Segmentation Fault

[Photo: Fence, by popartichoke]

The subject of segmentation is, and probably always will be, a hot topic in the world of PCI. Effective segmentation is the primary subject of conversation as organizations struggle to reduce the scope, and the subsequent financial impact, of achieving and sustaining PCI compliance. Due to the massive number of implementation possibilities, it would be very difficult for the PCI SSC to take a specific stance and define what actually constitutes “effective segmentation.”

So this leaves us with every QSA’s and merchant’s favorite PCI SSC chant: “It’s up to the QSA.”

One big area of the segmentation discussion surrounds the use of VLANs as part of segmenting the CHD. Dr. W. David Sincoskie and Chase Cotton created and refined the algorithms that eventually became VLANs and published their work in the 1988 IEEE Network ( Since then, VLANs have become a major part of most networking environments. However, VLANs have been getting a bad rap from the security population in recent years.

The PCI Wireless Guideline information supplement that was published in July of 2009 states:

“Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place.”

Relying on VLAN-based segmentation is not sufficient? Does this suggest that the only method of proper segmentation would be air gapping? That is to say, each network must stand completely on its own, never traversing a common infrastructure, where common infrastructure includes firewalls, switches and routers.

This approach is not feasible in an enterprise environment, nor do I believe it is really the intent of this writing, although I’m at a loss as to how they would suggest you segment if you are not to use VLANs at all.

The issue with segmentation is not the use of VLANs for segmentation. The real concern is how data that traverses one or more VLANs is managed. The devices, technologies and processes used to regulate, manage and inspect data flowing from a VLAN of one security level to another should be the focus of concern.

Are access lists ok? What about firewalls? How about Deep Packet Inspection?

Access lists are a common way of managing data flow between VLANs. Access lists can be applied to routers, firewalls and switches. If a standard access list is used to manage traffic, the access must be defined for both ingress and egress: an access list entry must be added to allow traffic to exit a VLAN, and another entry is needed to allow the return traffic to re-enter the VLAN. These access lists create open, persistent “holes” for the traffic to pass through.

The security concern with this approach is that such a defined “open” entry might have to allow traffic from a level of lower security into a level of higher security, creating a possible attack vector or path into the area of higher security.

Reflexive access lists (also known as IP session filtering ACLs) are designed to alleviate this problem by monitoring the connection state and only allowing return traffic for established sessions. For example, if traffic is exiting VLAN1, destined for VLAN2, the RACL notes the destination address and port and will only allow return traffic from that destination, destined for the defined port. This removes the need to add a static access list entry for return traffic, in turn reducing the exposure of the open ports when they are not needed. It is important to note that RACLs only provide full session awareness for TCP; with other protocols, RACLs use timeouts to remove idle sessions.
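To make the difference between the two approaches concrete, here is an added illustration in Cisco IOS syntax (not from the original post). The addresses, VLAN numbers and ACL names are constructed, and it assumes a router or Layer 3 switch whose IOS image supports reflexive ACLs; the scenario is a lower-trust corporate VLAN (10.20.0.0/16) that needs HTTPS access to one CDE host on VLAN 10.

```cisco
! ---- Before: a stateless pair of entries leaves a persistent return hole ----
ip access-list extended CORP-TO-CDE-STATELESS
 permit tcp 10.20.0.0 0.0.255.255 host 10.10.0.5 eq 443
 deny   ip any any log
ip access-list extended CDE-RETURN-STATELESS
 ! Return path: anything from the CDE host's port 443 to any high port in CORP
 ! is permitted at all times, whether or not CORP ever opened a session.
 permit tcp host 10.10.0.5 eq 443 10.20.0.0 0.0.255.255 gt 1023
 deny   ip any any log
interface Vlan10
 ! "out" = packets leaving the router toward CDE hosts (CORP -> CDE)
 ! "in"  = packets arriving from CDE hosts (CDE -> CORP)
 ip access-group CORP-TO-CDE-STATELESS out
 ip access-group CDE-RETURN-STATELESS in

! ---- After: a reflexive ACL opens the return path only per observed session ----
! Idle-session timeout for non-TCP traffic the reflexive list cannot track by flags.
ip reflexive-list timeout 120
ip access-list extended CORP-TO-CDE-REFLEXIVE
 ! Each permitted CORP -> CDE connection creates a temporary mirrored entry
 ! in CDE-SESSIONS (addresses and ports swapped), removed when the TCP
 ! session closes or after 300 s of inactivity.
 permit tcp 10.20.0.0 0.0.255.255 host 10.10.0.5 eq 443 reflect CDE-SESSIONS timeout 300
 deny   ip any any log
ip access-list extended CDE-RETURN-REFLEXIVE
 ! Only packets matching a live mirrored entry are allowed back into CORP.
 evaluate CDE-SESSIONS
 deny   ip any any log
interface Vlan10
 ip access-group CORP-TO-CDE-REFLEXIVE out
 ip access-group CDE-RETURN-REFLEXIVE in
```

The two `deny ip any any log` entries give the reviewer (and the QSA) a log record of anything that tried to cross the boundary outside the permitted flow, which is what makes the boundary auditable rather than merely present.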

A firewall adds a further level of security over reflexive access lists by providing full session state monitoring for all protocols as well as deep packet inspection capabilities. Deep packet inspection looks further into the payload of the traffic passing through the firewall in order to inspect the content carried within the TCP encapsulation.

PCI DSS requirement 1.2.3 states:

1.2.3 Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.

[Photo: Brick Wall, by swannman]

VLAN security has come a long way since the introduction of VLAN hopping, or double tagging, in 2000. Vendors have increased the level of security features in switches and routers and have provided more detailed implementation and configuration instructions. In virtually every case, proper configuration of the networking environment reduces the risk of these vulnerabilities.

VLANs are an essential part of managing enterprise networking environments. While the most secure network architecture will be a completely air-gapped environment, the chances of you coming across one outside of your local donut shop aren’t very high. Don’t be afraid to roll your sleeves up and get your hands dirty with the details. Grab your QSA, pull them into the ditch with you and force them to think.

How do you think I learned?