PCI Network Segmentation & Active Directory

Posted on 2014-07-24
Last Modified: 2014-07-29
We have a requirement to be PCI Compliant. We have isolated our systems into new CDE VLANs that are filtered through a firewall. The systems that we have moved into the new CDE VLAN are member servers in Active Directory. The purpose of segmenting these systems was to limit the scope of PCI compliance to only those systems in the CDE DMZ VLAN. My question is this: since these servers are Active Directory member servers, does the scope now include the Active Directory domain controllers that are in our normal server VLAN? What about the network that the Active Directory controllers reside in? Are those now also in scope? I seem to be getting mixed information about this and would appreciate any clarification or PCI documentation that addresses this specifically. Thanks in advance!
Question by: nsgguy245

Expert Comment

ID: 40217442
The short answer is yes.

Safest approach is to have two separate AD forests isolated from each other.  You can still VLAN the forests apart.
LVL 38

Expert Comment

by: Rich Rumble
ID: 40217494
I'd say yes as well; to communicate with AD they have to be able to talk back and forth, and that's an exception in the firewall. However, if you have mitigating controls, like denying ports 135-139/445/3389 to/from the DC, then you should be OK. Allowing ports 500 and 88 should be all you need for AD communications, and if no services are listening on those ports in the DMZ, you should be OK. You will have to ask your QSA, but we have that mitigating control for us. Same for DNS/WINS: you need to allow the hosts inside the DMZ to ask the hosts outside, but you can't allow the hosts outside in.
We certainly would never stand up a whole new AD env when you have a few dozen hosts that can not only comply but probably benefit from stronger isolation.

Author Comment

ID: 40217736
Thanks for the feedback. Is there a particular place in the PCI Standard itself that further clarifies this? It seems a bit ambiguous. Also, just to clarify, the DCs themselves would be in scope, but not other devices on the VLAN that they are in, correct?
LVL 38

Accepted Solution

Rich Rumble earned 500 total points
ID: 40218441
A VLAN is a broadcast domain, and does very little in terms of security when it's just a VLAN. You need documentation on controls, firewall rules, and scan results from one side to the other. Being on the same VLAN isn't good or bad; it says very little really, other than that each host could potentially hear some of the other hosts' traffic (WINS broadcasts, ARP broadcasts, DHCP broadcasts...), but unless you have restrictive routing or firewalls for your various VLANs, most can still talk between themselves when using direct protocols (non-broadcast traffic). So to say something is in or out of scope, or rather to prove it, you need to prove that there are controls beyond and/or including VLAN segmentation. It's easy to prove to a QSA that this VLAN can't talk to that VLAN: scan from VLAN A to VLAN B and vice versa. If the routing or firewall rules are specific to IPs or ports, then you need scans proving those restrictions work and are tested.
VLANs aren't mentioned in the PCI 2.0 Standard at all :) Network segmentation is on page 10 of the PCI 2.0 Std, and in Appendix D as well, last page, page 75. The PII and CC data has to be segmented if you don't want all of your network to be in scope. If you place some hard restrictions on the PCI hosts, it makes everything a lot smoother :) Make sure only certain hosts or certain users can get in or out to the PCI hosts. If need be, use "jump-boxes", which are boxes designated in the network config or the hosts' config to be allowed to administer or connect to the PCI hosts. Only these boxes can get into the DMZ, and of those jump boxes, only these 3-4 users are allowed to log into them. Things like that are good mitigating controls.
There is no right or wrong way to segment in the standard, and there shouldn't be; there are a lot of variables, so you have to prove segmentation and implement it how you see fit, and in a way that your QSA agrees is segmented.
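One way to turn the "scan from VLAN A to VLAN B" evidence into a repeatable check against the port policy described above (allow 88 and 500 plus DNS, deny 135-139, 445 and 3389), as an added example that is not part of the original thread. The scan lines are constructed in the style of nmap's grepable (-oG) output, and the hosts, addresses and the LDAP port flagged as unexpected are made-up assumptions.

```python
"""Check cross-VLAN scan output against a port policy.
Added example, not from the thread; scan lines are constructed in the style
of nmap's grepable (-oG) output, hosts and addresses are made up."""

import re

# Ports the thread expects to be reachable from the CDE toward the DCs.
ALLOWED_PORTS = {53, 88, 500}
# Ports the thread says must be denied to/from the DCs.
FORBIDDEN_PORTS = set(range(135, 140)) | {445, 3389}

HOST_RE = re.compile(r"Host:\s+(\S+)")
PORT_RE = re.compile(r"(\d+)/(open|closed|filtered|open\|filtered)/(tcp|udp)")


def parse_grepable(lines):
    """Yield (host, port, proto, state) from 'Host: ... Ports: ...' lines."""
    for line in lines:
        if "Ports:" not in line:
            continue  # comment or status line, not a host record
        host = HOST_RE.search(line)
        if host is None:
            continue
        for port, state, proto in PORT_RE.findall(line):
            yield host.group(1), int(port), proto, state


def evaluate(lines, allowed=ALLOWED_PORTS, forbidden=FORBIDDEN_PORTS):
    """Return (severity, host, port, proto) for every open port that is
    forbidden ('violation') or simply not in the allow-list ('unexpected')."""
    findings = []
    for host, port, proto, state in parse_grepable(lines):
        if state != "open":
            continue  # closed or filtered is the desired result
        if port in forbidden:
            findings.append(("violation", host, port, proto))
        elif port not in allowed:
            findings.append(("unexpected", host, port, proto))
    return findings


# Constructed scan run from a CDE host toward the corporate server VLAN.
SAMPLE_SCAN = [
    "# Nmap grepable output (constructed)",
    "Host: 10.20.0.10 (dc01.example.test)\tPorts: 88/open/tcp//kerberos-sec///, "
    "135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///, "
    "3389/filtered/tcp//ms-wbt-server///",
    "Host: 10.20.0.11 (dc02.example.test)\tPorts: 88/open/tcp//kerberos-sec///, "
    "500/open/udp//isakmp///, 389/open/tcp//ldap///",
]

if __name__ == "__main__":
    for severity, host, port, proto in evaluate(SAMPLE_SCAN):
        print(f"{severity}: {host} {port}/{proto}")
```

A "violation" is a port the policy explicitly denies still being reachable; an "unexpected" finding is one the allow-list does not cover and that the QSA will want explained or closed.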
