Solved

PCI Network Segmentation & Active Directory

Posted on 2014-07-24
Last Modified: 2014-07-29
We have a requirement to be PCI Compliant. We have isolated our systems into new CDE VLANs that are filtered through a firewall. The systems that we have moved into the new CDE VLAN are member servers in Active Directory. The purpose of segmenting these systems was to limit the scope of PCI compliance to only those systems in the CDE DMZ VLAN. My question is this: since these servers are Active Directory member servers, does the scope now include the Active Directory domain controllers that are in our normal server VLAN? What about the network that the Active Directory controllers reside in? Are those now also in scope? I seem to be getting mixed information about this and would appreciate any clarification or PCI documentation that addresses this specifically. Thanks in advance!
Question by: nsgguy245
4 Comments
 
LVL 5

Expert Comment

by: amac81
ID: 40217442
The short answer is yes.

Safest approach is to have two separate AD forests isolated from each other.  You can still VLAN the forests apart.
 
LVL 38

Expert Comment

by: Rich Rumble
ID: 40217494
I'd say yes as well. To communicate with AD they have to be able to talk back and forth, and that's an exception in the firewall. However, if you have mitigating controls, like denying ports 135-139/445/3389 to/from the DC, then you should be ok. Allowing ports 500 and 88 should be all you need for AD communications, and if no services are listening on those ports in the DMZ, you should be ok. You will have to ask your QSA, but we have that mitigating control for us. Same for DNS/WINS: you need to allow the hosts inside the DMZ to ask the hosts outside, but you can't allow the hosts outside in.
We certainly would never stand up a whole new AD env when you have a few dozen hosts that can not only comply but probably benefit from stronger isolation.
-rich
 

Author Comment

by: nsgguy245
ID: 40217736
Thanks for the feedback. Is there a particular place in the PCI Standard itself that further clarifies this? It seems a bit ambiguous. Also, just to clarify, the DCs themselves would be in scope, but not other devices on the VLAN that they are in, correct?
 
LVL 38

Accepted Solution

by: Rich Rumble (earned 500 total points)
ID: 40218441
A VLAN is a broadcast domain, and does very little in terms of security when it's just a VLAN. You need documentation on controls, firewall rules, and scan results from one side to the other. Being on the same VLAN isn't good or bad; it says very little really, other than that each host could potentially hear some of the other hosts' traffic (WINS broadcasts, ARP broadcasts, DHCP broadcasts...), but unless you have restrictive routing or firewalls for your various VLANs, most can still talk between themselves when using direct protocols (non-broadcast traffic). So to say something is in or out of scope, or rather to prove that, you need to prove that there are controls beyond and/or including VLAN segmentation. It's easy to prove to a QSA that this VLAN can't talk to that VLAN: scan from VLAN A to VLAN B and vice versa. If the routing or firewall rules are specific to IPs or ports, then you need scans proving those restrictions work and are tested.
VLANs aren't mentioned in the PCI 2.0 Standard at all :) Network segmentation is on page 10 of the PCI 2.0 Std, and in Appendix D as well, last page, page 75. The PII and CC data has to be segmented if you don't want all of your network to be in scope. If you place some hard restrictions on the PCI hosts, it makes everything a lot smoother :) Make sure only certain hosts or certain users can get in or out to the PCI hosts. If need be, use "jump-boxes", which are boxes designated in the network config or the hosts' config to be allowed to administer or connect to the PCI hosts. Only these boxes can get into the DMZ, and of those jump boxes, only these 3-4 users are allowed to log into them. Things like that are good mitigating controls.
There is no right or wrong way to segment in the standard, and there shouldn't be; there are a lot of variables, so you have to prove segmentation and implement it how you see fit, and in a way that your QSA agrees is segmented.
-rich
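The accepted answer, and Rich's earlier comment about permitting only specific ports to and from the DC, both come down to the same thing: the segmentation has to be written down as an allow-list and then proven with scans from each side. As an added example that is not part of this thread, the Python script below parses nmap "grepable" output (nmap ... -oG -) from a scan launched in one VLAN and aimed at the other, and flags every port that got an answer through the firewall but is not on the allow-list for that direction. All IP addresses, hostnames and scan lines are constructed sample data, and the allow-lists (CDE hosts may reach the DC only on 53, 88 and 389; nothing from the ordinary server VLAN may reach the CDE) are assumptions chosen for the example, not a statement of what PCI or anyone in this thread requires.

```python
"""Check segmentation scan results against the intended firewall policy.

Input is nmap "grepable" output (nmap ... -oG -) from a scanner placed in
one VLAN and aimed at the other.  Any port that the firewall let through
(state "open" or "closed": the target answered) but that is not on the
allow-list for that direction is reported as a finding.  All addresses,
hostnames and scan lines below are constructed sample data.
"""
from collections import defaultdict

# Constructed sample: scan launched from a CDE host towards the server VLAN.
CDE_TO_SERVER_GNMAP = """\
# Nmap 6.46 scan initiated as: nmap -sS -p 53,88,135,139,389,445,3389 -oG - 10.20.0.0/24
Host: 10.20.0.10 (dc1.example.test)\tPorts: 53/open/tcp//domain///, 88/open/tcp//kerberos-sec///, 135/filtered/tcp//msrpc///, 139/filtered/tcp//netbios-ssn///, 389/open/tcp//ldap///, 445/open/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
Host: 10.20.0.50 (fileserver.example.test)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: filtered (6)
# Nmap done -- 2 IP addresses scanned
"""

# Constructed sample: scan launched from an ordinary (non jump-box) server
# towards the CDE VLAN.  Nothing should be reachable from here.
SERVER_TO_CDE_GNMAP = """\
# Nmap 6.46 scan initiated as: nmap -sS -p 22,445,3389 -oG - 10.30.0.0/24
Host: 10.30.0.5 (pos-app1.example.test)\tPorts: 22/filtered/tcp//ssh///, 445/filtered/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///
Host: 10.30.0.6 (pos-db1.example.test)\tPorts: 22/filtered/tcp//ssh///, 445/filtered/tcp//microsoft-ds///, 3389/filtered/tcp//ms-wbt-server///
"""

# Assumed (hypothetical) allow-lists, keyed by destination IP.  CDE members
# may reach the DC only for DNS, Kerberos and LDAP; from the server VLAN
# nothing at all is allowed into the CDE (only jump boxes would be).
CDE_TO_SERVER_POLICY = {"10.20.0.10": {53, 88, 389}}
SERVER_TO_CDE_POLICY = {}


def parse_gnmap(text):
    """Return {ip: [(port, state, proto), ...]} from nmap -oG output."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        # Fields on a Host line are tab separated: "Host: ip (name)", "Ports: ...", ...
        fields = line.split("\t")
        ip = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            # Each entry looks like "445/open/tcp//microsoft-ds///"
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 3:
                    continue
                port, state, proto = parts[0], parts[1], parts[2]
                results[ip].append((int(port), state, proto))
    return dict(results)


def check_segmentation(scan_text, policy):
    """Return [(ip, port, proto, state)] for ports that passed the firewall
    but are not allowed by the policy for this scan direction."""
    findings = []
    for ip, ports in parse_gnmap(scan_text).items():
        allowed = policy.get(ip, set())
        for port, state, proto in ports:
            if state == "filtered":
                continue  # no answer at all: the firewall dropped it, as intended
            if port not in allowed:
                findings.append((ip, port, proto, state))
    return findings


if __name__ == "__main__":
    for label, scan, policy in (
        ("CDE -> server VLAN", CDE_TO_SERVER_GNMAP, CDE_TO_SERVER_POLICY),
        ("server VLAN -> CDE", SERVER_TO_CDE_GNMAP, SERVER_TO_CDE_POLICY),
    ):
        findings = check_segmentation(scan, policy)
        print("%s: %d finding(s)" % (label, len(findings)))
        for ip, port, proto, state in findings:
            print("  %s %d/%s is %s but not on the allow-list" % (ip, port, proto, state))
```

Run against the constructed samples, the CDE-to-server scan reports 445/tcp on the DC and on the file server (SMB is answering from inside the CDE, contradicting the intended rule), and the server-to-CDE scan reports 3389/tcp on one CDE host (RDP reachable from a box that is not a jump box). A "closed" state is deliberately treated the same as "open": a RST means the packet reached the target, so the firewall rule is missing even though nothing is listening yet. Scans in both directions, with the allow-list they were checked against, are the kind of evidence the QSA can be shown.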
