Solved

Is PCI DSS compliance applicable to site to site VPN

Posted on 2016-07-26
Last Modified: 2016-08-01
I'm looking for a PCI DSS compliance doc that specifies the scope & areas the compliance covers.

Is PCI DSS compliance applicable to site to site VPN? If so, does it say it must use SHA2 & not SHA1 by a certain date?
If we can't get SHA2 working, is there a workaround?
Question by:sunhux
4 Comments
 
Accepted Solution

by: btan (earned 500 total points)
PCI DSS will apply to the VPN if there are card details traversing from site to site - you should review the scope of PCI based on the existence of CD. The VPN is just a means to secure the channel CD is transacting through between the source and destination. There is nothing specific to say SHA2 is a must, but it is recommended, as SHA 2 is already advised as compared to SHA 1, which is susceptible to collision attacks - SHA 3 is already identified as well, but most will still go for SHA 2 to increase security posture.

But you can consider the sharing below:

Key Takeaways
• NIST deprecated SHA-1 during 2011-2013, because SHA-1 is susceptible to collision attacks.
• Google, Microsoft, and Mozilla no longer accept SHA-1 certificates as secure if they expire on or after January 1, 2017.

https://www.venafi.com/blog/post/still-using-sha-1-its-time-to-switch/

If SHA 2 is not possible due to business running (e.g. need to replace server or huge migration of system etc), the mitigation measure will be based on your risk assessment - ask yourself (a) what is the impact if the integrity of the CD cannot be tampered - assuming SHA 1 is still available - and (b) what is the exposure for unauthorized tampering of the CD. If the risk level is high then you need to review the design to CD are of existence and bring it out of scope or less exposed to public access or segregate to specific authorized and watched over continuously for any anomalous activities by Ops team.

Minimally it will be a risk-measured approach, but you still need to have the remediation put in the long-term plan. Best practices using the SANS Critical 20 controls can be some mitigation measures to reduce the exposure.

Author Comment

by: sunhux
Thanks very much.

If our site to site VPN currently uses self-signed certs (not a cert from a CA), does it have any bearing on SHA1 being deprecated? Or as long as we use an MS product (e.g. Outlook or IE) at both sites, we will be affected? But the 2 sites' VPNs are Checkpoint and Watchguard, which don't deprecate SHA1? Hope I am not talking nonsense.

Secondly, as site to site VPN is for encryption and protection against MITMA, do collision attacks weaken the encryption or the mitigation against MITMA?

Author Comment

by: sunhux
Typo correction, should read:
But the 2 sites' VPN endpoints are created between Checkpoint and Watchguard ...

Assisted Solution

by: btan (earned 500 total points)
SHA1 is based on the hash algorithm supported and chosen in your cert generation. It has no bearing on whether it is self-signed or from a CA of a certain provider. Your CSR or generation of the cert needs to already state those algorithms. Check for their default crypto hash algorithm from the vendors.

If there is a means to spoof a real cert with a fake cert that is fraudulent, the client will trust the fraud server or MITM server and transact as if it is the real server, so collision attack does matter. MITM is not just about hijacking a session; as long as the real server identity can be spoofed, the transaction will be compromised.
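
One way to check the point above on your own gateways, as an added example that is not part of the original thread: export each VPN peer certificate as PEM and read its signature algorithm, which is independent of whether the certificate is self-signed. It assumes the `openssl` command-line tool is installed; the function names, the `WEAK`/`OK`/`REVIEW` labels and the `vpn-gw.example.test` name are made up for this example.

```shell
#!/bin/sh
# Added example: report which hash signs a VPN peer certificate (PEM file).
# Function names and the WEAK/OK/REVIEW labels are this example's own.

# Print the signature algorithm recorded in the certificate.
sig_alg_of() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Classify an algorithm name as printed by openssl.
classify_sig_alg() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *md5*|*sha1*) echo "WEAK" ;;
        *sha224*|*sha256*|*sha384*|*sha512*|*sha3-*) echo "OK" ;;
        *) echo "REVIEW" ;;   # e.g. RSA-PSS or Ed25519: inspect by hand
    esac
}

# A certificate is self-signed when subject and issuer hash to the same value.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# One line per certificate: verdict, algorithm, issuance type.
audit_cert() {
    alg=$(sig_alg_of "$1") || return 2
    [ -n "$alg" ] || return 2
    if is_self_signed "$1"; then kind="self-signed"; else kind="CA-issued"; fi
    echo "$(classify_sig_alg "$alg") $alg $kind"
}

# Constructed test input: two throwaway self-signed certs that differ only in
# the digest chosen at generation time. Hardened OpenSSL builds may refuse SHA-1.
demo() {
    tmp=$(mktemp -d) || return 1
    for h in sha1 sha256; do
        openssl req -x509 -newkey rsa:2048 -nodes "-$h" -days 1 \
            -subj "/CN=vpn-gw.example.test" \
            -keyout "$tmp/$h.key" -out "$tmp/$h.pem" 2>/dev/null &&
            audit_cert "$tmp/$h.pem"
    done
    rm -rf "$tmp"
}

# Audit each PEM file given on the command line; with no arguments do nothing.
for cert in "$@"; do audit_cert "$cert"; done
```

Run it as `sh script.sh peer-a.pem peer-b.pem`, or source it and call `demo` to see the same self-signed certificate reported once as `WEAK` and once as `OK`.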