Self-Defending Network Support For PCI: BRKSEC-2008
BRKSEC-2008
14327_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
Agenda
Session Objectives
Compliance and PCI Overview
Applying the Network toward PCI Compliance
Key Takeaways
Q and A
PCI Defined and Updates
Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Merchant%20Level#anchor_2
Source: http://www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm
Service Providers, Level 2: Any Service Provider that Is Not in Level 1 and Stores, Processes, or Transmits More than 1,000,000 Visa Accounts/Transactions Annually
Validation: Annual Onsite PCI Data Security Assessment; Quarterly Network Scan
Source: VISA http://usa.visa.com/merchants/risk_management/cisp_service_providers.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Service%20Provider%20Level#anchor_3
Maintain an Information Security Policy: 12. Maintain a policy that addresses information security
Validated Design
Small Retail Store PCI Audit Partner:
[Diagram: PCI Solution overview: Store, Backup, Internet Edge, Network Edge Routers; external parties: Customers, e-Commerce, Teleworker, Partners, Employees]
[Diagram: store network: MARS, ACS and Centralized Management Servers; Cisco 802.11AG WLAN Access Point; PoS VLAN/WVLAN with Mobile POS, POS Cash Register and POS Server running CSA; Store Data VLAN/WVLAN with Worker PC and Inventory Management]
[Diagram: store network with Primary and Alternate WAN Connections to MARS, ACS, Security Manager and Centralized Management Servers; PoS VLAN/WVLAN with Mobile POS, POS and POS Server running CSA; Store Data VLAN and WVLAN with Worker PC and Inventory Management; Vendor/Guest WVLAN with Personal Shopper/Customer Service PDA and Vendor Device for Inventory Management]
[Diagram: PCI solution component map. Store: Mobile POS, POS, Cash Register, POS Server with CSA, WAP, ISR, Switch. WAN. Data center/edge: 7300, ASA, Catalyst 6500 Switch, Cisco IPS, NAC (NCM/CAS), IronPort, ACS, CSM, CS-MARS]
PCI Requirement 1
Install and Maintain a Firewall Configuration
to Protect Data
Configuration standards, documentation
Segment card holder data from all other data
FW to public connections (Inbound and Outbound)
Wireless
Personal Firewall
CSM Firewall Configuration (For Your Reference)
PCI Requirement 2
Do Not Use Vendor-Supplied Defaults for System
Passwords and Other Security Parameters
Change vendor supplied defaults
Wireless: Change wireless vendor defaults, disable
SSID broadcasts, use WPA/WPA2
Configuration standards for all system components
Implement one primary function per server
Disable all unnecessary and insecure services
and protocols
[Diagram: PCI solution component map (same component set as the diagram above, including ASA 7200/7300)]
PCI Requirement 3
Protect Stored Data
Keep cardholder data storage to a minimum
Do not store the full contents of any track from the magnetic
stripe (also called full track, track, track1, track 2 and
magnetic stripe data), card-validation code or value, PIN
Mask PAN when displayed, and render it unreadable when
stored (hashed indexes, truncation, index tokens and pads,
strong cryptography), disk encryption
Document and implement key management processes
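The storage rules above (mask the PAN on display, truncate or hash it at rest, never store full track data) are easy to state and easy to get wrong in code. The following is an added example, not part of the BRKSEC-2008 deck and not Cisco code: it applies the first-six/last-four display rule (an assumed reading of the PCI masking requirement, not stated on the slide), truncates to the last four for storage, builds a keyed hash index with HMAC-SHA256, and runs a pre-storage guard that refuses records still carrying a full PAN. The PAN, the key and the record fields are constructed test values.

```python
"""PAN handling for PCI DSS Requirement 3: mask for display, render unreadable for storage.
Added example; the PAN, key and field names are constructed, not from the deck."""
import hashlib
import hmac
import re

# Constructed sample: a well-known Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"
# Constructed key. In a real deployment this comes from the documented key-management
# process that Requirement 3 also demands; it must never sit next to the data it protects.
SAMPLE_KEY = b"constructed-demo-key-do-not-use"

# Anything that looks like a 13-19 digit run is a candidate full PAN.
FULL_PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check, so that random digit runs are not flagged and typos are caught early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits visible (assumed rule)."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("not a PAN")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the card only needs to be recognised by a cashier: last four only."""
    return pan[-4:]


def hashed_index(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) usable as a lookup index.
    A plain unsalted SHA-256 of a 16-digit PAN is not 'unreadable': the Luhn-valid
    keyspace per BIN is small enough to enumerate, so the secret key is what makes
    the index safe to store."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def record_for_storage(pan: str, key: bytes, amount_cents: int) -> dict:
    """Build a transaction record that never carries the full PAN."""
    if not luhn_valid(pan):
        raise ValueError("Luhn check failed")
    return {
        "pan_last4": truncate_pan(pan),
        "pan_index": hashed_index(pan, key),
        "amount_cents": amount_cents,
    }


def contains_full_pan(record: dict) -> bool:
    """Pre-storage guard: true if any string field still holds a Luhn-valid full PAN
    (for example a free-text note that a clerk pasted the card number into)."""
    for value in record.values():
        if isinstance(value, str):
            for candidate in FULL_PAN_RE.findall(value):
                if luhn_valid(candidate):
                    return True
    return False


if __name__ == "__main__":
    print("display:", mask_pan(SAMPLE_PAN))
    rec = record_for_storage(SAMPLE_PAN, SAMPLE_KEY, 1999)
    print("stored :", rec)
    print("guard  :", contains_full_pan(rec))
```

The guard is deliberately run on the whole record rather than on the PAN field alone, because the full PAN usually leaks through a field nobody thought of (notes, log lines, error messages) rather than through the column that was designed for it.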
[Diagram: PCI solution component map (same component set as the diagram above)]
CSA Action Rule (For Your Reference)
[Diagram: PCI solution component map (same component set as the diagram above)]
WAN and Multicast: tunnel-based versus tunnel-less encryption
Tunnel-based (limitations):
Scalability is an issue (N^2 problem)
Overlay routing
Any-to-any instant connectivity cannot be done to scale
Limited advanced QoS
Multicast replication inefficient
Tunnel-less (benefits):
Data is encrypted without need for tunnel overlay; scalable any-to-any
Routing/multicast/QoS integration is optimal; native routing
Encryption can be managed by either subscribers or service providers
Customized, per-application encryption
Cisco Wireless Configuration (For Your Reference)
[Diagram: PCI solution component map (same component set as the diagram above)]
Adding NAC A/V Rule (For Your Reference)
IronPort: McAfee Anti-Virus Signatures; Sophos Anti-Virus Signatures; Virus Outbreak Filters
PCI Requirement 6
Develop and Maintain Secure Systems and Applications
Systems and software have latest vendor-supplied security
patches installed; install relevant security patches within one
month of release
Establish process to identify new security vulnerabilities (subscribe
to alert services, etc.)
Develop SW applications based on industry best practices and
incorporate security throughout SW development lifecycle
Develop web application based on secure coding guidelines such
as the Open Web Application Security Project
Web-facing applications are protected against known attacks
by installing an application layer firewall in front of web-facing
applications, or by having application code reviewed by a specialized
application security organization
[Diagram: PCI solution component map (same component set as the diagram above)]
OWASP’s 2007 Top Ten (For Your Reference)
PCI Requirement 7
Restrict Access to Cardholder Data
by Business Need-to-Know
Limit access to computing resources and cardholder
information only to those individuals whose job requires
such access
Establish a mechanism for systems with multiple users that
restricts access based on a user’s need to know and is set
to “deny all” unless specifically allowed
[Diagram: PCI solution component map (same component set as the diagram above)]
CSA Action Rule (For Your Reference)
CSA Manager Event Log (For Your Reference)
[Diagram: PCI solution component map (same component set as the diagram above)]
Administration Accounts
Cisco ACS (For Your Reference)
Cisco ACS (For Your Reference)
PCI Requirement 10
Track and Monitor All Access to Network Resources
and Cardholder Data
Implement automated audit trails
Record audit trail entries
Secure audit trails so they cannot be altered
Review logs for all system components
at least daily
Destroy media when it is no longer needed
Retain audit trail history for at least
one year, with a minimum of three
months online availability
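"Secure audit trails so they cannot be altered" is the requirement on this slide that a plain log file does not meet: whoever can write the log can rewrite it. The following is an added example, not from the deck and not a Cisco product feature: each audit entry is chained to the previous one by a SHA-256 over its canonical JSON, so that editing, deleting or reordering any entry breaks verification from that point on. The event records and their field names are constructed; they carry the kind of data an audit entry needs (user, event type, timestamp, result, origin, affected resource), which is an assumption about Requirement 10 rather than text from the slide.

```python
"""Tamper-evident audit trail for PCI DSS Requirement 10: hash-chained entries.
Added example; the events, field names and hosts are constructed."""
import hashlib
import json

# Constructed anchor for the first entry; any fixed, published value works.
GENESIS = "0" * 64


def _entry_digest(rec: dict) -> str:
    """SHA-256 over the canonical JSON of the record minus its own hash field.
    sort_keys and fixed separators make the encoding deterministic."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()


def append_entry(chain: list, event: dict) -> dict:
    """Append an event, linking it to the hash of the previous entry."""
    prev = chain[-1]["hash"] if chain else GENESIS
    rec = {"seq": len(chain), "prev": prev, "event": event}
    rec["hash"] = _entry_digest(rec)
    chain.append(rec)
    return rec


def verify_chain(chain: list):
    """Walk the chain from GENESIS. Returns (True, None) when intact, otherwise
    (False, seq) for the first entry whose sequence, back-link or digest is wrong."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec.get("seq") != i or rec.get("prev") != prev:
            return False, i            # deleted, inserted or reordered entry
        if rec.get("hash") != _entry_digest(rec):
            return False, i            # content edited in place
        prev = rec["hash"]
    return True, None


def build_sample_chain() -> list:
    """Three constructed audit events from a store POS server (assumed field names)."""
    events = [
        {"ts": "2008-04-14T09:00:01Z", "user": "pos-admin", "type": "login",
         "result": "success", "src": "10.1.2.3", "target": "pos-server-01"},
        {"ts": "2008-04-14T09:02:17Z", "user": "root", "type": "login",
         "result": "failure", "src": "10.1.9.9", "target": "pos-server-01"},
        {"ts": "2008-04-14T09:05:40Z", "user": "pos-admin", "type": "read",
         "result": "success", "src": "10.1.2.3", "target": "cardholder-db"},
    ]
    chain = []
    for event in events:
        append_entry(chain, event)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact:", verify_chain(chain))
    chain[1]["event"]["result"] = "success"      # someone hides a failed root login
    print("after edit:", verify_chain(chain))
```

The chain only proves tampering if the latest hash is held somewhere the log writer cannot rewrite, for instance forwarded to a separate log collector or written to a daily signed checkpoint. With that in place, the daily log review the slide calls for can start with a single `verify_chain` call before anyone reads the content.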
[Diagram: PCI solution component map (same component set as the diagram above)]
CS-MARS for PCI Reporting (For Your Reference)
PCI Requirement 11
Regularly Test Security Systems and Processes
Use a wireless analyzer at least quarterly to identify all
wireless devices in use
Run internal and external network vulnerability scans at least
quarterly and after any significant change in the network
Perform penetration testing at least once a year and after
any significant upgrade or modification
Use NIDS/IPS, HIDS/HIPS
Deploy file integrity monitoring software to perform critical
file comparisons at least weekly
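The last item on this slide, weekly critical-file comparison, is the simplest of the Requirement 11 controls to show in code. The following is an added example, not from the deck and not any vendor's file integrity product: it records a SHA-256 baseline of a file set, compares a later snapshot against it and reports files added, removed or modified. The file names and contents are constructed; `baseline_from_dir` walks a real directory with the same logic but is not needed for the in-memory sample.

```python
"""File integrity monitoring for PCI DSS Requirement 11: baseline and weekly compare.
Added example; file names and contents are constructed."""
import hashlib
from pathlib import Path


def digest_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def baseline_from_files(files: dict) -> dict:
    """files: {relative_path: content bytes} -> {relative_path: sha256 hex}."""
    return {path: digest_bytes(content) for path, content in files.items()}


def baseline_from_dir(root) -> dict:
    """Same mapping built from a real directory tree (not exercised by the sample)."""
    root = Path(root)
    return {str(p.relative_to(root)): digest_bytes(p.read_bytes())
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Report added, removed and modified paths between two baselines."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def has_changes(report: dict) -> bool:
    return any(report.values())


# Constructed sample: a POS server's critical files at baseline time ...
BASELINE_FILES = {
    "bin/posd": b"ELF...posd v1.2",
    "etc/posd.conf": b"listen=127.0.0.1:9000\nlog=/var/log/posd.log\n",
    "etc/ssl/server.pem": b"-----BEGIN CERTIFICATE-----\n...",
}
# ... and one week later: the daemon now listens on every interface and a new
# binary has appeared next to it. Both should surface in the weekly report.
CURRENT_FILES = {
    "bin/posd": b"ELF...posd v1.2",
    "etc/posd.conf": b"listen=0.0.0.0:9000\nlog=/var/log/posd.log\n",
    "etc/ssl/server.pem": b"-----BEGIN CERTIFICATE-----\n...",
    "bin/unexpected": b"new binary not in the baseline",
}


def weekly_check() -> dict:
    """Compare the constructed 'now' snapshot against the constructed baseline."""
    return compare(baseline_from_files(BASELINE_FILES),
                   baseline_from_files(CURRENT_FILES))


if __name__ == "__main__":
    report = weekly_check()
    print(report)
    print("alert" if has_changes(report) else "clean")
```

Two things the comparison does not do on its own: the baseline must live somewhere the monitored host cannot write (otherwise an attacker simply rebaselines), and every legitimate patch under Requirement 6 has to be followed by an approved rebaseline, or the weekly report fills with expected noise and real changes stop being read.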
[Diagram: PCI solution component map (same component set as the diagram above)]
[Diagram: PCI solution component map (same component set as the diagram above, without IronPort; IPS shown alongside the WAP)]
Wireless Controller Configuration (For Your Reference)
Untrusted AP Policy
Rogue Location Discovery Protocol: Disabled
RLDP Action: Alarm Only
Rogue APs
Rogue APs advertising my SSID: Alarm Only
Detect and report Ad-Hoc Networks: Enabled
[Diagram: PCI solution component map (same component set as the diagram above)]
Benefit
Enables delegation of administrator tasks to multiple operators
Provides appropriate separation of ownership and controls
[Diagram label: Home Office]
[Diagram: end-to-end PCI solution map. Store: POS, Mobile POS Terminal, POS Server, Security Management, CSA, WAP, ISR, Switch, Store Worker PC, Wireless Storage Device. E-commerce: AXG, Credit Card. Data Center: ASA 5500, 7300 Router, ASA, Catalyst 6500 Switch, Cisco IPS, NAC (NCM/CAS), IronPort, CS-MARS. WAN. Each component is annotated with the PCI requirement numbers it addresses (numeric callouts not recoverable from the slide text).]
Requirement 1 Requirement 4 Requirement 7 Requirement 10
Requirement 2 Requirement 5 Requirement 8 Requirement 11
Requirement 3 Requirement 6 Requirement 9 Requirement 12
[Table: PCI requirements mapped to products: ISR, ASA, CSA, MARS, WLAN, IPS, NAC, 6500, IronPort, ACE XML, CSM, NCM, ACS (column headers only; the cell contents did not survive extraction)]
Summary
More Information
Q and A