• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 639
  • Last Modified:

Is PCI DSS compliance applicable to site to site VPN

I'm looking for a PCI DSS compliance doc that specifies what are the scope & areas the compliance covers.

Is PCI DSS compliance applicable to site to site VPN?  If so, did it say it must use SHA2 & not SHA1 by a certain date?
If we can't get SHA2 working, is there a workaround?
0
sunhux
Asked:
sunhux
  • 2
  • 2
2 Solutions
 
btanExec ConsultantCommented:
The PCI DSS in using VPN will be applicable if there is card details traversing from site to site - you should review the scope of PCI on the existence of CD. VPN is just a mean to secure the channel CD is transacting through the source and destination. There is no specific to say SHA2 is a must but is recommended as SHA 2 is already advised as compared to SHA 1 which is susceptible to collision attacks - SHA 3 is already identified as well but most will still go for SHA 2 to increase security posture.

But you can consider the below sharing
Key Takeaways
•NIST deprecated SHA-1 during 2011-2013, because SHA-1 is susceptible to collision attacks.
•Google, Microsoft, and Mozilla no longer accept SHA-1 certificates as secure if they expire on or after January 1, 2017.
https://www.venafi.com/blog/post/still-using-sha-1-its-time-to-switch/

If SHA 2 is not possible due to business running (e.g. need to replace server or huge migration of system etc), mitigation measure will be based on your risk assessment - ask yourself (a) what is the impact if the integrity of the CD cannot be tampered - assuming SHA 1 is still available - and (b) what is the exposure for unauthorized tamper of the CD.If the risk level is high then you need to review the design to CD are of existence and bring it out of scope or less exposed to public access or segregate to specific authorized and watched over continuously for any anomalous activities by Ops tm.

Minimally it wil be a risk measured approach but you still need to have the remediation  put in long term plan. Best practices using the SANS Critical 20 controls can be some mitigation measure to reduce the exposure.
0
 
sunhuxAuthor Commented:
Thanks very much.

If our site to site vpn currently uses self-signed certs (not a cert from a CA), does it hv any bearing on SHA1 being deprecated?  Or as long as we use an MS product (eg Outlook or IE) at both sites, we will be affected?  But the 2 sites' vpn are Checkpoint n Watchguard which dont deprecate SHA1?  Hope I am not saying no-sense

Secondly as site to site vpn is for encryption n protection against MITMA, does collision attacks weaken the encryption or the mitigation against MITMA?
0
 
sunhuxAuthor Commented:
Typo correction, should read:
 But the 2 sites' vpn endpoints  are created between Checkpoint n Watchguard ...
0
 
btanExec ConsultantCommented:
Sha1 is based on the hash algorithm supported and chosen in your cert generation. It has no bearing on whether it is self signed or CA that is of certain provider. Your CSR or generation of the cert need to already state those algorithm.. Check for their default crypto hash algorithm from the vendors.

If there is means to spoof a real cert with a fake cert that is fradulent, the client will trust the fraud server or Mitm server and transact as if it is the real server..so collasion attack does matter. Mitm is not about just hijacking session but as long as the real server identity can be spoofed, the transaction will be compromised.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Worried about phishing attacks?

90% of attacks start with a phish. It’s critical that IT admins and MSSPs have the right security in place to protect their end users from these phishing attacks. Check out our latest feature brief for tips and tricks to keep your employees off a hackers line!

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now