Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Is PCI DSS compliance applicable to site to site VPN

Posted on 2016-07-26
4
Medium Priority
?
359 Views
Last Modified: 2016-08-01
I'm looking for a PCI DSS compliance doc that specifies what are the scope & areas the compliance covers.

Is PCI DSS compliance applicable to site to site VPN?  If so, did it say it must use SHA2 & not SHA1 by a certain date?
If we can't get SHA2 working, is there a workaround?
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41730725
The PCI DSS in using VPN will be applicable if there is card details traversing from site to site - you should review the scope of PCI on the existence of CD. VPN is just a mean to secure the channel CD is transacting through the source and destination. There is no specific to say SHA2 is a must but is recommended as SHA 2 is already advised as compared to SHA 1 which is susceptible to collision attacks - SHA 3 is already identified as well but most will still go for SHA 2 to increase security posture.

But you can consider the below sharing
Key Takeaways
•NIST deprecated SHA-1 during 2011-2013, because SHA-1 is susceptible to collision attacks.
•Google, Microsoft, and Mozilla no longer accept SHA-1 certificates as secure if they expire on or after January 1, 2017.
https://www.venafi.com/blog/post/still-using-sha-1-its-time-to-switch/

If SHA 2 is not possible due to business running (e.g. need to replace server or huge migration of system etc), mitigation measure will be based on your risk assessment - ask yourself (a) what is the impact if the integrity of the CD cannot be tampered - assuming SHA 1 is still available - and (b) what is the exposure for unauthorized tamper of the CD.If the risk level is high then you need to review the design to CD are of existence and bring it out of scope or less exposed to public access or segregate to specific authorized and watched over continuously for any anomalous activities by Ops tm.

Minimally it wil be a risk measured approach but you still need to have the remediation  put in long term plan. Best practices using the SANS Critical 20 controls can be some mitigation measure to reduce the exposure.
0
 

Author Comment

by:sunhux
ID: 41730989
Thanks very much.

If our site to site vpn currently uses self-signed certs (not a cert from a CA), does it hv any bearing on SHA1 being deprecated?  Or as long as we use an MS product (eg Outlook or IE) at both sites, we will be affected?  But the 2 sites' vpn are Checkpoint n Watchguard which dont deprecate SHA1?  Hope I am not saying no-sense

Secondly as site to site vpn is for encryption n protection against MITMA, does collision attacks weaken the encryption or the mitigation against MITMA?
0
 

Author Comment

by:sunhux
ID: 41730991
Typo correction, should read:
 But the 2 sites' vpn endpoints  are created between Checkpoint n Watchguard ...
0
 
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 41730995
Sha1 is based on the hash algorithm supported and chosen in your cert generation. It has no bearing on whether it is self signed or CA that is of certain provider. Your CSR or generation of the cert need to already state those algorithm.. Check for their default crypto hash algorithm from the vendors.

If there is means to spoof a real cert with a fake cert that is fradulent, the client will trust the fraud server or Mitm server and transact as if it is the real server..so collasion attack does matter. Mitm is not about just hijacking session but as long as the real server identity can be spoofed, the transaction will be compromised.
0

Featured Post

Q2 2017 - Latest Malware & Internet Attacks

WatchGuard’s Threat Lab is a group of dedicated threat researchers committed to helping you stay ahead of the bad guys by providing in-depth analysis of the top security threats to your network.  Check out our latest Quarterly Internet Security Report!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What monsters are hiding in your child's room? In this article I will share with you a tech horror story that could happen to anyone, along with some tips on how you can prevent it from happening to you.
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question