points
ID: 40218441
A VLAN is a broadcast domain, and does very little in terms of security when it's just a VLAN. You need documentation on controls, firewall rules, and scan results from one side to the other. Being on the same VLAN isn't good or bad; it says very little really, other than that each host could potentially hear some of the other hosts' traffic (WINS broadcasts, ARP broadcasts, DHCP broadcasts...), but unless you have restrictive routing or firewalls for your various VLANs, most can still talk between themselves when using direct protocols (non-broadcast traffic). So to say something is in or out of scope, or rather to prove that, you need to prove that there are controls beyond and/or including VLAN segmentation. It's easy to prove to a QSA that this VLAN can't talk to that VLAN: scan from VLAN A to VLAN B and vice versa. If the routing or firewall rules are specific to IPs or ports, then you need scans proving those restrictions work and are tested.
VLANs aren't mentioned in the PCI 2.0 Standard at all :) Network segmentation is on page 10 of the PCI 2.0 Std, and in Appendix D as well, on the last page, page 75. The PII and CC data has to be segmented if you don't want all of your network to be in scope. If you place some hard restrictions on the PCI hosts, it makes everything a lot smoother :) Make sure only certain hosts or certain users can get in or out to the PCI hosts. If need be, use "jump-boxes", which are boxes designated in the network config or the hosts' config to be allowed to administer or connect to the PCI hosts. Only these boxes can get into the DMZ, and of those jump boxes, only these 3-4 users are allowed to log into them. Things like that are good mitigating controls.
There is no right or wrong way to segment in the standard, and there shouldn't be; there are a lot of variables, so you have to prove segmentation and implement it how you see fit, and in a way that your QSA agrees is segmented.
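The scan-and-compare step described in the accepted answer (scan from VLAN A to VLAN B and back, and keep the results as evidence that the firewall rules hold), together with the port allow-list idea from the earlier comment, as an added example that is not part of the thread and not code from any of the posters: a small Python script that parses nmap grepable output (`-oG`) and flags every port that got through the firewall but is not on the allow-list for that direction. The scan text, host names, addresses and the allowed-port sets are constructed assumptions standing in for your own CDE/DC rules, not anything taken from the original posts. It treats `closed` as a finding too, because a RST from the target proves the packet crossed the firewall even though nothing is listening today.

```python
"""
Segmentation check: compare nmap grepable (-oG) scan results against an
allow-list policy for one traffic direction.

Added example for this thread, not code from the original answers. The
scan text is constructed sample data, not a real scan, and the host names,
addresses and allowed-port lists are assumptions standing in for your own
CDE/DC firewall rules.
"""
import re
from dataclasses import dataclass

# Constructed sample: `nmap -oG - -p 53,88,135,139,389,445,3389 10.10.1.5`
# run from a host inside the CDE VLAN toward the domain controller.
CDE_TO_DC_SCAN = """\
# Nmap scan initiated (sample) as: nmap -oG - -p 53,88,135,139,389,445,3389 10.10.1.5
Host: 10.10.1.5 (dc01.corp.example)\tStatus: Up
Host: 10.10.1.5 (dc01.corp.example)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
# Nmap done (sample) -- 1 IP address (1 host up) scanned
"""

# Constructed sample of the reverse direction: a scan from the DC's VLAN
# into a CDE host. Per the thread, nothing outside should reach in.
DC_TO_CDE_SCAN = """\
Host: 10.20.5.11 (pos-app01.cde.example)\tStatus: Up
Host: 10.20.5.11 (pos-app01.cde.example)\tPorts: 22/closed/tcp//ssh///, 443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
"""

# nmap -oG port entries look like "port/state/proto//service///".
PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/")


@dataclass(frozen=True)
class Policy:
    """Ports a source zone is allowed to reach in a destination zone.

    Anything not listed must be blocked (nmap state 'filtered') by the
    firewall between the VLANs.
    """
    name: str
    allowed: frozenset  # set of (port, proto) tuples


# Assumed rule sets for the two directions discussed in the thread.
CDE_TO_DC = Policy("CDE -> DC VLAN", frozenset({(53, "tcp"), (88, "tcp"), (389, "tcp")}))
DC_TO_CDE = Policy("DC VLAN -> CDE", frozenset())


def parse_nmap_grepable(text):
    """Return {ip: {(port, proto): state}} from nmap -oG output."""
    results = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Tab-separated "Key: value" fields: Host, Status, Ports, ...
        fields = dict(part.split(": ", 1) for part in line.split("\t") if ": " in part)
        ip = fields["Host"].split()[0]
        ports = results.setdefault(ip, {})
        for port, state, proto in PORT_RE.findall(fields.get("Ports", "")):
            ports[(int(port), proto)] = state
    return results


def find_violations(scan, policy):
    """Return sorted (ip, port, proto, state) tuples for ports that are
    reachable but not on the policy's allow-list.

    'open' means a service answered; 'closed' means the host sent a RST,
    which still proves the firewall passed the packet. Only 'filtered'
    counts as blocked, so both of the others are reported.
    """
    violations = []
    for ip, ports in scan.items():
        for (port, proto), state in ports.items():
            if state != "filtered" and (port, proto) not in policy.allowed:
                violations.append((ip, port, proto, state))
    return sorted(violations)


def report(scan_text, policy):
    """Print a pass/fail summary for one direction and return the violations."""
    violations = find_violations(parse_nmap_grepable(scan_text), policy)
    verdict = "PASS" if not violations else "FAIL"
    print(f"[{verdict}] {policy.name}: allowed {sorted(policy.allowed)}")
    for ip, port, proto, state in violations:
        print(f"    {ip} {port}/{proto} is {state} but not allowed")
    return violations


if __name__ == "__main__":
    report(CDE_TO_DC_SCAN, CDE_TO_DC)
    report(DC_TO_CDE_SCAN, DC_TO_CDE)
```

Run it against real `nmap -oG` files from a CDE host and from a DC-VLAN host, once per direction, and keep the output with the firewall rule export; a QSA wants the rule and the evidence that the rule holds. The example scans only the handful of ports named in the thread; for evidence, scan the full TCP range (and UDP for DNS/Kerberos) so that a rule that is broader than intended is caught, not just the ports you expected.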
