Solved

Is PCI DSS compliance applicable to site to site VPN

Posted on 2016-07-26
Medium Priority
281 Views
Last Modified: 2016-08-01
I'm looking for a PCI DSS compliance doc that specifies the scope & areas the compliance covers.

Is PCI DSS compliance applicable to site to site VPN? If so, did it say it must use SHA2 & not SHA1 by a certain date?
If we can't get SHA2 working, is there a workaround?
Question by:sunhux
4 Comments
LVL 64

Accepted Solution

by:
btan earned 2000 total points
ID: 41730725
The PCI DSS in using VPN will be applicable if there are card details traversing from site to site - you should review the scope of PCI on the existence of CD. VPN is just a means to secure the channel the CD is transacting through between the source and destination. There is nothing specific to say SHA2 is a must, but it is recommended, as SHA 2 is already advised as compared to SHA 1, which is susceptible to collision attacks - SHA 3 is already identified as well, but most will still go for SHA 2 to increase security posture.

But you can consider the below sharing:
Key Takeaways
• NIST deprecated SHA-1 during 2011-2013, because SHA-1 is susceptible to collision attacks.
• Google, Microsoft, and Mozilla no longer accept SHA-1 certificates as secure if they expire on or after January 1, 2017.
https://www.venafi.com/blog/post/still-using-sha-1-its-time-to-switch/

If SHA 2 is not possible due to business running (e.g. need to replace server or huge migration of system etc.), the mitigation measure will be based on your risk assessment - ask yourself (a) what is the impact if the integrity of the CD cannot be tampered - assuming SHA 1 is still available - and (b) what is the exposure for unauthorized tamper of the CD. If the risk level is high then you need to review the design of where the CD are in existence and bring it out of scope, or make it less exposed to public access, or segregate it to specific authorized users and watch over it continuously for any anomalous activities by the Ops team.

Minimally it will be a risk-measured approach, but you still need to have the remediation put in a long-term plan. Best practices using the SANS Critical 20 controls can be some mitigation measure to reduce the exposure.

Author Comment

by:sunhux
ID: 41730989
Thanks very much.

If our site to site VPN currently uses self-signed certs (not a cert from a CA), does it have any bearing on SHA1 being deprecated? Or as long as we use an MS product (e.g. Outlook or IE) at both sites, we will be affected? But the 2 sites' VPN are Checkpoint and Watchguard which don't deprecate SHA1? Hope I am not saying nonsense.

Secondly, as site to site VPN is for encryption and protection against MITMA, do collision attacks weaken the encryption or the mitigation against MITMA?

Author Comment

by:sunhux
ID: 41730991
Typo correction, should read:
But the 2 sites' VPN endpoints are created between Checkpoint and Watchguard ...
 
LVL 64

Assisted Solution

by:btan
btan earned 2000 total points
ID: 41730995
SHA1 is based on the hash algorithm supported and chosen in your cert generation. It has no bearing on whether it is self-signed or from a CA of a certain provider. Your CSR or generation of the cert needs to already state those algorithms. Check for their default crypto hash algorithm from the vendors.

If there is a means to spoof a real cert with a fake cert that is fraudulent, the client will trust the fraud server or MITM server and transact as if it is the real server, so a collision attack does matter. MITM is not just about hijacking a session: as long as the real server identity can be spoofed, the transaction will be compromised.
0
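An added check (not from this thread, plain Python standard library) for the point both answers make: the hash is fixed when the certificate is generated, so the first thing to verify on each VPN endpoint is which signature algorithm its certificate actually carries. The script reads the signatureAlgorithm OID from a DER-encoded X.509 certificate and flags SHA-1 signatures; the two sample certificates are constructed skeletons (empty tbsCertificate), not real certificates.

```python
# Added example: identify the signature hash of a DER X.509 certificate
# using only the standard library. Sample certs below are constructed skeletons.
SHA1_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "1.2.840.10045.4.1": "ecdsa-with-SHA1"}
SHA2_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
             "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: N length bytes follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)      # base-128, high bit = continuation
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert_der):
    """OID of the outer signatureAlgorithm field of a DER Certificate."""
    tag, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = read_tlv(cert, 0)          # skip tbsCertificate
    _, algid, _ = read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = read_tlv(algid, 0)       # first element is the OID
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid)

def classify(cert_der):
    """'sha1' (deprecated), 'sha2' or 'unknown' for the signature hash."""
    oid = signature_algorithm(cert_der)
    return "sha1" if oid in SHA1_OIDS else "sha2" if oid in SHA2_OIDS else "unknown"

def der(tag, value):                       # tiny encoder for the constructed samples
    return bytes([tag, len(value)]) + value

def fake_cert(oid_hex):
    """Constructed skeleton: empty tbsCertificate, AlgorithmIdentifier, empty sig."""
    algid = der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + algid + der(0x03, b"\x00"))

SHA1_SAMPLE = fake_cert("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_SAMPLE = fake_cert("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

Export each endpoint's certificate in DER form and pass its bytes to classify(); a certificate issued from a CSR signed with SHA-256 reports sha2, regardless of whether it is self-signed or CA-issued.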
