11 Strategies to Deploy PCI Compliant Networks

Companies that store, process, or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI-DSS).

Failure to comply can result in fines, lawsuits, and even bans from processing credit cards. Even worse, companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners, and shareholders.

  1. Achieving PCI Compliance
     CradlePoint Webinar, July 31, 2012
     Global Leader in 4G Network Solutions
     Ken Hosac, VP Business Development
     Rudy Cedillo, Sr. Enterprise Support Engineer
  2. Achieving PCI Compliance: Agenda
     - CradlePoint Overview
       - Target market
       - Solution overview
     - Introduction to PCI Compliance
       - The standards framework
       - Business drivers
       - Compliance & monitoring
       - Customer pain-points
     - PCI-DSS Requirements & Recommendations
       - Goals & requirements
       - Validation methodology
       - CradlePoint recommendations
     CradlePoint Proprietary and Confidential | ©2012 CradlePoint Inc. | All rights reserved. | Information subject to change without notice.
  3. CradlePoint Target Market
     CradlePoint provides 3G/4G networking solutions to distributed enterprise: Retail Stores, Restaurants, Branch Offices, Convenience Stores, and M2M (Kiosks & ATMs).
  4. Connecting Distributed Enterprise through Wireless 4G/3G: Solution Overview
     [Diagram] WiPipe Central (Application & Management Platform) and On-Site Services (Site Survey, Installation, Maintenance) serve the Network Administrator. Devices: CradlePoint ARC MBR1400 Enterprise Router for small-footprint retail/branch; CradlePoint ARC CBA750 Enterprise Bridge (with DSL modem) for business continuity alongside an existing router (Juniper, Cisco, etc.); CradlePoint M2M Router for connected devices.
  5. Overview of the PCI Standards (Achieving PCI Compliance)
  6. Achieving PCI Compliance: PCI Security Standards
     - Background
       - Objective is to protect cardholder data
       - Required for any company that stores, processes or transmits credit card info
       - Founded by 5 major financial brands, including AmEx, Discover, JCB, MasterCard, Visa
       - Participants include hundreds of industry entities
     - Business Drivers
       - Companies that fail to comply are subject to fines, lawsuits, and can even be banned from processing credit cards.
       - Companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders.
  7. Achieving PCI Compliance: PCI Security Standards (continued)
     - PCI-SSC publishes three standards
       - PCI-DSS (PCI Data Security Standards): Applies to any entity that stores, processes, and/or transmits cardholder data. The standard covers technical and operational components included in or connected to cardholder data. If a business accepts or processes payment cards, it must comply with the PCI DSS.
       - PTS (PIN Transaction Security Requirements): Applies to manufacturers who develop PIN (personal identification number) entry terminals used for payment card financial transactions.
       - PA-DSS (Payment Application Data Security Standards): Applies to software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement.
     - Acronyms
       - PCI = Payment Card Industry
       - SSC = Security Standards Council
       - DSS = Data Security Standards
       - CDE = Cardholder Data Environment
       - PAN = Personal Account Number
  8. Achieving PCI Compliance: PCI Security Standards (continued)
     - Initial Certification Process
       - External audits or self-certification, based on company size
       - Smaller merchants are able to self-certify through a Self-Assessment Questionnaire (SAQ)
       - Larger enterprises must utilize a PCI-qualified assessor such as a QSA (Qualified Security Assessor) or ASV (Approved Scanning Vendor).
     - Ongoing Monitoring Process
       - The merchant must continually monitor and update their system in order to maintain compliance.
       - This includes:
         - On-going monitoring and testing of network resources
         - Regular reviews of system logs and access
         - Ensuring that device configurations and security policies are locked down and can't be changed without authorization
         - All critical systems have the most recently-released software patches within one month to protect against exploitation by malicious individuals, devices and software
  9. Achieving PCI Compliance: Customer Pain Points
     - Lack of Expertise
       - Many companies do not have in-house expertise
       - PCI Compliance can be a confusing and intimidating process
     - Expense
       - The process for obtaining and maintaining PCI-compliance is expensive and burdensome.
       - PCI Compliance auditing is often an expensive, manual process
     - Liability
       - Companies that fail to comply with the PCI-DSS (Payment Card Industry, Data Security Standards) are subject to fines & lawsuits.
       - Companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders.
     - Business Continuity
       - Non-compliance can result in the customer being banned from processing credit cards.
       - CradlePoint's largest customers have confirmed that PCI Compliance is one of the most fundamental underpinnings of their business
  10. Achieving PCI Compliance
      - Requires a System-Wide Approach
        - PCI compliance can only be obtained by the merchant.
        - PCI auditors analyze the merchant's entire system, including POS devices, network devices, servers, applications, policies, & procedures.
        - The PCI-DSS requires that the merchant verify that all network equipment (including CradlePoint devices) is properly configured and managed for compliance.
      - Router Certification
        - There is no specific specification to enable routers to become "PCI Compliant".
        - CradlePoint conducts "PCI Penetration Testing" to ensure that the routers can be confidently used in a PCI-Compliant environment.
        - CradlePoint devices do not store any of the data that flows through the device, especially credit card information
  11. Overview of PCI Requirements & Recommendations (Achieving PCI Compliance)
  12. Achieving PCI Compliance: CradlePoint Enablers
      - Application Guide
        - 80-page guide for IT professionals
        - Detailed review of each requirement
        - CradlePoint enablers
        - CradlePoint recommendations
  13. Achieving PCI Compliance: PCI-DSS 2.0 Standards (Goals and Requirements)
      - Build and Maintain a Secure Network
        - 1) Install and maintain a firewall configuration to protect cardholder data.
        - 2) Do not use vendor-supplied defaults for system passwords and other security parameters.
      - Protect Cardholder Data
        - 3) Protect stored cardholder data.
        - 4) Encrypt transmission of cardholder data across open, public networks.
      - Maintain a Vulnerability Management Program
        - 5) Use and regularly update anti-virus software or programs.
        - 6) Develop and maintain secure systems and applications.
      - Implement Strong Access Control Measures
        - 7) Restrict access to cardholder data by business need to know.
        - 8) Assign a unique ID to each person with computer access.
        - 9) Restrict physical access to cardholder data.
      - Regularly Monitor and Test Networks
        - 10) Track and monitor all access to network resources and cardholder data.
        - 11) Regularly test security systems and processes.
      - Maintain an Information Security Policy
        - 12) Maintain a policy that addresses information security for all personnel.
  14. Achieving PCI Compliance: Requirement 1, Install & Maintain Firewalls
      Description: Install and maintain a firewall configuration to protect cardholder data.
      Goal: Build and maintain a secure network.
      Requirements:
        - 1.1 Establish firewall and router configuration standards.
        - 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the CDE.
        - 1.3 Prohibit direct public access between the Internet and any system component in the CDE.
  15. Build and Maintain a Secure Network. R-1) Install & maintain a firewall configuration to protect cardholder data.
      CradlePoint Recommendation: Segment the Network into Security Zones
  16. Build and Maintain a Secure Network. R-1) Install & maintain a firewall configuration to protect cardholder data.
      CradlePoint Recommendation: Configure the Firewall
      - Stateful Packet Inspection
        - SPI is a firewall that monitors outgoing and incoming traffic to make sure that only valid responses to outgoing requests are allowed to pass through the router.
        - Proper configuration hides your LAN from unauthorized external attackers, so that the router does not respond to unsolicited incoming requests on any port.
      - Port Forwarding Rules
        - A port forwarding rule provides a controlled method of opening the firewall to address the needs of specific types of applications.
        - Allows external traffic to reach a computer or device on the inside of the network.
      - Anti-Spoof
        - "Spoofed Addresses" are faked source addresses used by a malicious user to either hide themselves or to impersonate someone else.
        - Used to launch a network attack without revealing the true source of the attack.
        - Used to gain access to network services that are restricted to certain addresses.
        - Anti-Spoof dynamically checks packets to identify probable spoofing attempts.
  17. Build and Maintain a Secure Network. R-1) Install & maintain a firewall configuration to protect cardholder data.
      CradlePoint Recommendation: Configure the Firewall (continued)
      - Packet Normalization
        - Normalizing packets helps secure the router in untrusted environments.
        - It does so by "scrubbing" packets that are ambiguous or might represent a break-in attempt.
      - Static NAT Ports
        - If enabled, the source port of inbound TCP and UDP packets is not translated during NAT.
        - Some NAT traversal protocols such as STUN(T) require that the source port stay the same when traversing the firewall.
      - DMZ Host
        - A De-Militarized Zone (DMZ) host is purposely not firewalled.
        - Enables any computer on the internet to remotely access network services at that DMZ IP address.
        - Input the IP Address for the DMZ device to ensure that the IP address of the selected device remains consistent.
  18. Build and Maintain a Secure Network. R-1) Install & maintain a firewall configuration to protect cardholder data.
      CradlePoint Recommendation: Lock Down the Router Entry Points
      - Disable UPnP
        - UPnP (Universal Plug and Play) is a set of networking protocols standardized by the UPnP Forum
        - Enables clients to determine network configuration and configure the network to allow traffic through the firewall without direct user interaction.
        - UPnP can simplify the use of consumer devices and other applications that require network configuration, but it can also allow unprivileged users to manipulate network configuration.
      - Disable WAN Pings
        - When disabled, the router does not respond to ping requests from external WAN clients.
        - This is often used by hackers to probe security vulnerabilities.
      - Use MAC Filtering
        - The MAC Filter allows you to create a list of devices that have either exclusive access (white list) or no access (black list) to your wireless LAN.
  19. Build and Maintain a Secure Network. R-1) Install & maintain a firewall configuration to protect cardholder data.
      CradlePoint Recommendation: Lock Down the Router Entry Points (continued)
      - Use IP Filter Rules
        - "Incoming" IP filter rules restrict remote access to computers on your local network.
        - "Outgoing" IP filter rules prevent computers on your local network from initiating communication to the address range specified in the rule.
        - This feature is especially useful when combined with port forwarding and/or DMZ to restrict remote access to a specified host or network range.
        - With an incoming IP filter rule, you can restrict the access to your LAN to only the specific computers or devices authorized to be on the network.
      - Disable Remote Administration
        - This prevents external users from accessing the router administration web UI through the WAN.
        - CradlePoint recommends using WiPipe Central to manage the routers, since it utilizes a secure device-initiated protocol that is less vulnerable to hacking.
        - If you decide that you do want to enable remote admin access, be sure to configure it to require HTTPS on a non-standard port.
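The stateful inspection, anti-spoof and incoming/outgoing IP filter behaviour described on slides 16 and 19, modelled as an added example (not CradlePoint's code) so a proposed rule set can be checked against sample packets before it is typed into a router. The LAN range, rule set and addresses are constructed.

```python
"""Model of the recommended router firewall policy: anti-spoof check on the
WAN side, stateful replies only, explicit incoming IP filter rules, and
default deny for anything unsolicited. Added example; all values constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str     # interface of arrival: "wan" (untrusted) or "lan" (CDE side)
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    direction: str               # "incoming" (WAN->LAN) or "outgoing" (LAN->WAN)
    action: str                  # "allow" or "deny"
    src: str                     # CIDR the source must fall in
    dst: str                     # CIDR the destination must fall in
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


# Source ranges that must never arrive on the WAN interface (anti-spoof).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


class RouterFirewall:
    def __init__(self, lan_net: str, rules: List[Rule]):
        self.lan_net = ipaddress.ip_network(lan_net)
        self.rules = rules
        # SPI state: (lan_host, remote_host, remote_port) of outbound sessions
        self.sessions: Set[Tuple[str, str, int]] = set()

    def _spoofed(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        return pkt.iface == "wan" and (src in self.lan_net
                                       or any(src in n for n in PRIVATE_NETS))

    def process(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason). Order: anti-spoof, stateful reply check,
        first matching IP filter rule, then default deny for incoming and
        default allow for outgoing traffic."""
        if self._spoofed(pkt):
            return "deny", "anti-spoof: WAN packet claims an internal/private source"
        direction = "incoming" if pkt.iface == "wan" else "outgoing"
        if direction == "incoming" and (pkt.dst, pkt.src, pkt.sport) in self.sessions:
            return "allow", "stateful: reply to an outbound session"
        for rule in self.rules:
            if rule.direction == direction and rule.matches(pkt):
                if direction == "outgoing" and rule.action == "allow":
                    self.sessions.add((pkt.src, pkt.dst, pkt.dport))
                return rule.action, f"{direction} rule {rule.src} -> {rule.dst}"
        if direction == "outgoing":
            self.sessions.add((pkt.src, pkt.dst, pkt.dport))
            return "allow", "outgoing: default allow, session recorded"
        return "deny", "incoming: default deny (unsolicited)"


def build_demo_firewall() -> RouterFirewall:
    """Constructed store policy: LAN 192.168.10.0/24, one forwarded service
    reachable only from a corporate management host, and an outgoing block
    for a range the store must not talk to."""
    return RouterFirewall("192.168.10.0/24", [
        Rule("incoming", "allow", "203.0.113.5/32", "192.168.10.2/32", 443),
        Rule("outgoing", "deny", "192.168.10.0/24", "198.51.100.0/24"),
    ])


def run_demo() -> List[str]:
    fw = build_demo_firewall()
    cases = [
        Packet("lan", "192.168.10.20", "203.0.113.50", 51234, 443),  # POS -> processor
        Packet("wan", "203.0.113.50", "192.168.10.20", 443, 51234),  # reply to it
        Packet("wan", "203.0.113.77", "192.168.10.20", 40000, 22),   # unsolicited
        Packet("wan", "203.0.113.5", "192.168.10.2", 50000, 443),    # mgmt host, forwarded
        Packet("wan", "192.168.10.9", "192.168.10.2", 50000, 443),   # spoofed internal src
        Packet("lan", "192.168.10.20", "198.51.100.7", 52000, 80),   # blocked range
    ]
    return [fw.process(p)[0] for p in cases]


if __name__ == "__main__":
    fw = build_demo_firewall()
    for verdict in run_demo():
        print(verdict)
```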
  20. Achieving PCI Compliance: Requirement 2, Don't Use Vendor-Supplied Defaults
      Description: Do not use vendor-supplied defaults for system passwords and other security parameters.
      Goal: Build and maintain a secure network.
      Requirements:
        - 2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
        - 2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
        - 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
        - 2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data.
  21. Achieving PCI Compliance: Build and Maintain a Secure Network. R-2) Do not use vendor-supplied defaults for system passwords.
      CradlePoint Recommendation: Change the Default Passwords
      - CP's Enhanced Password Protection
        - For out-of-box security, CradlePoint products do not ship with a generic default password.
        - Each router has a unique password that utilizes a portion of the router's MAC address.
      - PCI-DSS Still Requires Password Change
        - PCI-DSS Requirement 2.1 requires that the merchant change the default password on the router.
        - Even though the CradlePoint passwords are unique to each individual router, CradlePoint recommends that the customer select a new unique password for each device that is only known to system administrators with a need-to-know.
      - WiPipe Central
        - Enables password management from a centralized location, eliminating the need to log into each router to change the password.
  22. Achieving PCI Compliance: Requirement 3, Protect Stored Cardholder Data
      Description: Protect stored cardholder data.
      Goal: Protect stored cardholder data.
      Requirements:
        - 3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
        - 3.2 Do not store sensitive authentication data after authorization (even if encrypted).
        - 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
        - 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
        - 3.5 Protect any keys used to secure cardholder data against disclosure and misuse.
        - 3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.
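Requirements 3.3 and 3.4 above are concrete enough to implement directly; this added example (not from the deck) shows a display mask limited to the first six and last four digits, a keyed one-way token for storage, and a log scrubber that finds Luhn-valid card numbers in free text. The card numbers, key and log lines are constructed sample values.

```python
"""Helpers for PCI-DSS requirement 3.3 (masked display) and 3.4 (PAN unreadable
in storage and logs). Added example; sample values are constructed."""
import hashlib
import hmac
import re


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every issued PAN satisfies; used so that unrelated
    long numbers (order ids, timestamps) are not mistaken for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: show at most the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def pan_token(pan: str, key: bytes) -> str:
    """Requirement 3.4: a keyed one-way hash (HMAC-SHA256) gives a stable
    reference value without storing the PAN. The key is essential: with the
    first six and last four digits known, an unkeyed hash of the remaining
    digits is brute-forceable, so the key falls under requirements 3.5/3.6."""
    digits = re.sub(r"\D", "", pan)
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def scrub_log_line(line: str) -> str:
    """Requirement 3.4 explicitly covers logs: replace each Luhn-valid 13-19
    digit run with its masked form and leave other digit runs untouched."""
    def repl(m: "re.Match") -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_RE.sub(repl, line)


SAMPLE_LOG = [  # constructed POS log lines; PANs are standard test numbers
    "2012-07-31T10:15:02 pos01 auth ok pan=4111111111111111 amount=42.10",
    "2012-07-31T10:16:40 pos01 auth ok pan=5500 0000 0000 0004 order=1234567890123456",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(scrub_log_line(line))
```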
  23. Achieving PCI Compliance: Protect Cardholder Data. R-3) Protect stored cardholder data.
      CradlePoint Recommendation: Minimize Resources within CDE Network Segment
      - Network Segmentation
        - Partition network resources into individual "Network Segments", such as:
        - Resources on one network segment are securely partitioned from other segments
        - Enables a single router & WAN to be used for multiple purposes
      - Resource Assignment
        - Each network segment can be assigned individual network resources, including:
          - Ethernet ports
          - WiFi SSIDs
          - VLANs
        - Each Network Segment can be configured with its own
          - IP Address configuration (static, dynamic, range)
          - Routing Mode (NAT, non-NAT, Public Hotspot/Captive Portal)
          - Access Control (Admin Access, LAN Isolation, etc)
          - Interfaces (choose from WiFi SSIDs, Ethernet Groups and VLANs)
  24. Achieving PCI Compliance: Protect Cardholder Data. R-4) Encrypt cardholder data across open, public networks.
      Requirement 4: Encrypt Transmission of Cardholder Data
      Description: Encrypt transmission of cardholder data across open, public networks.
      Goal: Protect cardholder data.
      Requirements:
        - 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
        - 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
      Note: The use of WEP as a security control was prohibited as of 30 June 2010.
  25. Achieving PCI Compliance: Protect Cardholder Data. R-4) Encrypt cardholder data across open, public networks.
      CradlePoint Recommendation: Create Secure WAN Connectivity
      - Virtual Private Network (VPN)
        - VPN tunnels are used to establish a secure connection to a remote network over a public network.
        - For example, VPN tunnels can be used across the internet by an individual store location to connect to the corporate data center or by two individual store locations to function as if connected with one network.
        - The two networks set up a secure connection across the (normally) unsecure internet by assigning VPN encryption protocols.
      - Generic Routing Encapsulation (GRE)
        - GRE tunnels can be used to create a connection between two private networks.
        - CradlePoint routers support both GRE and VPN tunnels.
        - GRE tunnels are simpler to configure and more flexible for different kinds of packet exchanges, but VPN tunnels are much more secure.
  26. Achieving PCI Compliance: Protect Cardholder Data. R-4) Encrypt cardholder data across open, public networks.
      CradlePoint Recommendation: Create Secure WAN Connectivity (continued)
      - Internet Protocol security (IPsec)
        - CradlePoint routers use IPsec (Internet Protocol security) to authenticate and encrypt packets exchanged across the tunnel.
        - To set up a VPN tunnel with a CradlePoint router on one end, there must be another device (usually a router) that also supports IPsec on the other end.
      - Internet Key Exchange (IKE)
        - IKE is the security protocol in IPsec.
        - IKE has two phases, Phase 1 and Phase 2.
        - CradlePoint routers have several different security protocol options for each phase, but the default selections will be sufficient for most users.
  27. Achieving PCI Compliance: Requirement 5, Use Anti-Virus Software
      Description: Use and regularly update anti-virus software or programs.
      Goal: Maintain a vulnerability management program.
      Requirements:
        - 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
        - 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.
  28. Achieving PCI Compliance: Requirement 6, Develop & Maintain Secure Systems & Apps
      Description: Develop and maintain secure systems and applications.
      Goal: Maintain a vulnerability management program.
      Requirements:
        - 6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
        - 6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
        - 6.3 Develop software applications in accordance with PCI DSS and based on industry best practices.
        - 6.4 Follow change control processes & procedures for all changes to system components.
        - 6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development.
        - 6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.
  29. Achieving PCI Compliance: Maintain a Vulnerability Management Program. R-6) Develop and maintain secure systems and applications.
      CradlePoint Recommendation: Keep Device Firmware Updated with WiPipe Central
      - Rationale
        - Hackers use security vulnerabilities to gain privileged access to systems.
        - The PCI-DSS 2.0 document recognizes that providers of system components (including network devices) regularly test for new vulnerabilities.
        - Component providers regularly issue software upgrades to address these issues.
      - PCI Requirement 6.1
        - Mandates that all critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.
        - Requires that critical software patches must be installed within 1 month of release.
      - WiPipe Central Firmware Management
        - WiPipe Central enables each device group to have a firmware version selected to be used on all devices in the group.
        - Network administrators can choose the firmware version for a given group to use by selecting it from the list.
        - The facility allows the firmware version to be downgraded as well as upgraded.
        - If any devices are upgraded, either accidentally or without authorization, WiPipe Central will automatically reverse the upgrade.
  30. Achieving PCI Compliance: Maintain a Vulnerability Management Program. R-6) Develop and maintain secure systems and applications.
      CradlePoint Recommendation: Lock Down the Configuration with WiPipe Central
      - Centralized Configuration Management
        - Enables group management of deployed routers
        - Group configuration ensures that routers are consistently configured
        - Enables central control of device configuration
      - Prevent Unauthorized Changes
        - If individual router configurations are accidentally or maliciously changed, WiPipe Central detects and reverses the change
        - Enables administrators to ensure that router configurations are "locked down".
      - Require Changes to be made through WiPipe Central
        - Creates an audit log for access & control
  31. Achieving PCI Compliance: Requirement 7, Restrict Access to Cardholder Data
      Description: Restrict access to cardholder data by business need to know.
      Goal: Implement strong access control measures.
      Requirements:
        - 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
        - 7.2 Establish an access control system for systems components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.
  32. Achieving PCI Compliance: Requirement 8, Assign Unique IDs to Each Person with Access
      Description: Assign a unique ID to each person with computer access.
      Goal: Implement strong access control measures.
      Requirements:
        - 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
        - 8.2 In addition to assigning a unique ID, employ methods to authenticate all users: password or passphrase, token device or smart card, biometric.
        - 8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
        - 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
        - 8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.
  33. Achieving PCI Compliance: Requirement 9, Restrict Physical Access to Cardholder Data
      Description: Restrict physical access to cardholder data.
      Goal: Implement strong access control measures.
      Requirements:
        - 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
        - 9.2 Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible.
        - 9.3 Make sure all visitors are authorized, given a badge, and badge collected on exit.
        - 9.4 Use a visitor log to maintain a physical audit trail of visitor activity.
        - 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location's security.
        - 9.6 Physically secure all media.
        - 9.7 Maintain strict control over the internal or external distribution of any kind of media.
        - 9.8 Ensure management approves any and all media that is moved from a secured area.
        - 9.9 Maintain strict control over the storage and accessibility of media.
        - 9.10 Destroy media when it is no longer needed for business or legal reasons.
34. Requirement 10: Regularly Monitor and Test Networks
Description: Regularly monitor and test networks.
Goal: Track and monitor all access to network resources and cardholder data.
Requirements:
10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
10.2 Implement automated audit trails for all system components to reconstruct the various important events named in the Requirements.
10.3 Record audit trail entries for all system components for each event as defined.
10.4 Using time-synchronization technology, synchronize all critical system clocks and times, and ensure that the following is implemented for acquiring, distributing, and storing time.
10.5 Secure audit trails so they cannot be altered.
10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions, such as intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers.
10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (i.e., online, archived, or restorable from back-up).
35. Regularly Monitor and Test Networks
R-10) Track and monitor all access to network resources and cardholder data.
CradlePoint Recommendation: Utilize an External SysLog Server
§ System Logs as an Audit Trail
– The router automatically logs (records) events of possible interest in its internal memory.
– The log options allow you to filter the router logs based on categories, allowing customization of the types and level of events to record and the level of events to view.
– System logs can be used to identify:
  § Unauthorized login attempts
  § Unauthorized configuration changes
  § Penetration attempts
  § Security attacks
§ Persistence Preserves the Audit Trail
– Utilize WiPipe Central to centrally synchronize and store the system logs.
– Alternatively, the router can be configured to communicate with an external Syslog Server.
36. Regularly Monitor and Test Networks
R-10) Track and monitor all access to network resources and cardholder data.
CradlePoint Recommendation: Utilize an External Time Server
§ Time Synchronization
– Configure routers to communicate with an external Time server.
– Makes it more difficult to change system logs or hide attacks.
– Network Time Protocol (NTP) enables the router to synchronize its system time with a remote server on the internet.
– NTP is an important part of using System Logs to accurately monitor PCI Compliance.
§ NTP Server Options
– pool.ntp.org
– time.nist.gov
– time-windows.com
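The two recommendations above (central syslog storage, then NTP) only pay off if someone actually reviews the stored logs (Requirement 10.6) and the router clocks agree with the server. The following is an added example, not CradlePoint's or the webinar's own code: a small Python review pass over constructed syslog lines in the shape a central syslog server might store them (server receive time, router hostname, then the router-stamped RFC 3164 message). It flags the repeated failed logins and configuration changes the slide lists, and reports any router whose timestamps drift from the server by more than a few minutes, which is the case NTP exists to prevent. Hostnames, message formats and IP addresses are all constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (not real router output): syslog-server receive time, router
# hostname, then the router-stamped message.  store07 is not NTP-synced.
SAMPLE_LOGS = """\
2012-07-31T14:00:03 MBR1400-store12 Jul 31 14:00:02 auth: login failed for user admin from 10.0.5.23
2012-07-31T14:00:05 MBR1400-store12 Jul 31 14:00:04 auth: login failed for user admin from 10.0.5.23
2012-07-31T14:00:07 MBR1400-store12 Jul 31 14:00:06 auth: login failed for user admin from 10.0.5.23
2012-07-31T14:01:10 MBR1400-store12 Jul 31 14:01:09 config: firewall rule set changed by admin
2012-07-31T14:02:00 MBR1400-store07 Jul 31 11:40:00 auth: login ok for user admin from 10.0.7.2
"""
LINE_RE = re.compile(r"^(?P<recv>\S+) (?P<host>\S+) "
                     r"(?P<dev>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<cat>\w+): (?P<msg>.*)$")
FAIL_RE = re.compile(r"login failed for user \S+ from (?P<src>\S+)")

def parse_line(line):
    """Split one stored line into receive time, host, device time, category, message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    recv = datetime.fromisoformat(m["recv"])
    # RFC 3164 device timestamps carry no year; borrow it from the receive time.
    dev = datetime.strptime(f"{recv.year} {m['dev']}", "%Y %b %d %H:%M:%S")
    return {"recv": recv, "host": m["host"], "dev": dev, "cat": m["cat"], "msg": m["msg"]}

def review_logs(text, fail_threshold=3, max_skew=timedelta(minutes=5)):
    """Daily-review pass (Req. 10.6): repeated failed logins, config changes, clock skew."""
    failures, config_changes, unsynced = Counter(), [], set()
    for raw in text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        f = FAIL_RE.search(e["msg"])
        if e["cat"] == "auth" and f:
            failures[(e["host"], f["src"])] += 1
        if e["cat"] == "config":
            config_changes.append((e["host"], e["msg"]))
        # A router whose stamps disagree with the server by more than max_skew
        # cannot be correlated with other sites' logs (Req. 10.4, NTP slide).
        if abs((e["recv"] - e["dev"]).total_seconds()) > max_skew.total_seconds():
            unsynced.add(e["host"])
    return {"brute_force": {k: n for k, n in failures.items() if n >= fail_threshold},
            "config_changes": config_changes,
            "unsynced_hosts": sorted(unsynced)}

if __name__ == "__main__":
    for finding, value in review_logs(SAMPLE_LOGS).items():
        print(finding, value)
```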
37. Requirement 11: Test Security Systems and Processes
Description: Regularly test security systems and processes.
Goal: Track and monitor all access to network resources and cardholder data.
Requirements:
11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.
11.4 Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic at the perimeter of the CDE as well as at critical points inside the CDE, and alert personnel to suspected compromises.
11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly.
38. Requirement 12: Information Security Policy for Personnel
Description: Maintain a policy that addresses information security for all personnel.
Goal: Maintain an information security policy.
Requirements:
12.1 Establish, publish, maintain, and disseminate a security policy.
12.2 Develop daily operational security procedures.
12.3 Develop usage policies for critical technologies (for example, remote access, wireless) and define proper use of these technologies.
12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
12.5 Assign to an individual or team defined information security management responsibilities.
12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers.
12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.
39. Summary of Recommendations
§ Step 1: Segment the network into individual "security zones"
§ Step 2: Configure the firewall
§ Step 3: Lock down the router entry points
§ Step 4: Change the default passwords
§ Step 5: Minimize resources within the CDE network segment
§ Step 6: Create secure WAN connectivity
§ Step 7: Keep the device updated with the latest firmware using WPC
§ Step 8: Lock down the configuration with WiPipe Central
§ Step 9: Configure communication with an external SysLog server
§ Step 10: Configure communication with an external Time server
§ Step 11: Monitor PCI Compliance with WiPipe Central
40. Achieving PCI Compliance
§ CradlePoint Enablers for PCI Compliance
– CradlePoint routers provide several features to enable compliance with the PCI-DSS 2.0 requirements.
– PCI Compliance requires routers to be properly configured, monitored, and maintained.
– WiPipe Central's PCI Compliance Monitoring application enables customers to demonstrate compliance in real time, not just for the quarterly or annual audits.
§ CradlePoint can Help
– The "CradlePoint Enablers for a PCI Compliant System" application note provides details regarding CradlePoint features and capabilities that have been used by other customers to help achieve PCI Compliance for their end-to-end systems.
– CradlePoint professional services can guide customers through the installation, configuration, and monitoring process.
§ Proven Success
– CradlePoint devices are utilized in several large-scale, PCI-compliant deployments.
41. Questions?
Ken Hosac, VP Business Development
Rudy Cedillo, Sr. Enterprise Support Engineer
webinars@cradlepoint.com
www.CradlePoint.com
www.cradlepoint.com/4g-3g-network-solutions/
www.cradlepoint.com/WiPipe
www.cradlepoint.com/case-studies
42. Key Solution Features for PCI Compliance
§ PCI Compliance Monitoring application for WiPipe Central, to manage configuration and firmware updates and to monitor usage
§ Network Segmentation (Ethernet, SSID and VLAN)
§ Ethernet ports (4) that can be individually assigned to specific segments
§ WiFi SSIDs (4) that can be individually secured and assigned to specific segments
§ Virtual LAN support and tagging (VLAN)
§ Stateful Packet Inspection (SPI)
§ Network Address Translation (NAT)
§ Application Level Gateways (ALG)
§ Inbound filtering of IP addresses
§ De-Militarized Zone (DMZ)
§ Virtual Server
§ Ability to disable WAN services (ping, SNMP, web-based management, etc.)
§ MAC filtering
§ Session filtering (non-UDP/TCP/ICMP)
§ Layer 2 Tunneling Protocol (L2TP)
§ VPN Client with support for up to 20 tunnels (product-specific)
§ IPSec
§ GRE
§ WiFi security (WPA/WPA2 Personal/Enterprise, AES/TKIP)
§ RADIUS user authentication on WiFi
§ SysLog support
§ Alerting