Tuesday, September 12, 2006

PCI Specification, Requirement 1

This is a point by point explanation of where TNT's solution satisfies all requirement number 1 specifications. The fact that TNT's solution deploys in hours and can begin enforcement very quickly lets companies move quickly to satisfy the requirements.

The one thing missing from the spec that I feel is VERY important is a baseline audit of the environment you will be working to protect. Without it, you will set yourself up to constantly be trying to change a tire on a moving car and fixing what is wrong with more wrong things, possibly making the envorment more open and less restrictive.

1.1 Establish firewall configuration standards that include the following:

1.1.1 A formal process for approving and testing all external network connections and changes to the firewall configuration TNT Does this in real time

1.1.2 A current network diagram with all connections to cardholder data, including any wireless networks TNT Auto discovers users, machines, networks, servers, applications (port)

1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone TNT will segment and enforce your policies by user, device, group, application, server, or network

1.1.4 Description of groups, roles, and responsibilities for logical management of network components TNT proactively manages this in real time

1.1.5 Documented list of services and ports necessary for business TNT will auto discover ALL ports (even rogue) and allow you to report them and restrict them in real time

1.1.6 Justification and documentation for any available protocols besides hypertext transfer protocol (HTTP), and secure sockets layer (SSL), secure shell (SSH), and virtual private network (VPN) TNT logs all connection data between users and ports

1.1.7 Justification and documentation for any risky protocols allowed (for example, file transfer protocol (FTP), which includes reason for use of protocol and security features implemented TNT will manage access by user and/or machine to all known ports on a server (65,000)

1.1.8 Quarterly review of firewall and router rule sets TNT will enable you to establish and audit policy in real time, before enforcement is enabled, so you get to see what will happen before you shut off access

1.1.9 Configuration standards for routers.

1.2 Build a firewall configuration that denies all traffic from “untrusted” networks and hosts, except for protocols necessary for the cardholder data environment. This is what TNT’s solution does

1.3 Build a firewall configuration that restricts connections between publicly accessible servers and any system component storing cardholder data, including any connections from wireless networks. This firewall configuration should include the following:

1.3.1 Restricting inbound Internet traffic to Internet protocol (IP) addresses within the DMZ (ingress filters) TNT denies all connections that are not from a specific user, machine, IP address, etc. providing unparalleled control

1.3.2 Not allowing internal addresses to pass from the Internet into the DMZ TNT will allow you to restrict access by known/trusted user and known/trusted device to any network segment

1.3.3 Implementing stateful inspection, also known as dynamic packet filtering (that is, only ”established” connections are allowed into the network) This is TNT’s core functionality – TNT controls access based on what is in the SYN header of every packet on the network

1.3.4 Placing the database in an internal network zone, segregated from the DMZ TNT establishes a virtual physical zone so that only one user from one machine has access to a single application, even if there are other applications on the server

1.3.5 Restricting inbound and outbound traffic to that which is necessary for the cardholder data environment TNT will do this by user and machine, restricting access to only a few users from a few specific machines

1.3.6 Securing and synchronizing router configuration files. For example, running configuration files (for normal functioning of the routers), and start-up configuration files (when machines are re-booted) should have the same secure configuration

1.3.7 Denying all other inbound and outbound traffic not specifically allowed TNT was built to do this, by embedding identity information in packets and allowing/denying access by the information in the packets

1.3.8 Installing perimeter firewalls between any wireless networks and the cardholder data environment, and configuring these firewalls to deny any traffic from the wireless environment or from controlling any traffic (if such traffic is necessary for business purposes) Installing TNT’s solution behind an AP, allows you to track and control every connection through it

1.3.9 Installing personal firewall software on any mobile and employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization’s network. TNT’s solution builds a unique and unalterable identity of each machine in the environment and combines this with authenticated user information to create pervasive identity against which access controls are applied

1.4 Prohibit direct public access between external networks and any system component that stores cardholder data (for example, databases, logs, trace files). TNT would accomplish this by keeping all non identified users from any and all networks, infrastructure, applications and data in an enforced policy

1.4.1 Implement a DMZ to filter and screen all traffic and to prohibit direct routes for inbound and outbound Internet traffic

1.4.2 Restrict outbound traffic from payment card applications to IP addresses within the DMZ.

1.5 Implement IP masquerading to prevent internal addresses from being translated and revealed on the Internet. Use technologies that implement RFC 1918 address space, such as port address translation (PAT) or network address translation (NAT). TNT stops all masquerading of identity because we have a known users FQDN & unique machine ID hashed and encrypted and embedded in every packet. You cannot be anyone else from any other machine

Stay tuned for the Second requirement

identitystuff @ gmail.com


Anonymous pci said...

This information is very helpful. It really helps me understand more about PCI. Keep posting. Will certainly try doing that myself. Your post/article really helped. Thanks a lot.

Wednesday, May 13, 2009 9:39:00 PM  

Post a Comment

<< Home