PCI Compliance in a data center
Last Post: April 29, 2011:
I didn't know where to put this question, so I'm using the CWSP forums, although I do not think the CWSP cert discusses PCI-Compliance in a Data center.
I was under the assumption as long as you are using WPA2-enterprise with a WIDS/WIPS solution, and ensuring proper physical security of the devices, that there should be no security issues.
Does anyone have any experience implementing a WLAN in a data center that meets PCI compliance? Our security team has just informed us that WLANs in a data center are against PCI compliance; that's why I am bringing up this point.
Any feedback on this matter would be appreciated.
The short answer is yes you can.
Many vendors have guides to do just this, depending on your specific requirements.
wIPS is beneficial, as would be rogue detection; creation of a specific policy and auditing are also important.
If you have a vendor in mind, check their site, but you may wish to start here
Thanks for the info Pete. That document reinforces the points made in the CWSP study guide.
What this document tells me is that the PCI standards must be applied in every CDE. However, this document and the CWSP guide do not specify [b]what a CDE could be[/b].
The examples from the PCI Standards document convey the idea that the CDE exists only in a retail / Point of Sale environment. There is no mention of Data Centers, and since many retailers with multiple chains process their credit card info at a data center, I'm under the assumption that data centers would fall under the category of CDE?
My personal view is that if it is not firewalled off and you use it for credit card transactions, the WLAN must comply. Simply firewalling the WLAN off would be OK; however, you would not then use it for credit card transactions.
However, there are some very good reasons behind PCI compliance that would be good practice in any WLAN environment. Also remember that even if you do not have a WLAN in your CDE you still need to scan regularly for rogue access points etc. That could form part of the PCI implementation.
Generally I would agree that the data centre is part of the CDE, as you would store, process, etc. card transactions there and it is connected to the same wired network as the POS etc.
Yep, I agree with Pete. As far as PCI-DSS is concerned, any system that handles, transmits, or stores cardholder data is considered within scope. This includes the WLAN and segments of the data centre.
That is why it is important to use stateful firewalls to segment off those parts of your network that never touch card holder data. Effectively firewalling them off takes them out of scope. So, if you have nothing on your WLAN that plays in the CDE then you should do what you can to segment it off and save yourself a lot of work.
That being said, Pete is also correct that you will still need to do wireless scans or have a WIPS in place to actually be able to prove compliance.
At least one document on the PCI site that Pete mentions has a definition of what the CDE really is.
Many people are confused and think wireless is totally forbidden under the PCI requirements. It is not.
All in all I think the PCI standards are too weak (a little wishy-washy in places), but they do seem to be trying to improve.
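Both Pete and Wlanman make the point that a WLAN kept out of the CDE by a firewall still has to be scanned for rogue access points before anyone can claim compliance. The following is an added example, not code from this thread or from any vendor's wIPS, of the simplest form of that check: parse a survey in the layout `iw dev wlan0 scan` prints, compare every BSS against an inventory of the radios the WLAN team actually deployed, and classify whatever is left over. The scan text, the `AUTHORIZED` inventory, `CORP_SSIDS` and the -65 dBm "probably on-premises" threshold are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed scan text in the layout `iw dev wlan0 scan` prints; not captured from any real site.
SAMPLE_SCAN = """\
BSS 34:2c:c4:aa:bb:01(on wlan0) -- associated
\tcapability: ESS Privacy (0x0011)
\tsignal: -44.00 dBm
\tSSID: CORP-SECURE
\tRSN:\t * Version: 1
\t\t * Authentication suites: IEEE 802.1X
BSS 34:2c:c4:aa:bb:02(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tsignal: -52.00 dBm
\tSSID: CORP-SECURE
\tRSN:\t * Version: 1
\t\t * Authentication suites: IEEE 802.1X
BSS d8:0f:99:12:34:56(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tsignal: -38.00 dBm
\tSSID: CORP-SECURE
\tRSN:\t * Version: 1
\t\t * Authentication suites: PSK
BSS 00:1d:7e:ab:cd:ef(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tsignal: -35.00 dBm
\tSSID: linksys
BSS 9c:3d:cf:00:00:01(on wlan0)
\tcapability: ESS Privacy (0x0011)
\tsignal: -83.00 dBm
\tSSID: CoffeeShop
\tWPA:\t * Version: 1
\t\t * Authentication suites: PSK
"""

# Constructed inventory: the radios the WLAN team deployed, keyed by BSSID, and the SSIDs they serve.
AUTHORIZED = {"34:2c:c4:aa:bb:01": "CORP-SECURE", "34:2c:c4:aa:bb:02": "CORP-SECURE"}
CORP_SSIDS = {"CORP-SECURE"}
ONPREM_DBM = -65.0  # assumption: anything heard this strongly is probably inside the building


@dataclass
class AccessPoint:
    bssid: str
    ssid: str = ""
    signal: float = -100.0
    privacy: bool = False  # Privacy bit in the capability field
    rsn: bool = False      # RSN IE present (WPA2)
    wpa: bool = False      # vendor WPA IE present (WPA1)
    auth: str = ""         # "802.1X" or "PSK" from the authentication suite line

    @property
    def security(self) -> str:
        if self.rsn or self.wpa:
            gen = "WPA2" if self.rsn else "WPA"
            return f"{gen}-{'Enterprise' if self.auth == '802.1X' else 'PSK'}"
        return "WEP" if self.privacy else "Open"  # Privacy bit with no RSN/WPA IE means WEP


def parse_iw_scan(text: str) -> list[AccessPoint]:
    """Turn `iw ... scan` output into AccessPoint records, one per BSS block."""
    aps: list[AccessPoint] = []
    cur = None
    for raw in text.splitlines():
        m = re.match(r"BSS ([0-9a-fA-F:]{17})", raw)
        if m:
            cur = AccessPoint(bssid=m.group(1).lower())
            aps.append(cur)
            continue
        if cur is None:
            continue
        line = raw.strip()
        if line.startswith("signal:"):
            cur.signal = float(line.split()[1])
        elif line.startswith("SSID:"):
            cur.ssid = line[len("SSID:"):].strip()
        elif line.startswith("capability:"):
            cur.privacy = " Privacy" in line
        elif line.startswith("RSN:"):
            cur.rsn = True
        elif line.startswith("WPA:"):
            cur.wpa = True
        elif line.startswith("* Authentication suites:"):
            cur.auth = "802.1X" if "802.1X" in line else "PSK"
    return aps


def classify(ap: AccessPoint) -> str:
    if ap.bssid in AUTHORIZED:
        # Known radio; still flag it if it is beaconing something other than it should.
        return "authorized" if AUTHORIZED[ap.bssid] == ap.ssid else "authorized-wrong-ssid"
    if ap.ssid in CORP_SSIDS:
        return "rogue"        # corporate SSID from an unknown radio: evil twin or unsanctioned AP
    if ap.signal >= ONPREM_DBM:
        return "investigate"  # unknown AP that sounds on-premises; may be plugged into the CDE LAN
    return "neighbor"         # weak and unknown: most likely the building next door


def audit(scan_text: str) -> dict[str, tuple[str, str]]:
    """Map BSSID -> (verdict, security) for every AP in the scan."""
    return {ap.bssid: (classify(ap), ap.security) for ap in parse_iw_scan(scan_text)}


if __name__ == "__main__":
    for bssid, (verdict, sec) in audit(SAMPLE_SCAN).items():
        print(f"{bssid}  {verdict:<22} {sec}")
```

On the sample, the two inventoried radios come back `authorized`, `d8:0f:99:12:34:56` is a `rogue` (it beacons the corporate SSID with PSK authentication from a radio nobody deployed), the strong WEP `linksys` AP is marked `investigate`, and the weak `CoffeeShop` network is a `neighbor`. Signal strength is a crude stand-in for "is it on our premises"; a proper wIPS correlates the radio with the wired side (for instance the AP's MAC appearing in switch forwarding tables on a CDE VLAN), which is what you actually want in order to prove a rogue is, or is not, connected to the cardholder network.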
I agree with Wlanman. Many, many WLAN solutions that I see carved out by institutions as "requirements" are simply not as good as they could be. I do some government work in the UK and they have CESG Manual Y. It simply requires EAP-TLS: no rogue detection, no wIPS etc.
PCI DSS, I feel, is a work in progress. In some areas it's good, in other areas it leaves a little to be desired; however, I can see that it is trying to be all things to all people. If we consider a small shop with a single access point or a restaurant, then 802.1X is probably a stretch. However, a corporate environment such as a chain with a data centre can deploy more expensive and complete solutions.
I don't easily agree with the segregation of the WLAN from the CDE either, as, say, we get someone doing some work via wireless on cardholder data; if the WLAN is non-compliant then the cardholder data is exposed even though it's firewalled. Yes, they should not be able to, but that's again down to policy and access management. Even putting your WLAN out of scope by using firewalls, you still have to use some wireless magic to prove you have no rogues etc., so why not build a compliant WLAN and use its capabilities to monitor the infrastructure from a wireless perspective as well?
Equally even if you build your WLAN behind a firewall as a consultant I would advise the addition of wIPS and audit capabilities for complete peace of mind.
Just think PlayStation: all the time they are banging on about how harsh it is that their software gets hacked, while someone steals 70 million credit card details. I'm not saying that's wireless, but you can never ever be too secure. (Apologies, my little soap box.)
[quote]I don't easily agree with the segregation of the WLAN from the CDE either, as, say, we get someone doing some work via wireless on cardholder data; if the WLAN is non-compliant then the cardholder data is exposed even though it's firewalled,... why not build a compliant WLAN and use its capabilities to monitor the infrastructure from a wireless perspective as well?[/quote]
While I agree in principle and from a technical standpoint with you, if someone is actually trying to achieve PCI-DSS compliance then they are required to use some form of stateful access control between the WLAN and LAN even if it is in scope. It's not optional (Requirement 1.2.3 I believe). Complete segregation is optional but not the actual access control portion.
Either way, I agree with you that if you design the WLAN properly and securely, 95% of compliance will be taken care of even if you don't know anything about PCI-DSS. From there, it's just a matter of jumping through a few hoops.
Requirement 1.2.3 states "Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment."
However, it comes down to design, business practice etc.; does Joe in accounts, who uses a laptop via wireless and manages some portion of card transactions, count as a part of the CDE? You begin getting into business practices, and then IF you say "When Joe looks at card transactions he must use a dedicated hard-wired PC", human nature dictates that we are all lazy and all of us, if in Joe's position, will at some point in time use our wireless connection. So it's much easier to have it all in scope, not firewalled off, and compliant: no mistakes, no changing work practices etc.
If it's all in, it's all in; no arguing whether it's in or out and Joe compromising the network. It's only IF the WLAN is NOT part of the CDE that it MUST be firewalled.
I do however see a lot of grey areas, and whenever PCI is discussed it always, without fail, gets very entertaining. The more unfortunate aspect of PCI compliance is that some companies who actually assess PCI compliance are not competent to do so; I have seen networks pass in the last 12 months that still used WEP. I would also suggest working with the compliance officers to ensure you give them a warm fuzzy glow.
Personally I think WLANs are now potentially more secure than LANs IF you can get physical access. How many companies use wire-side 802.1X, IPS inside the perimeter, NAC etc.? If you are an enterprise putting in a WLAN today with a reputation to uphold, do it properly rather than whanging a few APs on the wall with a bit of encryption.
[quote]If it's all in, it's all in; no arguing whether it's in or out and Joe compromising the network. It's only IF the WLAN is NOT part of the CDE that it MUST be firewalled.
I do however see a lot of grey areas, and whenever PCI is discussed it always, without fail, gets very entertaining.[/quote]
Agreed, a lot of the standard is based on the interpretation of the QSA involved. In this case I am inclined to disagree with your interpretation, but then again, that's really the problem with the standard now, isn't it? We'll have to just agree to disagree ;-)
Good point on the inherent security of WLANs vs LANs. Definitely there is more 'baked in' security in the WLAN world.