Self-Defending Network Support for PCI

BRKSEC-2008

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public


Session Description

This session discusses the Payment Card Industry (PCI) Data Security Standard, and how you use the network to help achieve PCI Compliance.

We will cover the remote location, e-commerce sites, main campus, data center, and the network management for PCI. We will use the Cisco PCI Validated Architecture Solutions as a reference.


Agenda

Session Objectives

Compliance and PCI Overview

Applying the Network toward PCI Compliance

Key Takeaways

Q and A


Session Objectives

At the end of the session, you should be able to:

Understand the 12 PCI Requirements

Gain knowledge of where PCI applies within your company

Apply technologies to help achieve PCI compliance


PCI Defined and Updates


The PCI Data Security Standard

Published January 2005; version 1.1 released September 7, 2006

Impacts all who process, transmit or store cardholder data

The PCI Security Standards Council maintains the standard and certifications

http://www.pcisecuritystandards.org

[Figure: cover of the Payment Card Industry Data Security Standard, January 2005]


PCI Industry Updates

US Level 1 Merchants Deadline was September 30, 2007: 77% are compliant

364 Level 1 Merchants (38 were given September 30, 2008 extension)

US Level 2 Merchant Deadline was December 31, 2007: 62% are compliant

1011 Level 2 Merchants (302 were given December 30, 2008 extension)

Europe Merchants: 2008 deadline

Asia Merchants: 2009 deadline

US impact of non-compliance:

Level 1 merchants: $25,000–$100,000 per month fine, and will increase over time

Level 2 merchants: $5,000–$25,000 per month fine

Source: VISA January 2008


PCI Standards Update

New PCI Self-Assessment Questionnaires (SAQ) released: one SAQ has become four SAQs to reach more merchants

PCI DSS version 1.2 coming October 2008

Two Information Supplements released April 22, 2008:

11.3 Penetration Testing

6.6 Web Application Firewall

List of Qualified Security Assessors (QSA) continuously updated

List of Approved Scan Vendors (ASV) continuously updated


VISA PCI Categories: US Merchants

Level 1 Merchants
  Criteria: more than six million Visa/MasterCard/American Express/Discover transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise
  Requirement: annual onsite PCI data security assessment; quarterly network scan

Level 2 Merchants
  Criteria: one million to six million transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4 Merchants
  Criteria: less than 20,000 e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Merchant%20Level#anchor_2


VISA PCI Categories: Canadian Merchants

Level 1 Merchants
  Criteria: more than six million Visa/MasterCard/American Express/Discover transactions per year; any merchant that has suffered a hack or an attack that resulted in an account data compromise
  Requirement: annual onsite PCI data security assessment; quarterly network scan

Level 2 Merchants
  Criteria: 150,000 to six million e-commerce transactions per year, or one million to six million transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to 150,000 e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4A Merchants
  Criteria: less than 20,000 e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Source: http://www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm


VISA PCI Categories: Europe Merchants

Level 1 Merchants
  Criteria: processed more than 6,000,000 Visa transactions per year; compromised in the last year; or identified as Level 1 by another card brand
  Requirement: annual onsite PCI data security assessment; quarterly network scan

Level 2 Merchants
  Criteria: one million to six million transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4 Merchants
  Criteria: less than 20,000 e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp


VISA PCI Categories: Latin America Merchants

Level 1 Merchants
  Criteria: high-risk merchants with 80% of transaction volume (capable of storing credit card data); e-commerce merchants with 80% of transaction volume; any merchant that has suffered a hack or an attack resulting in an account data compromise
  Requirement: annual onsite PCI data security assessment; quarterly network scan

Level 2 Merchants
  Criteria: high-risk merchants with the remaining 20% of transaction volume; e-commerce merchants with the remaining 20% of transaction volume
  Requirement: annual self-assessment; quarterly network scan

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Source: VISA AIS Program http://www.visalatam.com/e_merchant/ais3.jsp


VISA PCI Categories: AsiaPac Merchants

Level 1 Merchants
  Criteria: processed more than 6,000,000 Visa transactions per year
  Requirement: annual onsite PCI data security assessment; quarterly network scan

Level 2 Merchants
  Criteria: one million to six million transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4 Merchants
  Criteria: process fewer than 20,000 e-commerce transactions and fewer than one million transactions regardless of channel
  Requirement: quarterly network scan; annual self-assessment

Source: VISA http://www.visa-asia.com/ap/au/merchants/riskmgmt/ais_how.shtml


VISA PCI Categories: US, Europe and Canada Service Providers

Level 1 Service Providers
  Criteria: all VisaNet processors (member and nonmember) and all payment gateways
  Requirement: annual onsite PCI data security assessment; quarterly network scan

Level 2 Service Providers
  Criteria: any service provider that is not in Level 1 and stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually
  Requirement: annual onsite PCI data security assessment; quarterly network scan

Level 3 Service Providers
  Criteria: any service provider that is not in Level 1 and stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually
  Requirement: annual self-assessment; quarterly network scan

Source: VISA http://usa.visa.com/merchants/risk_management/cisp_service_providers.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Service%20Provider%20Level#anchor_3


The Payment Card Industry (PCI) Data Security Standard

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored data

4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security


Applying Self-Defending Network to PCI


Cisco PCI Validated Architectures

Recommended architectures for networks, payment data at rest and data in transit

Testing in a simulated retail enterprise which includes POS terminals, application servers, wireless devices, Internet connection and security systems

Configuration, monitoring, and authentication management systems

Architectural design guidance and audit review provided by PCI audit and remediation partners

[Figure: PCI audit partner and retail solution partner logos; Cisco Validated Design: Small Retail Store]


PCI Solution for Retail End-to-End Architecture

[Figure: end-to-end architecture. The retail store (desktop PCs and laptops, POS electronic cash register, POS server, payment devices, mobile payments; Cisco Catalyst switch, Cisco Aironet wireless LAN access point, Cisco Integrated Services Router) connects over the WAN to the data center (store WAN routers, WAN aggregation, core, service aggregation on Cisco Catalyst switches with service modules, server access; authentication, monitoring, security system management, network management, network services, database servers, POS transaction and key management servers; storage on MDS 9000 SAN switches, disk arrays and tape storage) and to the Internet edge (edge routers, Adaptive Security Appliance, DMZ with web servers and web application firewall, VPN for teleworkers, customers and partners, remote VPN)]


Data Center Architecture

WAN Routers: security services and QoS limit traffic in from the business network; if the WAN connects to a public network, Virtual Private Network encryption is required; IPSec tunnels encrypt traffic to store routers

Core Switches: high-speed switching and segmentation between the other layers

Service Aggregation Switches: application services include quality of service, content filtering, and load balancing; security services include access control, firewall, intrusion prevention

[Figure: data center overview. Store WAN routers connect over the WAN to the WAN aggregation layer, then to the core (Cisco Catalyst switches), service aggregation (Cisco Catalyst switches with service modules), server access (authentication, monitoring, security system management, network management, network services, database servers, POS transaction, key management) and storage (MDS 9000 SAN switches, disk arrays, tape storage)]


Internet Edge

Edge Routers: access lists limit the traffic allowed in from the Internet; IPSec and secure web traffic is allowed in from the Internet

Service Aggregation Switches: application services include quality of service, content filtering, and load balancing; security services include access control, firewall, intrusion prevention

De-Militarized Zone (DMZ): creates a limited-access zone; connects web servers and e-commerce application servers

Virtual Private Network (VPN): terminates IPSec tunnels from employees, partners or store routers

[Figure: Internet edge. Edge routers face the Internet (customers and e-commerce, teleworkers, partners, employees, store backup network); Adaptive Security Appliances separate outside from inside and terminate VPN; the DMZ holds external web servers, a web application server and the ACE XML Gateway; Cisco Catalyst switches connect to the data center core and service aggregation layers]


PCI Solution for Retail: Store Components

Intelligent Services Router: security services limit the traffic allowed in and out of the store network; routing, QoS and filtering of business data flows

Cisco Catalyst LAN Switches: segmentation, quality of service

Aironet Wireless Access Points: connect wireless clients to the store network; security and identity services enforce central policy for encryption and authentication

Business Servers and Hosts: Cisco Security Agent enforces file access and host firewall policy; RSA file and database security management encrypts stored data; RSA Key Manager enforces key management policy

[Figure: retail store. Desktop PCs and laptops, POS electronic cash registers, the POS server, payment devices, mobile POS and pricing, and mobile payments connect through a Cisco Catalyst LAN switch and a Cisco Aironet wireless LAN access point to the Cisco Intelligent Services Router and out to the WAN]


PCI Solution: Remote Location (Small Store)

[Figure: small store. A Cisco Integrated Services Router (Cisco IOS Security plus Ethernet switch) with primary and alternate WAN connections serves a Cisco 802.11a/g WLAN access point, a Data VLAN/WVLAN (inventory management, store worker PC with CSA) and a POS VLAN/WVLAN (POS cash register, mobile POS, POS server). Centralized management servers: MARS, ACS, Security Manager, WCS, wireless controllers]


PCI Solution: Remote Location (Medium Store)

[Figure: medium store. A Cisco ISR (IOS Security plus Wireless LAN Controller) with primary and alternate WAN connections, Cisco Catalyst switches with Power over Ethernet and security, and Cisco 802.11a/b/g WLAN access points. VLANs: POS VLAN/WVLAN (POS, mobile POS, POS server), Data VLAN/WVLAN (inventory management, store worker PC with CSA, personal shopper/PDA for enhanced customer service), Management VLAN, Vendor/Guest WVLAN (partner device for inventory management). Centralized management servers: MARS, ACS, Security Manager, WCS]


PCI Solution: Remote Location (Large Store)

[Figure: large store. Cisco ISRs (IOS Security) with primary and alternate WAN connections, Cisco Catalyst distribution and access switches, wireless controllers and Cisco 802.11a/b/g WLAN access points. VLANs: POS VLAN/WVLAN (POS, mobile POS, POS server), Data VLAN and WVLAN (inventory management, store worker PC with CSA, personal shopper/PDA customer service), Management VLAN, Vendor/Guest WVLAN (vendor device for inventory management). Centralized management servers: MARS, ACS, Security Manager, WCS]


Network Environment Blue Print

[Figure: reference network used on the requirement slides that follow. Remote Location: ISR, Cisco Catalyst switch, WAP, POS cash register, mobile POS, POS server, store worker PC, CSA. Main Office: 6500 switch, NAC, WAP, CSA. Data Center: ASA, AXG, CSA, credit card storage. E-commerce: 7300 router, ASA, AXG, IronPort. Internet Edge: ASA, IPS, WAN. Network Management Center: CS-MARS, NCM/CAS, CSM, ACS]


Cisco Security Manager (CSM) Topology-Centric View


PCI Requirement 1: Install and Maintain a Firewall Configuration to Protect Data

Configuration standards, documentation

Segment cardholder data from all other data

Firewall to public connections (inbound and outbound)

Wireless

Personal firewall


Requirement 1: Install and Maintain a Firewall Configuration to Protect Data

[Figure: the network environment blueprint with the Requirement 1 enforcement points highlighted: ASAs at the Internet edge, e-commerce and data center, AXG in front of the web applications, the ISR at the remote location, and Data VLAN / POS VLAN segmentation in the store. Other components as on the blueprint: 7200/7300 routers, 6500 switch, NAC, CSA, WAP, IronPort, IPS, CS-MARS, NCM/CAS, CSM, ACS]


CSM Firewall Configuration (screenshot, for your reference)


CSM Global Firewall Configuration (screenshot, for your reference)


ASA: Inspection Rules


Network Compliance Manager (NCM): Requirement 1 Status


PCI Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters

Change vendor-supplied defaults

Wireless: change wireless vendor defaults, disable SSID broadcasts, use WPA/WPA2

Configuration standards for all system components

Implement one primary function per server

Disable all unnecessary and insecure services and protocols


Requirement 2: Do Not Use Vendor-Supplied Defaults for System Settings

[Figure: the network environment blueprint (remote location, main office, data center, e-commerce, Internet edge, WAN, network management center) with the components whose defaults must be changed under Requirement 2 highlighted]


PCI Requirement 2.1 for Wireless

Verify that the Cisco Controller is, by default, configured for administrative restriction and AAA authentication for administrative users

Verify that no default SSID is enabled on the WLC

Disable/remove default SNMP strings of “public/private”

Create new community strings

Verify that default community strings are no longer accessible

Configure administrative user either via initial controller setup script or via CLI

Configure wireless system for WPA authentication

Disable SSID Broadcast
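The checklist above is a list of things to verify, and the natural way to verify them repeatably is to audit the running configuration rather than click through the GUI. The following is an added example written for this page, not a tool from the session: it checks a constructed configuration excerpt for default SNMP community strings, AAA for administrative users, broadcast SSIDs and WPA key management. The sample lines are written in the style of Cisco IOS autonomous access-point commands and are assumptions; the WLC command line and other platforms use different syntax, so the patterns would need adapting.

```python
import re

# Constructed sample: a simplified running-config excerpt in the style of
# Cisco IOS autonomous access-point commands. It is an assumption for this
# example, not configuration from the session; real platforms (the WLC CLI
# in particular) use different syntax, so adapt the patterns to yours.
SAMPLE_CONFIG = """\
hostname store-ap-1
snmp-server community public RO
snmp-server community private RW
dot11 ssid STORE-POS
 authentication open
 guest-mode
dot11 ssid STORE-DATA
 authentication key-management wpa
 wpa-psk ascii 7 0123456789ABCDEF
aaa new-model
"""

# Vendor-default values the checklist says must be gone. "tsunami" is the
# widely documented default SSID of Cisco autonomous APs (an assumption here;
# extend the set for your platform).
DEFAULT_COMMUNITIES = {"public", "private"}
DEFAULT_SSIDS = {"tsunami"}


def parse_ssids(config):
    """Return {ssid_name: [sub-commands]} for every 'dot11 ssid' block."""
    ssids, current = {}, None
    for line in config.splitlines():
        if line.startswith("dot11 ssid "):
            current = line.split(None, 2)[2].strip()
            ssids[current] = []
        elif line.startswith(" ") and current is not None:
            ssids[current].append(line.strip())
        else:
            current = None  # any non-indented line ends the block
    return ssids


def audit_wireless_config(config):
    """Check the config against the Requirement 2.1 wireless items.

    Returns a list of findings; an empty list means every check passed.
    """
    findings = []
    # Default SNMP community strings must be removed and replaced.
    for m in re.finditer(r"^snmp-server community (\S+)", config, re.M):
        if m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(f"default SNMP community string in use: {m.group(1)}")
    # Administrative users should authenticate through AAA.
    if "aaa new-model" not in config.splitlines():
        findings.append("AAA is not enabled for administrative authentication")
    for name, body in parse_ssids(config).items():
        if name.lower() in DEFAULT_SSIDS:
            findings.append(f"default SSID still enabled: {name}")
        # In autonomous IOS, guest-mode is what broadcasts the SSID in beacons.
        if "guest-mode" in body:
            findings.append(f"SSID {name} is broadcast (guest-mode configured)")
        if not any(cmd.startswith("authentication key-management wpa") for cmd in body):
            findings.append(f"SSID {name} is not configured for WPA key management")
    return findings


if __name__ == "__main__":
    for finding in audit_wireless_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run against the sample, the audit flags both default community strings and the open, broadcast POS SSID while passing the WPA data SSID; the same function can be pointed at a configuration archive (such as the one NCM keeps) to produce the per-device status the later NCM slides show.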


Cisco Wireless Configuration (screenshot, for your reference)


PCI Requirement 3: Protect Stored Data

Keep cardholder data storage to a minimum

Do not store the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 and magnetic stripe data), the card-validation code or value, or the PIN

Mask the PAN when displayed, and render it unreadable when stored (hashed indexes, truncation, index tokens and pads, strong cryptography, disk encryption)

Document and implement key management processes
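The "render it unreadable" bullet above lists several techniques without showing what each one leaves behind. The following is an added example written for this page, not code from the session or from Cisco: it shows display masking, truncation, a keyed hashed index and a token vault side by side on a constructed test card number. The first-six/last-four display form is the maximum PCI DSS 3.3 allows to be shown; the HMAC key and the vault are assumptions standing in for the key manager and encrypted store a real deployment would use.

```python
import hashlib
import hmac
import secrets

# Constructed sample: the widely used Visa test number, not a real account.
SAMPLE_PAN = "4111 1111 1111 1111"


def pan_digits(pan):
    """Normalise a PAN to its digits and reject implausible lengths (13-19)."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits


def mask_pan(pan):
    """Display form: at most the first six and last four digits, the rest masked."""
    digits = pan_digits(pan)
    return digits[:6] + "X" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan):
    """Storage by truncation: keep only the last four digits; nothing to decrypt."""
    return pan_digits(pan)[-4:]


def hashed_index(pan, key):
    """Storage as a hashed index for lookup/de-duplication without the PAN.

    A keyed hash (HMAC-SHA256) is used rather than a bare hash: the PAN space
    is small enough that an unkeyed hash of a PAN can be brute-forced, so the
    key must be protected under the key-management process Requirement 3 asks for.
    """
    return hmac.new(key, pan_digits(pan).encode(), hashlib.sha256).hexdigest()


class TokenVault:
    """Index tokens: a random token stands in for the PAN in downstream systems.

    The token has no mathematical relation to the PAN; only the vault (which
    in a real deployment is itself an encrypted store inside the cardholder
    data environment) can map it back.
    """

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan):
        digits = pan_digits(pan)
        if digits not in self._by_pan:
            token = "tok_" + secrets.token_hex(8)
            self._by_pan[digits] = token
            self._by_token[token] = digits
        return self._by_pan[digits]

    def detokenize(self, token):
        return self._by_token.get(token)


if __name__ == "__main__":
    vault = TokenVault()
    key = secrets.token_bytes(32)  # constructed; a real key comes from the key manager
    print(mask_pan(SAMPLE_PAN), truncate_pan(SAMPLE_PAN))
    print(hashed_index(SAMPLE_PAN, key)[:16], vault.tokenize(SAMPLE_PAN))
```

Which form a system should hold follows from what it needs to do: a receipt printer needs only the masked form, a loyalty lookup needs only the hashed index, and anything that must later charge the card needs a token it can hand back to the vault.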


Requirement 3: Protect Stored Data

[Figure: the network environment blueprint (remote location, main office, data center, e-commerce, Internet edge, WAN, network management center) with the credit card storage in the data center and the CSA-protected hosts highlighted for Requirement 3]


Protect Stored Data: From What?

Cisco Security Agent (CSA) protects from:

Copying cardholder information to removable media (USB sticks, CD ROMs, etc.)

Copying cardholder information to different file formats

Printing cardholder information

Saving information to a local machine

Plus typical worm/virus protection (think e-commerce)


CSA Information Protection Creation (screenshot, for your reference)


CSA Action Rule (screenshot, for your reference)


PCI Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks

Use SSL/TLS or IPSec; WPA for wireless

If using WEP:

Use a minimum 104-bit encryption key and 24-bit initialization value

Use only in conjunction with WPA/WPA2, VPN or SSL/TLS

Rotate shared WEP keys quarterly (or automatically)

Restrict access based on MAC address

Never send unencrypted PANs by e-mail


Requirement 4: Encrypt Transmission of Cardholder Data Across Public Networks

[Figure: the network environment blueprint (remote location, main office, data center, e-commerce, Internet edge, WAN, network management center) with the encrypted paths for Requirement 4 highlighted: VPN across the WAN from the ISR to the ASAs, the wireless links at the WAPs, and outbound mail through IronPort]


IPSec Point-to-Point Tunnels vs. GET VPN: Tunnel-less VPNs

IPSec point-to-point tunnels:

Scalability is an issue (N^2 problem)

Overlay routing

Any-to-any instant connectivity cannot be done at scale

Limited advanced QoS

Multicast replication inefficient

GET VPN (tunnel-less VPN, a new security model):

Data is encrypted without the need for a tunnel overlay: scalable any-to-any

Routing/multicast/QoS integration is optimal: native routing

Encryption can be managed by either subscribers or service providers

Customized, per-application encryption

[Figure: tunnel-less VPN with multicast across the WAN]


IronPort: PCI Compliance over Email

Automatic detection and encryption of credit card info: comprehensive scanning for cardholder info, integrated encryption and remediation, auditable reporting

Comprehensive detection:
• Credit Card Smart Identifier
• Preloaded PCI Lexicons Dictionary
• Embedded Attachment Scanning

Integrated remediation:
• Universal Message Encryption
• Quarantine, Archive Capabilities
• Notifications
• Reporting

[Figure: users send outbound mail through the IronPort Email Security Appliance to the Internet]

“IronPort meets PCI compliance requirements in an easy to administer, transparent manner.” Brian Burke, Director, Secure Content, IDC

“IronPort has provided customers with an easy to deploy, use, and manage PCI compliance solution for email.” Barry Johnson, Director, Risk Mitigation, IGXGlobal
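The slide names a "smart identifier" and a lexicon but does not say what separates a card number from any other run of digits in an e-mail. The following is an added example written for this page, not IronPort's implementation: it scans constructed outbound messages for 13 to 19 digit runs, keeps only those that pass the Luhn check, matches a small constructed lexicon, and maps the result onto the remediation actions the slide lists (encrypt, notify, deliver). The lexicon terms and the action names are assumptions.

```python
import re

# Constructed sample outbound messages. 4111 1111 1111 1111 is a widely used
# test number that passes the Luhn check; the 1234... string is 16 digits
# that do not, which is what keeps order numbers out of the hits.
SAMPLE_MESSAGES = [
    "Hi, please charge card 4111 1111 1111 1111 exp 12/29 for order 77812.",
    "Order 1234567890123456 shipped today via ground.",
    "Customer asked about the credit card surcharge policy, no number given.",
    "Invoice total is $120.00, PO 98765.",
]

# Runs of 13-19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit string.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A small constructed lexicon standing in for a preloaded PCI dictionary.
LEXICON_RE = re.compile(r"\b(?:credit card|card number|cvv|cvc|expir\w*|exp)\b", re.I)


def luhn_ok(digits):
    """Luhn check-digit test, used to separate card-number-shaped strings
    from order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in text that look like PANs (length + Luhn)."""
    found = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_message(text):
    """Classify one outbound message and pick a remediation action.

    encrypt : a PAN was found, so the message may only leave encrypted
    notify  : cardholder-related wording but no PAN; tell sender/auditor
    deliver : nothing of interest
    """
    pans = find_pans(text)
    lexicon_hits = sorted({m.group(0).lower() for m in LEXICON_RE.finditer(text)})
    if pans:
        action = "encrypt"
    elif lexicon_hits:
        action = "notify"
    else:
        action = "deliver"
    return {
        "action": action,
        "pans_last4": [d[-4:] for d in pans],  # log only the last four, never the PAN
        "lexicon_hits": lexicon_hits,
    }


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(scan_message(msg))
```

The Luhn filter is what keeps the false-positive rate tolerable on a mail stream full of order and invoice numbers; the report deliberately records only the last four digits so that the audit log itself does not become cardholder data.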


NCM Requirement 4 Status (screenshot, for your reference)


Cisco Wireless Configuration (screenshot, for your reference)


PCI Requirement 5: Use and Regularly Update Anti-Virus Software or Programs

Deploy anti-virus software on all systems commonly affected by viruses

AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware

Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs


Requirement 5: Use and Regularly Update Anti-Virus Software

[Figure: the network environment blueprint (remote location, main office, data center, e-commerce, Internet edge, WAN, network management center) with the Requirement 5 components highlighted: NAC in the main office, CSA on the hosts, and IronPort for e-mail]


NAC Manager (screenshot, for your reference)


Adding a NAC A/V Rule (screenshot, for your reference)


NAC Rule List (screenshot, for your reference)


NAC A/V Update


IronPort A/V: Industry-Leading Defense-in-Depth Solution

Preventive defense + reactive defenses: Virus Outbreak Filters + anti-virus signatures

Ease of deployment and zero management: automatic updates

Email security: the highest virus transmission medium

[Figure: layered defenses: IronPort Virus Outbreak Filters, Sophos anti-virus signatures, McAfee anti-virus signatures]


PCI Requirement 6: Develop and Maintain Secure Systems and Applications

Systems and software have the latest vendor-supplied security patches installed; install relevant security patches within one month of release

Establish a process to identify new security vulnerabilities (subscribe to alert services, etc.)

Develop software applications based on industry best practices and incorporate security throughout the software development lifecycle

Develop web applications based on secure coding guidelines such as those of the Open Web Application Security Project

Web-facing applications are protected against known attacks by installing an application-layer firewall in front of them, or by having the application code reviewed by a specialized application security organization


Requirement 6: Develop and Maintain Secure Systems and Applications

[Figure: the network environment blueprint (remote location, main office, data center, e-commerce, Internet edge, WAN, network management center) with the AXG application-layer firewalls in front of the e-commerce and data center web applications highlighted for Requirement 6]


OWASP’s 2007 Top Ten (for your reference)


AXG in Action: Blocking XSS Attacks

Cisco Application Control Engine (ACE) XML Gateway

1. Define hosts to protect

2. Define policies per host: we are going to validate GET and POST parameters


AXG in Action: Blocking XSS Attacks

1. Define acceptable range for each GET or POST query parameter

2. Attack detected and blocked


AXG in Action: Blocking XSS Attacks

1. Alternatively, use a blacklist approach using Cisco-verified signatures
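The three AXG slides above describe two ways of deciding whether a request parameter is acceptable: a positive model (an allowed range or pattern per GET/POST parameter, per host) and a negative model (signatures). The following is an added example written for this page, not ACE XML Gateway's configuration or code: it implements both checks over a constructed per-host policy and a constructed three-signature set, so the difference between them can be seen on the same inputs. The host, paths, parameters and signatures are assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed per-host policy (hypothetical host and paths, not from the
# session): each protected path lists the parameters it accepts and the
# acceptable range or pattern for each. Anything not listed is rejected.
POLICIES = {
    "shop.example.com": {
        "/search": {
            "q": {"type": "str", "max_len": 40, "pattern": r"[\w \-]*"},
        },
        "/cart": {
            "sku": {"type": "str", "max_len": 12, "pattern": r"[A-Z0-9\-]+"},
            "qty": {"type": "int", "min": 1, "max": 99},
        },
    },
}

# Blacklist alternative: a small constructed signature set standing in for
# vendor-verified signatures. It only catches shapes someone has written down.
XSS_SIGNATURES = [
    re.compile(p, re.I) for p in (r"<\s*script", r"javascript\s*:", r"\bon\w+\s*=")
]


def validate_whitelist(host, path, query_string):
    """Positive model: accept only parameters and values the policy defines."""
    host_policy = POLICIES.get(host)
    if host_policy is None:
        return False, "host is not protected by any policy"
    allowed = host_policy.get(path)
    if allowed is None:
        return False, f"no policy for path {path}"
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        rule = allowed.get(name)
        if rule is None:
            return False, f"unexpected parameter {name}"
        for value in values:
            if rule["type"] == "int":
                if not value.isdigit() or not rule["min"] <= int(value) <= rule["max"]:
                    return False, f"{name} outside {rule['min']}..{rule['max']}"
            elif len(value) > rule["max_len"] or not re.fullmatch(rule["pattern"], value):
                return False, f"{name} does not match the allowed pattern"
    return True, "ok"


def check_blacklist(query_string):
    """Negative model: reject any value matching a known-bad signature."""
    params = parse_qs(query_string, keep_blank_values=True)
    for name, values in params.items():
        for value in values:
            for sig in XSS_SIGNATURES:
                if sig.search(value):
                    return False, f"{name} matches signature {sig.pattern}"
    return True, "ok"


if __name__ == "__main__":
    for req in (("shop.example.com", "/search", "q=red+shoes"),
                ("shop.example.com", "/search", "q=%3Cscript%3Ealert(1)%3C/script%3E"),
                ("shop.example.com", "/cart", "sku=AB-123&qty=500"),
                ("shop.example.com", "/search", "q=shoes&debug=1")):
        print(req[2], validate_whitelist(*req), check_blacklist(req[2]))
```

The instructive case is a value such as `<img src=x>`: none of the three signatures fire on it, but the whitelist rejects it because the search pattern allows only word characters, spaces and hyphens. That is the trade-off the "alternatively" on the last slide implies: the positive model needs a policy per parameter and breaks when the application changes, while the signature model needs no application knowledge and misses whatever is not in the list.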


PCI Requirement 7: Restrict Access to Cardholder Data by Business Need-to-Know

Limit access to computing resources and cardholder information only to those individuals whose job requires such access

Establish a mechanism for systems with multiple users that restricts access based on a user’s need to know and is set to “deny all” unless specifically allowed


Requirement 7: Restrict Access to Data by Business Need-to-Know

(Architecture diagram: the reference architecture, with credit card storage and wireless devices marked, annotated for Requirement 7.)


CSA Action Rule (For Your Reference)


When a User Attempts to Save a Change… (For Your Reference)


CSA Manager Event Log (For Your Reference)


PCI Requirement 8: Assign a Unique ID to Each Person with Computer Access

Identify all users with a unique user name before allowing access to system components or cardholder data

In addition, employ one method of authentication (password, token devices [SecureID, certificates or public key], biometrics)

Implement two-factor authentication

Encrypt all passwords during transmission and storage


Requirement 8: Assign a Unique ID to Each Person with Computer Access

(Architecture diagram: the reference architecture, with credit card storage and wireless devices marked, annotated for Requirement 8.)


Cisco Secure Access Control Server (ACS): Administration Accounts (For Your Reference)


Cisco ACS: Only Allow HTTPS Connections (For Your Reference)


Cisco ACS: Idle Timeouts and Failed Attempts (For Your Reference)


Cisco ACS: Map to Active Directory (For Your Reference)


PCI Requirement 9: Restrict Physical Access to Cardholder Data

Use facility entry controls and monitor physical access to systems that store, process or transmit cardholder data

Cameras to monitor sensitive areas

Restrict physical access to network jacks, wireless access points, gateways, and handheld devices

Distinguish between employees and visitors

Visitor log-in, physical token, authorization before entering the area

Physically secure cardholder data media

Destroy media when it is no longer needed


PCI Requirement 10: Track and Monitor All Access to Network Resources and Cardholder Data

Implement automated audit trails

Record audit trail entries

Secure audit trails so they cannot be altered

Review logs for all system components at least daily

Destroy media when it is no longer needed

Retain audit trail history for at least one year, with a minimum of three months online availability
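One way to implement the "secure audit trails so they cannot be altered" and retention points of Requirement 10 in code, as an added example that is not from the presentation or from CS-MARS: each entry carries an HMAC over its own fields and the previous entry's MAC, so a later edit, deletion or reordering is detectable, and entries are sorted into the three-months-online and one-year-retained buckets. The key, users, events and timestamps are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta

# Constructed demo key. In practice the log collector holds this key and the
# systems that generate entries cannot read it, so a compromised host cannot
# re-sign a rewritten history.
COLLECTOR_KEY = b"constructed-demo-key-do-not-reuse"
GENESIS = "0" * 64

def _mac(record):
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(COLLECTOR_KEY, body, hashlib.sha256).hexdigest()

def append_entry(chain, ts, user, event):
    """Append an entry whose MAC also covers the previous entry's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    record = {"ts": ts, "user": user, "event": event, "prev": prev}
    record["mac"] = _mac(record)
    chain.append(record)
    return record

def verify_chain(chain):
    """Return (True, None) if intact, else (False, index of first bad entry).
    Editing, deleting or reordering an entry breaks the link at or before it."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        fields = {k: rec[k] for k in ("ts", "user", "event", "prev")}
        if rec["prev"] != prev or not hmac.compare_digest(rec["mac"], _mac(fields)):
            return False, i
        prev = rec["mac"]
    return True, None

def retention_buckets(chain, now_iso, online_days=90, retain_days=365):
    """Sort entries by age into 'online' (three months immediately available),
    'archive' (kept up to one year) and 'expired' (past the retention floor)."""
    now = datetime.fromisoformat(now_iso)
    buckets = {"online": [], "archive": [], "expired": []}
    for rec in chain:
        age = now - datetime.fromisoformat(rec["ts"])
        if age <= timedelta(days=online_days):
            buckets["online"].append(rec)
        elif age <= timedelta(days=retain_days):
            buckets["archive"].append(rec)
        else:
            buckets["expired"].append(rec)
    return buckets

def build_demo_chain():
    """Constructed sample trail (hypothetical users and events)."""
    chain = []
    append_entry(chain, "2007-03-01T09:00:00+00:00", "admin1", "login pos-server")
    append_entry(chain, "2008-01-01T10:00:00+00:00", "admin1", "change firewall rule")
    append_entry(chain, "2008-03-15T10:00:00+00:00", "svc-backup", "read cardholder-db")
    append_entry(chain, "2008-04-20T10:00:00+00:00", "admin2", "login acs")
    return chain

if __name__ == "__main__":
    trail = build_demo_chain()
    print("intact:", verify_chain(trail))
    trail[1]["user"] = "nobody"          # simulate after-the-fact tampering
    print("after edit:", verify_chain(trail))
```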


Requirement 10: Track and Monitor All Access to Network and Cardholder Data

(Architecture diagram: the reference architecture, with credit card storage and wireless devices marked, annotated for Requirement 10.)


CS-MARS: PCI DSS Requirement 10, Critical System Access Monitoring

PCI DSS Requirement 10: “Is Administrator Access to the End Systems Monitored?”


CS-MARS PCI Reports/Reporting (For Your Reference)

Detailed Monitoring and Reporting for PCI Requirements: Comprehensive PCI Reports

PCI Reports Group


CS-MARS for PCI Reporting (For Your Reference)

PCI Reports Group: Comprehensive and Detailed Reports and Reporting


NCM Requirement 10 Status (For Your Reference)


PCI Requirement 11: Regularly Test Security Systems and Processes

Use a wireless analyzer at least quarterly to identify all wireless devices in use

Run internal and external network vulnerability scans at least quarterly and after any significant change in the network

Perform penetration testing at least once a year and after any significant upgrade or modification

Use NIDS/IPS, HIDS/HIPS

Deploy file integrity monitoring software to perform critical file comparisons at least weekly


Requirement 11: Regularly Test Security Systems and Processes

(Architecture diagram: the reference architecture, with credit card storage and wireless devices marked, annotated for Requirement 11.)


Cisco ASA 5500 Series and IPS Network Environment Blue Print for PCI

(Blueprint diagram: the reference architecture with ASA 5500 firewalls and IPS placed at the remote location, main office, Internet edge and data center; IPS options shown are ASA IPS, Cisco IOS IPS, or ISR AIM IPS; IPS 4200, ASA-IPS or IDSM-2; and IPS 4200 or ASA-IPS.)


CS-MARS: PCI DSS Requirement 11

PCI DSS Requirement 11: “Is the Wireless Network Being Monitored and Are New Wireless Devices Identified?”

Cisco Wireless Controller: Wireless Access Detection


Wireless Controller Configuration: Scan for and Detect Rogue APs and Wireless Devices (For Your Reference)

Untrusted AP Policy

Rogue Location Discovery Protocol .............. Disabled

RLDP Action .................................... Alarm Only

Rogue APs

Rogues AP advertising my SSID .................. Alarm Only

Detect and report Ad-Hoc Networks .............. Enabled


Cisco Security Manager: IPS Device-Centric Signature View


Cisco Security Manager: Policy-Centric Signature View


Cisco Security Agent (CSA): PCI Rule Modules


CSA PCI Requirement 11 Modules


CSA PCI Module Drill-Down


NCM Requirement 11 Status


PCI Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors

Establish, publish, maintain, and disseminate a security policy

Develop usage policies for critical employee-facing technologies

Implement a security awareness program

Implement an incident response plan

If cardholder data is shared with service providers, the SP must adhere to the PCI DSS requirements


Requirement 12: Maintain a Policy that Addresses Information Security

(Architecture diagram: the reference architecture, with credit card storage and wireless devices marked, annotated for Requirement 12.)


CSM Workflow

What Is It? Structured process for change management that complements your operational environment

Example: Who can set policies

Who can approve them

Who can approve deployment and when

Who can deploy them

Benefit: Provides scope of control

(Workflow diagram, “Enable Different Management Teams to Work Together”: Security Operations owns Policy Definition (Create/Edit Policy, Review/Submit, Approve/Commit); Network Operations owns Policy Deployment (Submit Job, Approve Job, Generate/Deploy, with Undo and Rollback) for Firewall, VPN, and IPS Services.)


(Diagram: Cisco Secure ACS providing AAA for Cisco Security Manager, with managed Cisco IOS Software, Cisco PIX® Firewall and Cisco ASA devices at the home office and for remote access.)

CSM Role-Based Access Control

What Is It? Authenticates the administrator’s access to the management system; determines who has access to specific devices and policy functions

Example: Maps the administrator and associate administrators to specific roles that define who can do what

Benefit: Enables delegation of administrator tasks to multiple operators; provides appropriate separation of ownership and controls


NCM Requirement 12 Status (For Your Reference)


Cisco Solution for PCI

(Architecture diagram: the reference architecture with Cisco Security Management, ACS, Cisco Security Agent (CSA), IronPort, AXG, IPS, ASA 5500, 7300 router, WAP, POS terminal and POS server, mapped to Requirements 1 through 12.)


PCI Solution Mapping

(Table: PCI Requirements 1 to 12 as rows against ISR, ASA, CSA, MARS, WLAN, IPS, NAC, 6500, IronPort, CSM, NCM, ACE XML and ACS as columns; the original marks which products support each requirement, with the remaining cells n/a, but the marks did not survive extraction.)


Cisco PCI Services


Services from Cisco and Cisco Security Specialized Partners

Supporting your efforts to achieve compliance: Identify and remediate gaps in your current network environment relative to the PCI Data Security Standard

Gap analysis and remediation plan

Design and implementation

Supporting your efforts to stay compliant: Asset monitoring and support for configuration and change management

Quarterly security gap analysis

Periodic reporting of PCI-critical device status

*PCI compliance service capabilities may vary by region


Gap Analysis and Remediation Plan

PCI Analysis Toolset: Collects data about devices and configurations (Cisco and third party)

Analyzes your network for gaps relative to PCI Data Security Standard requirements

Cisco engineer creates a tailored remediation plan that includes a prioritized set of actions for closing compliance gaps

Identifies Gaps in Your Network Components and Systems, Policies, and Processes (For Your Reference)


Design and Implementation

Security Policy Definition: Develop or refine your company’s high-level goals, procedures, rules, and requirements for securing its information assets

Design Review, if necessary: Provide design review if the PCI gap analysis and remediation plan suggest it

Implementation: Implement your solution on time and on budget by following a thorough, detailed implementation process based on best practices; realize business and technical goals by installing, configuring, and integrating new system components in accordance with remediation plan recommendations

Best Practices for Implementing the Remediation Plan Recommendations (For Your Reference)


Asset Monitoring and Support for Configuration and Change Management

Asset Monitoring: Monitor and manage devices critical to your PCI-compliant network in real time, 24 hours a day, 365 days a year; identify anomalies, events, or trends that might adversely affect your network security; provide consolidated status reports that you can use with your stakeholders and third parties such as auditors

Configuration Management Support: Improve operational efficiency by maintaining an accurate, reliable system configuration database and managing configuration changes through an orderly, effective process

Change Management Support: Reduce operating costs and limit change-related incidents with a consistent and efficient change management process

For Your Reference


Quarterly Incremental Security Gap Analysis

Assess for Changes that Might Affect Compliance

Provide Improvement Recommendations and Remediation Services as Needed

For YourReference


Summary


PCI is moving rapidly to global importance

PCI Compliance encompasses Security Best Practices

Work closely with Approved Scan Vendor and Qualified Security Assessor to understand expectations

Use Cisco’s PCI Validated Architectures as a guide to ease design and implementation

Key Takeaways


More Information

Cisco Compliance information: http://www.cisco.com/go/compliance

http://www.cisco.com/go/retail

VISA Cardholder Information Security Program: http://usa.visa.com/merchants/risk_management/cisp.html

MasterCard PCI Merchant Education: http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html

PCI Security Standards Council: https://www.pcisecuritystandards.org/


Relevant Security Sessions

Advanced IPSec with GET VPN (BRKSEC-4012)

Secure Messaging (BRKSEC-2052)

Deploying Cisco Network Admission Control Appliance (BRKSEC-2041)

Understanding Host-Based Threat Mitigation Techniques (BRKSEC-2031)

Deploying Network-Based Intrusion Prevention Systems (BRKSEC-2030)

Firewall Design and Deployment (BRKSEC-2020)

Deploying Dynamic Multipoint VPNs (BRKSEC-2012)

Deploying Site-to-Site IPSec VPNs (BRKSEC-2011)

Deploying Cisco IOS Security (BRKSEC-2007)

Inside the Perimeter: Six Steps to Improving Your Security Monitoring (BRKSEC-2006)

Monitoring and Mitigating Threats (BRKSEC-2004)


Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press®

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes; winners announced daily.

Receive 20 Passport points for each session evaluation you complete

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
