PCI Network Segmentation & Active Directory

Posted on 2014-07-24
Medium Priority
Last Modified: 2014-07-29
We have a requirement to be PCI compliant. We have isolated our systems into new CDE VLANs that are filtered through a firewall. The systems that we have moved into the new CDE VLAN are member servers in Active Directory. The purpose of segmenting these systems was to limit the scope of PCI compliance to only those systems in the CDE DMZ VLAN. My question is this: since these servers are Active Directory member servers, does the scope now include the Active Directory domain controllers that are in our normal server VLAN? What about the network that the Active Directory controllers reside in? Are those now also in scope? I seem to be getting mixed information about this and would appreciate any clarification or PCI documentation that addresses this specifically. Thanks in advance!
Question by:nsgguy245

Expert Comment

ID: 40217442
The short answer is yes.

The safest approach is to have two separate AD forests isolated from each other. You can still VLAN the forests apart.

Expert Comment

by:Rich Rumble
ID: 40217494
I'd say yes as well: to communicate with AD they have to be able to talk back and forth, and that's an exception in the firewall. However, if you have mitigating controls, like denying ports 135-139/445/3389 to/from the DC, then you should be OK. Allowing ports 500 and 88 should be all you need for AD communications, and if no services are listening on those ports in the DMZ, you should be OK. You will have to ask your QSA, but we have that mitigating control for us. Same for DNS/WINS: you need to allow the hosts inside the DMZ to ask the hosts outside, but you can't allow the hosts outside in.
We certainly would never stand up a whole new AD environment when you have a few dozen hosts that can not only comply but probably benefit from stronger isolation.

Author Comment

ID: 40217736
Thanks for the feedback. Is there a particular place in the PCI Standard itself that further clarifies this? It seems a bit ambiguous. Also, just to clarify, the DCs themselves would be in scope, but not other devices on the VLAN that they are in, correct?

Accepted Solution

Rich Rumble earned 1500 total points
ID: 40218441
A VLAN is a broadcast domain, and does very little in terms of security when it's just a VLAN. You need documentation on controls, firewall rules, and scan results from one side to the other. Being on the same VLAN isn't good or bad; it says very little really, other than that each host could potentially hear some of the other hosts' traffic (WINS broadcasts, ARP broadcasts, DHCP broadcasts...), but unless you have restrictive routing or firewalls for your various VLANs, most can still talk between themselves when using direct protocols (non-broadcast traffic). So to say something is in or out of scope, or rather to prove it, you need to prove that there are controls beyond and/or including VLAN segmentation. It's easy to prove to a QSA that this VLAN can't talk to that VLAN: scan from VLAN A to VLAN B and vice versa. If the routing or firewall rules are specific to IPs or ports, then you need scans proving those restrictions work and are tested.
VLANs aren't mentioned in the PCI 2.0 Standard at all :) Network segmentation is on page 10 of the PCI 2.0 Std, and in Appendix D as well, last page, page 75. The PII and CC data has to be segmented if you don't want all of your network to be in scope. If you place some hard restrictions on the PCI hosts, it makes everything a lot smoother :) Make sure only certain hosts or certain users can get in or out to the PCI hosts. If need be, use "jump boxes", which are boxes designated in the network config or the hosts' config to be allowed to administer or connect to the PCI hosts. Only these boxes can get into the DMZ, and of those jump boxes, only these 3-4 users are allowed to log into them. Things like that are good mitigating controls.
There is no right or wrong way to segment in the standard, and there shouldn't be; there are a lot of variables, so you have to prove segmentation and implement it how you see fit, and in a way that your QSA agrees is segmented.
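The two Rich Rumble comments above come down to one piece of evidence: a scan taken from one VLAN toward the CDE VLAN, compared against the firewall rules that are supposed to govern that path. The script below is an added example written for this page, not code from the thread or from any PCI tooling. It parses nmap's grepable output format (`-oG`), which is real, but the scan text, the 10.20.0.0/28 addresses, the hostnames and the permitted-port policy are all constructed and hypothetical. It does not decide which ports Active Directory actually needs; the allowed set is whatever rule set you and your QSA have agreed on, and the script only reports where observed reality deviates from it, in both directions: ports open that the policy does not permit, and ports the policy permits that are not reachable (a rule or service that is not working as documented).

```python
"""
Segmentation evidence check: compare an nmap -oG scan taken from one VLAN toward
the CDE VLAN against the firewall policy that is supposed to govern that path.

All addresses, hostnames, scan output and the policy below are CONSTRUCTED
sample data for illustration (hypothetical), not from a real environment.
"""
import re
from collections import defaultdict

# Constructed nmap grepable output, as if run from the office/server VLAN toward
# the CDE VLAN. Format per entry: port/state/proto/owner/service/rpcinfo/version/
SAMPLE_SCAN = (
    "# Nmap 7.80 scan initiated Thu Jul 24 10:00:00 2014 as: "
    "nmap -Pn -p 53,88,135,139,389,445,464,1433,3389 -oG - 10.20.0.0/28\n"
    "Host: 10.20.0.10 (cde-app01.example.test)\tStatus: Up\n"
    "Host: 10.20.0.10 (cde-app01.example.test)\tPorts: "
    "88/open/tcp//kerberos-sec///, 135/closed/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///\tIgnored State: filtered (6)\n"
    "Host: 10.20.0.11 (cde-db01.example.test)\tStatus: Up\n"
    "Host: 10.20.0.11 (cde-db01.example.test)\tPorts: "
    "1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (7)\n"
    "Host: 10.20.0.12 ()\tStatus: Up\n"  # fully filtered host: no Ports line
    "# Nmap done at Thu Jul 24 10:00:05 2014 -- 16 IP addresses (3 hosts up) scanned\n"
)

# Hypothetical policy: from the scanning VLAN, these are the only TCP ports the
# firewall should pass to each CDE host. A host absent from the policy may
# expose nothing at all.
ALLOWED_TCP = {
    "10.20.0.10": {88, 389},
    "10.20.0.11": {1433},
}

# Matches only the "Ports:" lines; "Status:" lines and "#" comments are skipped.
PORTS_RE = re.compile(
    r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+Ports:\s+(.*?)(?:\s+Ignored State:.*)?$"
)


def parse_open_ports(scan_text):
    """Return {host_ip: {port: service}} for every TCP port reported as open."""
    open_ports = defaultdict(dict)
    for line in scan_text.splitlines():
        m = PORTS_RE.match(line)
        if not m:
            continue
        ip, _hostname, ports_field = m.groups()
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5:
                continue  # malformed entry; ignore rather than guess
            port, state, proto, _owner, service = fields[:5]
            if proto == "tcp" and state == "open":
                open_ports[ip][int(port)] = service or "unknown"
    return dict(open_ports)


def evaluate_segmentation(scan_text, allowed):
    """Compare observed open ports with the documented firewall policy.

    Returns (violations, unreachable):
      violations  - (ip, port, service) tuples open but not permitted by policy
      unreachable - (ip, port) tuples permitted by policy but not observed open
    Both lists are sorted so the output is stable evidence for a QSA.
    """
    observed = parse_open_ports(scan_text)
    violations = []
    for ip, ports in sorted(observed.items()):
        permitted = allowed.get(ip, set())
        for port, service in sorted(ports.items()):
            if port not in permitted:
                violations.append((ip, port, service))
    unreachable = []
    for ip, permitted in sorted(allowed.items()):
        for port in sorted(permitted - set(observed.get(ip, {}))):
            unreachable.append((ip, port))
    return violations, unreachable


if __name__ == "__main__":
    found, missing = evaluate_segmentation(SAMPLE_SCAN, ALLOWED_TCP)
    for ip, port, service in found:
        print(f"VIOLATION  {ip}:{port}/tcp ({service}) open but not permitted")
    for ip, port in missing:
        print(f"UNREACHABLE {ip}:{port}/tcp permitted by policy but not open")
    if not found and not missing:
        print("Scan matches documented segmentation policy")
```

Run it from each side in turn (CDE toward the server VLAN, and server VLAN toward the CDE) with the matching policy, and keep the raw `-oG` file alongside the report; the point is that the evidence is the scan plus the rule set it was checked against, not the VLAN diagram.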
