Solved

Is PCI DSS compliance applicable to site to site VPN

Posted on 2016-07-26
4
219 Views
Last Modified: 2016-08-01
I'm looking for a PCI DSS compliance doc that specifies what are the scope & areas the compliance covers.

Is PCI DSS compliance applicable to site to site VPN?  If so, did it say it must use SHA2 & not SHA1 by a certain date?
If we can't get SHA2 working, is there a workaround?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 41730725
The PCI DSS in using VPN will be applicable if there is card details traversing from site to site - you should review the scope of PCI on the existence of CD. VPN is just a mean to secure the channel CD is transacting through the source and destination. There is no specific to say SHA2 is a must but is recommended as SHA 2 is already advised as compared to SHA 1 which is susceptible to collision attacks - SHA 3 is already identified as well but most will still go for SHA 2 to increase security posture.

But you can consider the below sharing
Key Takeaways
•NIST deprecated SHA-1 during 2011-2013, because SHA-1 is susceptible to collision attacks.
•Google, Microsoft, and Mozilla no longer accept SHA-1 certificates as secure if they expire on or after January 1, 2017.
https://www.venafi.com/blog/post/still-using-sha-1-its-time-to-switch/

If SHA 2 is not possible due to business running (e.g. need to replace server or huge migration of system etc), mitigation measure will be based on your risk assessment - ask yourself (a) what is the impact if the integrity of the CD cannot be tampered - assuming SHA 1 is still available - and (b) what is the exposure for unauthorized tamper of the CD.If the risk level is high then you need to review the design to CD are of existence and bring it out of scope or less exposed to public access or segregate to specific authorized and watched over continuously for any anomalous activities by Ops tm.

Minimally it wil be a risk measured approach but you still need to have the remediation  put in long term plan. Best practices using the SANS Critical 20 controls can be some mitigation measure to reduce the exposure.
0
 

Author Comment

by:sunhux
ID: 41730989
Thanks very much.

If our site to site vpn currently uses self-signed certs (not a cert from a CA), does it hv any bearing on SHA1 being deprecated?  Or as long as we use an MS product (eg Outlook or IE) at both sites, we will be affected?  But the 2 sites' vpn are Checkpoint n Watchguard which dont deprecate SHA1?  Hope I am not saying no-sense

Secondly as site to site vpn is for encryption n protection against MITMA, does collision attacks weaken the encryption or the mitigation against MITMA?
0
 

Author Comment

by:sunhux
ID: 41730991
Typo correction, should read:
 But the 2 sites' vpn endpoints  are created between Checkpoint n Watchguard ...
0
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 41730995
Sha1 is based on the hash algorithm supported and chosen in your cert generation. It has no bearing on whether it is self signed or CA that is of certain provider. Your CSR or generation of the cert need to already state those algorithm.. Check for their default crypto hash algorithm from the vendors.

If there is means to spoof a real cert with a fake cert that is fradulent, the client will trust the fraud server or Mitm server and transact as if it is the real server..so collasion attack does matter. Mitm is not about just hijacking session but as long as the real server identity can be spoofed, the transaction will be compromised.
0

Featured Post

Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
There is a lot to be said for protecting yourself and your accounts with 2 factor authentication.  I found to my own chagrin, that there is a big downside as well.
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Email security requires an ever evolving service that stays up to date with counter-evolving threats. The Email Laundry perform Research and Development to ensure their email security service evolves faster than cyber criminals. We apply our Threat…

718 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question