Solved

PCI Network Segmentation & Active Directory

Posted on 2014-07-24
1,233 Views
Last Modified: 2014-07-29
We have a requirement to be PCI Compliant. We have isolated our systems into new CDE VLANs that are filtered through a firewall. The systems that we have moved into the new CDE VLAN are member servers in Active Directory. The purpose of segmenting these systems was to limit the scope of PCI compliance to only those systems in the CDE DMZ VLAN. My question is this: since these servers are Active Directory member servers, does the scope now include the Active Directory domain controllers that are in our normal server VLAN? What about the network that the Active Directory controllers reside in? Are those now also in scope? I seem to be getting mixed information about this and would appreciate any clarification or PCI documentation that addresses this specifically. Thanks in advance!
Question by:nsgguy245
4 Comments
 
LVL 5

Expert Comment

by:amac81
ID: 40217442
The short answer is yes.

Safest approach is to have two separate AD forests isolated from each other.  You can still VLAN the forests apart.
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 40217494
I'd say yes as well: to communicate with AD they have to be able to talk back and forth, and that's an exception in the firewall. However, if you have mitigating controls, like denying ports 135-139/445/3389 to/from the DC, then you should be OK. Allowing ports 500 and 88 should be all you need for AD communications, and if no services are listening on those ports in the DMZ, you should be OK. You will have to ask your QSA, but we have that mitigating control for us. Same for DNS/WINS: you need to allow the hosts inside the DMZ to ask the hosts outside, but you can't allow the hosts outside in.
We certainly would never stand up a whole new AD env when you have a few dozen hosts that can not only comply but probably benefit from stronger isolation.
-rich
0
 

Author Comment

by:nsgguy245
ID: 40217736
Thanks for the feedback. Is there a particular place in the PCI Standard itself that further clarifies this? It seems a bit ambiguous. Also, just to clarify, the DCs themselves would be in scope, but not other devices on the VLAN that they are in, correct?
0
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 40218441
A VLAN is a broadcast domain, and does very little in terms of security when it's just a VLAN. You need documentation on controls, firewall rules, and scan results from one side to the other. Being on the same VLAN isn't good or bad; it says very little really, other than that each host could potentially hear some of the other hosts' traffic (WINS broadcasts, ARP broadcasts, DHCP broadcasts...), but unless you have restrictive routing or firewalls for your various VLANs, most can still talk between themselves when using direct protocols (non-broadcast traffic). So to say something is in or out of scope, or rather to prove that, you need to prove that there are controls beyond and/or including VLAN segmentation. It's easy to prove to a QSA that this VLAN can't talk to that VLAN: scan from VLAN-A to VLAN-B and vice versa. If the routing or firewall rules are specific to IPs or ports, then you need scans proving those restrictions work and are tested.
VLANs aren't mentioned in the PCI 2.0 Standard at all :) Network segmentation is on page 10 of the PCI 2.0 Standard, and in Appendix D as well, on the last page, page 75. The PII and CC data has to be segmented if you don't want all of your network to be in scope. If you place some hard restrictions on the PCI hosts, it makes everything a lot smoother :) Make sure only certain hosts or certain users can get in or out to the PCI hosts. If need be, use "jump-boxes", which are boxes designated in the network config or the hosts' config to be allowed to administer or connect to the PCI hosts. Only these boxes can get into the DMZ, and of those jump boxes, only these 3-4 users are allowed to log into them. Things like that are good mitigating controls.
There is no right or wrong way to segment in the standard, and there shouldn't be, there are a lot of variables, so you have to prove segmentation and implement it how you see fit, and in a way that your QSA agrees is segmented.
-rich
0
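The accepted answer's point is that segmentation is proven by scanning across the boundary in both directions and showing the results match the documented firewall rules. The script below is an added example, not code from the thread or from either commenter: it parses nmap-style output and reports every port whose observed state contradicts a stated policy. The host names, addresses and scan results are constructed sample data, and the allow/deny lists are built only from the ports the comments above mention (88, 500, DNS/WINS, and the blocked 135-139/445/3389). The real list of ports a member server needs to reach a DC is longer than that (LDAP on 389, the RPC endpoint mapper, and so on), so in practice the policy must be copied from your own documented rule set; the sample deliberately shows 389 open so the "open but undocumented" case is exercised.

```python
"""Check cross-VLAN scan results against a documented segmentation policy.

Added example, not code from the original thread. Feeds nmap-style output
(constructed sample data below) from a CDE host scanning a domain controller,
and from the server VLAN scanning back into the CDE, through a policy check
and lists every port whose observed state contradicts the firewall rules
given to the QSA. All hosts, addresses and the policy are assumptions.
"""
import re
from dataclasses import dataclass

# Matches nmap's normal-output port lines, e.g. "445/tcp  open  microsoft-ds".
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


@dataclass(frozen=True)
class Policy:
    """Ports the documented firewall rules permit or deny in one direction."""
    name: str
    allow: frozenset  # ports expected to be reachable
    deny: frozenset   # ports the mitigating control must block


# Direction 1: CDE member server -> domain controller. Assumed policy built
# from the ports named in the comments: Kerberos 88, IKE 500, DNS/WINS 53
# allowed; SMB/RPC/NetBIOS/RDP denied. Replace with your own rule set.
CDE_TO_DC = Policy(
    name="CDE -> DC",
    allow=frozenset({53, 88, 500}),
    deny=frozenset({135, 136, 137, 138, 139, 445, 3389}),
)

# Direction 2: server VLAN -> CDE host. Nothing outside may initiate inbound
# (admin access goes through jump boxes), so the allow list is empty and any
# open port is a finding.
DC_TO_CDE = Policy(name="DC -> CDE", allow=frozenset(), deny=frozenset())

# Constructed sample scan output (not real data): CDE host scanning the DC.
SAMPLE_CDE_TO_DC = """\
Nmap scan report for dc01.corp.example (10.10.1.5)
PORT     STATE    SERVICE
53/tcp   open     domain
88/tcp   open     kerberos-sec
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
389/tcp  open     ldap
445/tcp  open     microsoft-ds
3389/tcp filtered ms-wbt-server
"""

# Constructed sample scan output: server VLAN host scanning into the CDE.
SAMPLE_DC_TO_CDE = """\
Nmap scan report for pos-app01.cde.example (10.20.1.10)
PORT     STATE    SERVICE
22/tcp   filtered ssh
135/tcp  filtered msrpc
445/tcp  filtered microsoft-ds
3389/tcp filtered ms-wbt-server
"""


def parse_nmap(text):
    """Return {(port, proto): state} from nmap's normal (-oN style) output."""
    ports = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports[(int(m["port"]), m["proto"])] = m["state"]
    return ports


def check(scan, policy):
    """Compare observed port states with the policy; return a list of findings."""
    findings = []
    for (port, proto), state in sorted(scan.items()):
        reachable = state == "open"
        if reachable and port in policy.deny:
            findings.append(f"FAIL {policy.name}: {port}/{proto} is open but the rule set denies it")
        elif reachable and port not in policy.allow:
            findings.append(f"FAIL {policy.name}: {port}/{proto} is open and not in the documented allow list")
        elif not reachable and port in policy.allow:
            # Not a segmentation failure, but a documented exception that the
            # scan did not exercise; explain it in the evidence package.
            findings.append(f"NOTE {policy.name}: {port}/{proto} is {state} although the rules allow it")
    return findings


def segmentation_proven(scan, policy):
    """True when no observed port contradicts the policy (NOTEs are tolerated)."""
    return not any(f.startswith("FAIL") for f in check(scan, policy))


if __name__ == "__main__":
    for sample, policy in ((SAMPLE_CDE_TO_DC, CDE_TO_DC), (SAMPLE_DC_TO_CDE, DC_TO_CDE)):
        scan = parse_nmap(sample)
        for finding in check(scan, policy):
            print(finding)
        print(f"{policy.name}: {'PASS' if segmentation_proven(scan, policy) else 'FAIL'}")
```

Run it against real `nmap -oN` output from a host on each side of the boundary; the CDE-to-DC sample fails twice (445 open despite the deny rule, 389 open without a documented rule), and the inbound sample passes because everything is filtered. Keep the policy object in the same repository as the firewall change record so the scan evidence and the rule set the QSA reviews cannot drift apart.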
