Self-Defending Network Support For PCI: BRKSEC-2008

Self-Defending Network
Support for PCI
BRKSEC-2008
BRKSEC-2008
14327_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2
© 2006, Cisco Systems, Inc. All rights reserved. 1

Presentation_ID.scr
Session Description
This session discusses the Payment Card Industry (PCI)

Data Security Standard, and how you use the network to
help achieve PCI Compliance.
We will cover the remote location, e-commerce sites,
main campus, data center, and the network management
for PCI. We will use the Cisco PCI Validated Architecture
Solutions as a reference.
BRKSEC-2008
Agenda
Session Objectives
Compliance and PCI Overview
Applying the Network toward PCI Compliance
Key Takeaways
Q and A
BRKSEC-2008

Presentation_ID.scr
Session Objectives
At the end of the session, you should be able to:

Understand the 12 PCI Requirements
Gain knowledge of where PCI applies within your company
Apply technologies to help achieve PCI compliance
BRKSEC-2008
PCI Defined
and Updates
BRKSEC-2008

Presentation_ID.scr
The PCI Data Security Standard
Published January 2005,

version 1.1 released
September 7, 2006
Impacts all who
Process
Transmit
Store: Cardholder data Payment Card Industry Data
Security Standard
PCI Security Standards January 2005
Council maintains the
standard and certifications
http://www.pcisecuritystandards.org
BRKSEC-2008
PCI Industry Updates

US Level 1 Merchants Deadline was September 30, 2007:
77% are compliant
364 Level 1 Merchants (38 were given September 30, 2008 extension)
US Level 2 Merchant Deadline was December 31, 2007:

62% are compliant
1011 Level 2 Merchants (302 were given December 30, 2008 extension)
Europe Merchants: 2008 deadline

Asia Merchants: 2009 deadline
US Impact of non-compliance
Level 1 merchants: $25,000–$100,000 per month fine,
and will increase over time
Level 2 merchants: $5,000–$25,000 per month fine
Source: VISA January 2008

BRKSEC-2008

Presentation_ID.scr
PCI Standards Update
New PCI Self-Assessment Questionnaires
(SAQ) release
One SAQ ¼ four SAQs to reach more merchants
PCI DSS version 1.2 coming October 2008
Two Information Supplements released April 22, 2008
11.3 Penetration testing
6.6 Web Application Firewall
List of Qualified Security Assessors (QSA) continuously
updated
List of Approved Scan Vendors (ASV) continuously
updated
BRKSEC-2008
VISA PCI Categories –

US Merchants
Category Criteria Requirement
More Than Six Million Visa/
Annual Onsite PCI Data
MasterCard/American Express/
Security Assessment
Level 1 Discover Transactions per Year
Merchants Any Merchant that Has Suffered a
Hack or an Attack that Resulted in Quarterly Network Scan
an Account Data Compromise
Level 2 One Million to Six Million Transactions Quarterly Network Scan

Merchants per Year Annual Self-Assessment
Level 3 20,000 to One Million e-commerce Quarterly Network Scan

Merchants Transactions per Year Annual Self-Assessment
Level 4 Less Than 20,000 e-commerce Quarterly Network Scan

Source:
http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_manage
ment/cisp.html|Defining%20Your%20Merchant%20Level#anchor_2
BRKSEC-2008

Presentation_ID.scr
VISA PCI Categories -
Canadian Merchants
More than Six Million Visa/
MasterCard/American Express/
Security Assessment
Level 1 Discover Transactions per Year
Merchants Any Merchant that Has Suffered a
Hack or an Attack that Resulted in Quarterly Network Scan
an Account Data Compromise
Level 2 150,000 to Six Million e-commerce Quarterly Network Scan

Level 3 20,000 to 150,000 e-commerce Quarterly Network Scan

Level 4A One Million to Six Million Transactions Quarterly Network Scan

Level 4A Less than 20,000 e-commerce Quarterly Network Scan

Source: http://www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm
BRKSEC-2008

Europe Merchants

Processed > 6,000,000 Visa Security Assessment
Level 1 Transactions per Year, Compromised
Merchants in the Last Year, Identified as Level 1
by Another Card Brand Quarterly Network Scan


Level 4 Less than 20,000 e-commerce Quarterly Network Scan

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

BRKSEC-2008

Presentation_ID.scr
Latin America Merchants
High Risk Merchants with 80%
Transaction Volume (Capable of Annual Onsite PCI Data
Storing Credit Card Data) Security Assessment
Level 1 E-commerce Merchants with 80%
Merchants Transaction Volume
Quarterly Network Scan
Any Merchant that Has Suffered Hack
or an Attack Resulting in Account
Data Compromise
High Risk Merchants with Remaining
20% of Transaction Volume Quarterly Network Scan
Level 2
Merchants E-commerce Merchants
Annual Self-Assessment
with Remaining 20% of
Transaction Volume

Merchants Transactions per Year
Annual Self-Assessment
Source: VISA AIS Program http://www.visalatam.com/e_merchant/ais3.jsp

BRKSEC-2008
VISA PCI Categories –

AsiaPac Merchants

Processed > 6,000,000 Visa Security Assessment
Level 1
Merchants Transactions per Year


Level 4 Process < 20,000 e-commerce

Transactions and < One Million Quarterly Network Scan
Merchants Annual Self-Assessment
Transactions Regardless of Channel
Source: VISA http://www.visa-asia.com/ap/au/merchants/riskmgmt/ais_how.shtml

BRKSEC-2008

Presentation_ID.scr
VISA PCI Categories - US, Europe and
Canada Service Providers
All VisaNet Processors (Member and Annual Onsite PCI Data
Level 1
Nonmember) and All Payment Security Assessment
Service
Providers Gateways
Level 2 Any Service Provider that Is Not in Annual Onsite PCI Data
Service Level 1 and Stores, Processes, or Security Assessment
Providers Transmits More than 1,000,000 Visa
Accounts/Transactions Annually Quarterly Network Scan
Any Service Provider that Is Not in Quarterly Network

Level 3
Level 1 and Stores, Processes, or Scan
Service
Providers Transmits Fewer than 1,000,000 Visa
Accounts/Transactions Annually Annual Self-Assessment
Source: VISA
http://usa.visa.com/merchants/risk_management/cisp_service_providers.html?it=c|/merchants/risk_
management/cisp.html|Defining%20Your%20Service%20Provider%20Level#anchor_3
BRKSEC-2008
The Payment Card Industry (PCI)

Data Security Standard
1. Install and maintain a firewall configuration to
Build and protect data
Maintain a
2. Do not use vendor-supplied defaults for system
Secure Network
passwords and other security parameters
3. Protect stored data

Protect
Cardholder Data 4. Encrypt transmission of cardholder data and
sensitive information across public networks
Maintain a 5. Use and regularly update anti-virus software

Vulnerability
Management 6. Develop and maintain secure systems
Program and applications
7. Restrict access to data by business

Implement need-to-know
Strong Access
8. Assign a unique ID to each person with
Control
computer access
Measures
9. Restrict physical access to cardholder data
Regularly 10. Track and monitor all access to network

Monitor and Test resources and cardholder data
Networks 11. Regularly test security systems and processes
Maintain an
Information 12. Maintain a policy that addresses
Security Policy information security
BRKSEC-2008

Presentation_ID.scr
Applying Self-
Defending Network
to PCI
BRKSEC-2008
Cisco PCI Validated Architectures

Cisco Validated Design includes:
Recommended architectures for networks, payment data at rest and data in-transit
Testing in a simulated retail enterprise which include POS terminals, application
servers, wireless devices, Internet connection and security systems
Configuration, monitoring, and authentication management systems
Architectural design guidance and audit review provided by PCI audit and
remediation partners
Validated Design
Small Retail Store PCI Audit Partner:
Retail Solution Partners:
BRKSEC-2008

Presentation_ID.scr
PCI Solution for Retail
End-to-End Architecture
VPN
Retail Store Data Center Internet Edge
WAN Adaptive
Aggregation Security Edge
Cisco Integrated
Store WAN Routers Appliance Routers
Services Router WAN
Internet
VPN
VPN
Cisco
Catalyst Core
Switch Cisco Aironet®
Cisco Catalyst®
Wireless LAN Cisco
Switches
Access Point Catalyst
Switches DMZ
WEB
Application
Service Firewall
Aggregation VPN
Cisco Catalyst Switches
with Service Modules WEB Servers
Server Access Storage Remote

MDS 9000
SAN Switches
Authentication
POS Teleworkers
Transaction Customers
Monitoring Partners
Disk Arrays
Key
Security System Management
Management
POS POS Desktop PCs Payment Mobile Network Tape Storage

Database
Server Electronic and Laptops Devices Payments Management Servers
Cash
Register Network
Services
BRKSEC-2008
Data Center Architecture

Overview
Data Center
WAN Routers WAN
Aggregation
Security services and QoS limit WAN Store WAN Routers
traffic in from business network
If the WAN connects to a public
Core Cisco Catalyst
network, Virtual Private Network Switches
encryption is required
IPSec tunnels encrypt
traffic to store routers Service Cisco Catalyst
Aggregation Switches with
Core Switches Service Modules
High-speed switching and

segmentation between the Server Access Storage
other layers MDS 9000
SAN Switches
Service Aggregation Switches Authentication
POS
Transaction
Application services include Monitoring
Disk Arrays
quality of service, content Key
Security System Management
filtering, and load balancing Management
Security services include Network Tape Storage

Management Database
Servers
access control, firewall,
Network
intrusion prevention Services
BRKSEC-2008

Presentation_ID.scr
Internet
PCI Solution
Store Backup
Internet Edge Customers,
e-Commerce
Network Teleworker
Partners,
Edge Routers Employees
Access Lists limit the traffic allowed Internet Edge

in from the internet
Edge
IPSec and secure web traffic is Routers
allowed in from the Internet

Outside
Service Aggregation Switches
Service
Cisco
Application services include quality Aggregation
Catalyst
Cisco Catalyst Switches
of service, content filtering, and Switches with
load balancing Service Modules
Security services include access DMZ

Cisco VPN
control, firewall, intrusion prevention Catalyst
Switches Adaptive
Security
De-Militarized Zone (DMZ) Appliances
ACE XML
Creates a limited access zone Gateway
Connects web servers and

External Web
e-commerce application servers Web Application
Servers Server
Inside
Virtual Private Network (VPN)
Connects IPSec tunnels from Data Center Core
employee, partners or store routers Cisco Catalyst Switches
BRKSEC-2008
PCI Solution for Retail

Store Components
Intelligent Services Router
Retail Store
Security services limit the traffic
Cisco Intelligent WAN
Services Router allowed in and out of the store network
Routing, QoS and Filtering of business
data flows
Cisco Catalyst Cisco Aironet Wireless Cisco Catalyst LAN Switches

LAN Switch LAN Access Point
Segmentation, Quality of Service
Aironet Wireless Access Points
Connect wireless clients to the
store network
Security and Identity services
enforce central policy for encryption
and authentication
Business Servers and Hosts
Cisco Security Agent enforces
file access and host FW policy
RSA file and database security
POS Server POS Desktop PCs Payment Mobile Mobile management encrypt stored data
Electronic and Laptops Devices Payments POS and
Cash Pricing
Register
RSA Key manager enforces key
management policy
BRKSEC-2008

Presentation_ID.scr
PCI Solution: Remote Location
Small Store
Wireless Security
Controllers Manager
MARS Centralized
Management
ACS Servers
Alternate WAN WCS

Primary WAN
Connection Connection
Cisco Integrated Services Router

Cisco IOS® Security + Ethernet Switch
Cisco 802.11AG
Mobile WLAN Access Point
POS
Inventory
Management
PoS Store
VLAN/ CSA Worker PC
WVLAN POS Cash
Register POS Server Data VLAN/
WVLAN
BRKSEC-2008

Medium Store
Security
Manager
MARS Centralized
Alternate WAN Primary WAN Management
Connection Connection Servers
ACS
Cisco ISR Cisco ISR WCS

IOS Security IOS Security
+Wireless LAN
Cisco Catalyst Switches Controller
Power over Ethernet
and Security Management
VLAN
Cisco 802.11a/b/g
WLAN Access Points
Mobile POS Store

Worker PC
POS
PoS Inventory
VLAN/ CSA POS Server Data VLAN Management
WVLAN WVLAN
Personal Shopper/PDA for Partner Device for

Enhanced Customer Service Inventory Management
BRKSEC-2008
14327_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public
Vendor/Guest WVLAN 24

Presentation_ID.scr
Large Store
Security
Manager
Alternate WAN Primary WAN MARS Centralized

Connection Connection Management
ACS Servers
Cisco ISRs
IOS Security
Wireless WCS
Controllers
Cisco Catalyst
Management Switches
Cisco 802.11a/b/g VLAN Distribution
WLAN Access Points and Access
Store
Data VLAN
Worker PC
and WVLAN
Inventory
Mobile POS Management
PoS POS
VLAN/
WVLAN CSA POS Server
Personal Shopper/ PDA Vendor Device for
Customer Service Inventory Management
BRKSEC-2008
14327_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public Vendor/Guest WVLAN 25
Network Environment Blue Print
Remote Location Internet Main Office Network Management Center

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
7300 ASA
ASA ASA CS-MARS
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch
Store WAP Credit Card

Worker PC AXG AXG Storage
Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008

Presentation_ID.scr
Cisco Security Manager (CSM)
Topology-Centric View
BRKSEC-2008
PCI Requirement 1
Install and Maintain a Firewall Configuration
to Protect Data
Configuration standards, documentation
Segment card holder data from all other data
FW to public connections (Inbound and Outbound)
Wireless
Personal Firewall
BRKSEC-2008

Presentation_ID.scr
Requirement 1: Install and Maintain a
Firewall Configuration to Protect Data

Edge
POS VLAN
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
ASA 7300 ASA ASA CS-MARS
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Data VLAN
Wireless CSA VLAN
Device
E-commerce CSA
Data Center
BRKSEC-2008
For Your
CSM Firewall Configuration Reference
BRKSEC-2008

Presentation_ID.scr
For Your
CSM Global Firewall Configuration Reference
BRKSEC-2008
ASA: Inspection Rules
BRKSEC-2008

Presentation_ID.scr
Network Compliance Manager (NCM)
Requirement 1 Status
BRKSEC-2008
PCI Requirement 2
Do Not Use Vendor-Supplied Defaults for System
Passwords and Other Security Parameters
Change vendor supplied defaults
Wireless: Change wireless vendor defaults, disable
SSID broadcasts, use WPA/WPA2
Configuration standards for all system components
Implement one primary function per server
Disable all unnecessary and insecure services
and protocols
BRKSEC-2008

Presentation_ID.scr
Requirement 2: Do Not Use Vendor-
Supplied Defaults for System Settings

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008
PCI Requirement 2.1 for Wireless

Verify that the Cisco Controller is, by default, configured
for administrative restriction and AAA authentication for
administrative users
Verify that no default SSID is enabled on the WLC
Disable/remove default SNMP strings of “public/private”
Create new community strings
Verify that default community strings are no longer accessible
Configure administrative user either via initial controller setup
script or via CLI
Configure wireless system for WPA authentication
Disable SSID Broadcast
BRKSEC-2008

Presentation_ID.scr
For Your
Cisco Wireless Configuration Reference
BRKSEC-2008
PCI Requirement 3
Protect Stored Data
Keep cardholder data storage to a minimum
Do not store the full contents of any track from the magnetic
stripe (also called full track, track, track1, track 2 and
magnetic stripe data), card-validation code or value, PIN
Mask PAN when displayed, and render it unreadable when
stored (hashed indexes, truncation, index tokens and pads,
strong cryptography), disk encryption
Document and implement key management processes
BRKSEC-2008

Presentation_ID.scr
Requirement 3: Protect Stored Data

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008
Protect Stored Data: From What?
Cisco Security Agent (CSA) protects from:

Copying cardholder information to removable media (USB
sticks, CD ROMs, etc.)
Copying cardholder information to different file formats
Printing cardholder information
Saving information to a local machine
Plus typical worm/virus protection (think e-commerce)
BRKSEC-2008

Presentation_ID.scr
CSA Information For Your
Protection Creation Reference
BRKSEC-2008
For Your
CSA Action Rule Reference
BRKSEC-2008

Presentation_ID.scr
PCI Requirement 4
Encrypt Transmission of Cardholder Data Across Open,
Public Networks
Use SSL/TLS or IPSec, WPA for wireless
If using WEP:
Use with a minimum 104-bit encryption key and 24 bit-
initialization value
Use only in conjunction with WPA/WPA2, VPN or SSL/TLS
Rotate shared WEP keys quarterly (or automatically)
Restrict access based on MAC address
Never send unencrypted PANs

by e-mail
BRKSEC-2008
Requirement 4: Encrypt Transmission of

Cardholder Data Across Public Networks

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008

Presentation_ID.scr
GET VPN: Tunnel-less VPNs
A New Security Model
IPSec Point-to-Point Tunnels Tunnelless VPN
WAN
Multicast
Scalability—an issue (N^2 problem) Data is encrypted without need for tunnel
Overlay routing overlay—scalable any-to-any
Any-to-any instant connectivity cannot be Routing/multicast/QoS integration
done to scale is optimal—native routing
Limited advanced QoS Encryption can be managed by either
subscribers or service providers
Multicast replication inefficient
BRKSEC-2008
Customized, per-application encryption
IronPort: PCI Compliance over Email

Automatic Detection and Encryption of Credit Card Info
Comprehensive Scanning for Cardholder Info
Integrated Encryption and Remediation
Auditable Reporting
“IronPort meets PCI
compliance requirements
Internet in an easy to administer,
Users Outbound Mail IronPort Email Security Appliance transparent manner.”
—Brian Burke, Director,
Secure Content, IDC
Comprehensive Detection:
• Credit Card Smart Identifier
“IronPort has provided
customers with an easy
• Preloaded PCI Lexicons Dictionary
to deploy, use, and
• Embedded Attachment Scanning
manage PCI compliance
Integrated Remediation: solution for email.”
• Universal Message Encryption —Barry Johnson, Director,
• Quarantine, Archive Capabilities Risk Mitigation, IGXGlobal
• Notifications
BRKSEC-2008 • Reporting

Presentation_ID.scr
For Your
NCM Requirement 4 Status Reference
BRKSEC-2008
For Your
Cisco Wireless Configuration Reference
BRKSEC-2008

Presentation_ID.scr
PCI Requirement 5
Use and Regularly Update Anti-Virus Software
or Programs
Deploy anti-virus software on all systems commonly affected
by viruses
AV programs capable of detecting, removing, and protecting
against all forms of malicious software, including spyware
and adware
Ensure that all AV mechanisms are current, actively running,
and capable of generating audit logs
BRKSEC-2008
Requirement 5: Use and Regularly

Update Anti-Virus Software

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008

Presentation_ID.scr
For Your
NAC Manager Reference
BRKSEC-2008
For Your
Adding NAC A/V Rule Reference
BRKSEC-2008

Presentation_ID.scr
For Your
NAC Rule List Reference
BRKSEC-2008
NAC A/V Update
BRKSEC-2008

Presentation_ID.scr
IronPort A/V
Industry Leading Defense in Depth Solution
Preventive Defense + Reactive Defenses
Virus Outbreak Filters + Anti-Virus Signatures
IronPort
McAfee Sophos
Virus
Anti-Virus Anti-Virus
Outbreak
Signatures Signatures
Filters
Ease of Deployment and Zero Management

Automatic Updates
Email Security: Highest Virus Transmission Medium
BRKSEC-2008
PCI Requirement 6
Develop and Maintain Secure Systems and Applications
Systems and software have latest vendor-supplied security
patches installed; install relevant security patches within one
month of release
Establish process to identify new security vulnerabilities (subscribe
to alert services, etc.)
Develop SW applications based on industry best practices and
incorporate security throughout SW development lifecycle
Develop web application based on secure coding guidelines such
as the Open Web Application Security Project
Web-facing applications are protected against known attacks
by installing an application layer firewall in front of web-facing
applications, or review application code by a specialized
application security organizations
BRKSEC-2008

Presentation_ID.scr
Requirement 6: Develop and Maintain
Secure Systems and Applications

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008
For Your
OWASP’s 2007 Top Ten Reference
BRKSEC-2008

Presentation_ID.scr
Cisco Application Control Engine (ACE)
XML Gateway
AXG in Action: Blocking XSS Attacks
1. Define hosts to protect
2. Define policies per host
We are going to validate

GET and POST parameters
BRKSEC-2008

1. Define acceptable range for each GET or POST query parameter
2. Attack detected and blocked
BRKSEC-2008

Presentation_ID.scr
1. Alternatively, use a blacklist approach using
Cisco-verified signatures
BRKSEC-2008
PCI Requirement 7
Restrict Access to Cardholder Data
by Business Need-to-Know
Limit access to computing resources and cardholder
information only to those individuals whose job requires
such access
Establish a mechanism for systems with multiple users that
restricts access based on a user’s need to know and is set
to “deny all” unless specifically allowed
BRKSEC-2008

Presentation_ID.scr
Requirement 7: Restrict Access to Data
by Business Need-to-Know

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008
For Your
CSA Action Rule Reference
BRKSEC-2008

Presentation_ID.scr
When a User Attempts to For Your
Save a Change… Reference
BRKSEC-2008
For Your
CSA Manager Event Log Reference
BRKSEC-2008

Presentation_ID.scr
PCI Requirement 8
Assign a Unique ID to Each Person
with Computer Access
Identify all users with a unique user name before allowing
access to system components or cardholder data
In addition, employ one method of authentication
(password, token devices [SecureID, certificates
or public key], biometrics)
Implement two-factor authentication
Encrypt all passwords during transmission and storage
BRKSEC-2008
Requirement 8: Assign a Unique ID to

Each Person with Computer Access

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008

Presentation_ID.scr
Cisco Secure Access Control For Your
Server (ACS) Reference
Administration Accounts
BRKSEC-2008
For Your
Cisco ACS Reference
Only Allow HTTPS Connections
BRKSEC-2008

Presentation_ID.scr
For Your
Cisco ACS Reference
Idle Timeouts and Failed Attempts
BRKSEC-2008
For Your
Cisco ACS Reference
Map to Active Directory
BRKSEC-2008

Presentation_ID.scr
PCI Requirement 9
Restrict Physical Access to Cardholder Data
Facility entry controls and monitor physical access to systems
that store, process or transmit cardholder data
Cameras to monitor sensitive areas
Restrict physical access to network jacks, wireless access points,
gateways, and handheld devices
Distinguish between employees and visitors

Visitor log in, physical token, authorization before entering area
Physically secure card holder data media
Destroy media when it is no longer needed
BRKSEC-2008
PCI Requirement 10
Track and Monitor All Access to Network Resources
and Cardholder Data
Implement automated audit trails
Record audit trail entries
Secure audit trails so they cannot be altered
Review logs for all system components
at least daily
Destroy media when it is no longer needed
Retain audit trail history for at least
one year, with a minimum of three
months online availability
BRKSEC-2008

Presentation_ID.scr
Requirement 10: Track and Monitor All
Access to Network and Cardholder Data

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008
CS-MARS: PCI DSS Requirement 10

Critical System Access Monitoring
PCI DSS Requirement 10: “Is

Administrator Access to the End
Systems Monitored?”
BRKSEC-2008

Presentation_ID.scr
For Your
CS-MARS PCI Reports/Reporting Reference
PCI Reports Group
Detailed Monitoring and

Reporting for PCI
Requirements
Comprehensive PCI Reports
BRKSEC-2008
For Your
CS-MARS for PCI Reporting Reference
Comprehensive and Detailed Reports and Reporting

PCI Reports Group
BRKSEC-2008

Presentation_ID.scr
For Your
BRKSEC-2008
PCI Requirement 11
Regularly Test Security Systems and Processes
Use a wireless analyzer at least quarterly to identify all
wireless devices in use
Run internal and external network vulnerability scans at least
quarterly and after any significant change in the network
Perform penetration testing at least once a year and after
any significant upgrade or modification
Use NIDS/IPS, HIDS/HIPS
Deploy file integrity monitoring software to perform critical
file comparisons at least weekly
BRKSEC-2008

Presentation_ID.scr
Requirement 11: Regularly Test Security
Systems and Processes

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco
IPS
Catalyst ISR 6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008
Cisco ASA 5500 Series and IPS Network

Environment Blue Print for PCI

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register
NCM/CAS
ASA
7200/
ASA 7300 ASA CS-MARS
WAP IPS
WAN
Cisco
Catalyst ISR ASA
6500 WAP
Switch ASA CSA
Switch
Store WAP IPS Credit Card

Worker PC Storage
Wireless CSA
Device
E-commerce CSA
Data Center
ASA IPS, Cisco IOS IPS, or IPS 4200, ASA-IPS IPS 4200 or
ISR AIM IPS or IDSM-2 ASA-IPS
BRKSEC-2008

Presentation_ID.scr
CS-MARS: PCI DSS Requirement 11
Wireless Access Detection
PCI DSS Requirement 11: “Is the

Wireless Network Being Monitored
and Are New Wireless Devices
Identified?”
Cisco Wireless Controller
BRKSEC-2008
For Your
Wireless Controller Configuration Reference
Scan for and Detect Rogue APs and Wireless Devices
Untrusted AP Policy
Rogue Location Discovery Protocol………………………Disabled
RLDP Action ……………………………………...Alarm Only
Rogue APs
Rogues AP advertising my SSID ………………….Alarm Only
Detect and report Ad-Hoc Networks ………………Enabled
BRKSEC-2008

Presentation_ID.scr
Cisco Security Manager
IPS Device-Centric Signature View
BRKSEC-2008
Cisco Security Manager

Policy-Centric Signature View
BRKSEC-2008

Presentation_ID.scr
Cisco Security Agent (CSA)
PCI Rule Modules
BRKSEC-2008
CSA PCI Requirement 11 Modules
BRKSEC-2008

Presentation_ID.scr
CSA PCI Module Drill-Down
BRKSEC-2008
NCM Requirement 11 Status
BRKSEC-2008

Presentation_ID.scr
PCI Requirement 12
Maintain a Policy that Addresses Information Security
for Employees and Contractors
Establish, publish, maintain, and disseminate a security policy
Develop usage policies for critical employee-facing technologies
Implement a security awareness program
Implement an incident response plan
If cardholder data is shared with service providers, the SP must
adhere to the PCI DSS requirements
BRKSEC-2008
Requirement 12: Maintain a Policy that

Addresses Information Security

Edge
CSA ACS
Mobile CSA CSM
POS POS POS Server
Cash NAC
Register IronPort
NCM/CAS
ASA
7200/
WAP
WAN
Cisco IPS
Catalyst ISR
6500 WAP
Switch CSA
Switch

Wireless CSA
Device
E-commerce CSA
Data Center
BRKSEC-2008

Presentation_ID.scr
CSM Workflow
“Enable Different Management Teams to Work Together”
What Is It?
Structured process for change Security
management that complements Operations Create/ Review/ Approve/
your operational environment Policy Edit Policy Submit Commit
Definition
Undo
Example
Who can set policies
Generate/ Approve
Who can approve them Policy Deployment Submit Job
Deploy
Job
Network
Who can approve deployment Operations
and when Policy Rollback
Deployment
Who can deploy them
Firewall, VPN, and IPS Services
Benefit
Provides scope of control
BRKSEC-2008
CSM Role-Based Access Control

Cisco IOS
Software
What Is It?
Authenticates administrator’s
access to management system
Determines who has access Cisco Security Manager Cisco PIX®
to specific devices and Firewall and
Cisco ASA
policy functions
Example
Verifies administrator and AAA
associate administrators to
specific roles as to who can Remote
do what Cisco Secure ACS
Access
Benefit
Enables delegation of
administrator tasks to Home
Office
multiple operators
Provides appropriate separation
of ownership and controls
BRKSEC-2008

Presentation_ID.scr
For Your
BRKSEC-2008
Cisco Solution for PCI

Edge
9999 Cisco
Security 999 9999
999 999 Agent (CSA) ACS Cisco
999
CSA Security
POS POS Server
Terminal 999 NAC
Management
IronPort 9999
999 ASA 5500
9999 9
NCM/CAS
99 7300
9999 Router ASA ASA CS-MARS
WAP
999 99 9999
Cisco
WAN
IPS 999
Catalyst ISR
6500 9999
Switch
9999 9999 Switch
WAP
9 999 9 CSA
Store
999 AXG 9999 999
9 AXG Credit Card
Worker PC
99
Wireless 9CSA
Storage
999
CSA
Device
999
E-commerce Data Center
Requirement 1 Requirement 4 Requirement 7 Requirement 10
BRKSEC-2008

Presentation_ID.scr
PCI Solution Mapping
Iron ACE
PCI ISR ASA CSA MARS WLAN IPS NAC 6500
Port
CSM NCM
XML
ACS
1 9 9 9 9 9 n/a n/a 9 n/a 9 9 n/a n/a

2 9 9 n/a 9 9 n/a n/a n/a n/a 9 9 n/a n/a
3 n/a n/a 9 9 n/a n/a n/a n/a n/a n/a n/a n/a n/a
4 9 9 n/a 9 9 n/a n/a 9 9 9 9 n/a n/a
5 9 9 9 9 n/a n/a 9 n/a 9 n/a n/a n/a n/a
6 9 n/a 9 9 n/a n/a 9 n/a 9 n/a 9 9 n/a
7 9 9 9 9 n/a n/a 9 9 n/a 9 9 n/a 9
8 9 9 9 9 n/a n/a n/a n/a n/a 9 9 n/a 9
9 n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a n/a
10 9 9 9 9 9 9 n/a 9 n/a 9 9 n/a 9
11 9 9 9 9 9 9 n/a 9 n/a 9 9 n/a n/a
12 9 9 9 9 9 9 9 9 9 9 9 9 9
BRKSEC-2008
Cisco PCI Services
BRKSEC-2008

Presentation_ID.scr
Services from Cisco and
Cisco Security Specialized Partners
Supporting your efforts to achieve compliance
Identify and remediate gaps in your current network environment relative
to the PCI Data Security Standard
Gap analysis and remediation plan
Design and implementation
Supporting your efforts to stay compliant

Asset monitoring and support for configuration and change management
Quarterly security gap analysis
Periodic reporting of PCI-critical device status
*PCI compliance service capabilities may vary by region
BRKSEC-2008
Gap Analysis and For Your

Reference
Remediation Plan
Identifies Gaps in Your Network
Components and Systems, Policies,
and Processes
PCI Analysis Toolset
Collects data about devices and configurations (Cisco
and third party)
Analyzes your network for gaps relative to PCI Data
Security Standard requirements
Cisco engineer creates a tailored remediation plan
that includes a prioritized set of actions for closing
compliance gaps
BRKSEC-2008

Presentation_ID.scr
For Your
Reference
Design and Implementation
Best Practices for Implementing the
Remediation Plan Recommendations
Security Policy Definition
Develop or refine your company’s high-level goals,
procedures, rules, and requirements for securing
its information assets
Design Review, if necessary
Provide design review if the PCI gap analysis and
remediation plan suggest it
Implementation
Implement your solution on time and on budget by
following a thorough, detailed implementation
process based on best practices
Realize business and technical goals by installing,
configuring, and integrating new system
components in accordance with remediation plan
recommendations
BRKSEC-2008
Asset Monitoring and Support for For Your

Reference
Configuration and Change Management
Asset Monitoring
Monitor and manage devices critical to your
PCI-compliant network in real time 24 hours a day,
365 days a year
Identify anomalies, events, or trends that might
adversely affect your network security
Provide consolidated status reports that you can
use with your stakeholders and third parties such
as auditors
Configuration Management Support
Improve operational efficiency by maintaining an
accurate, reliable system configuration database
and managing configuration changes through an
orderly, effective process
Change Management Support
Reduce operating costs and limit change-related
incidents with a consistent and efficient change
management process
BRKSEC-2008

Presentation_ID.scr
Quarterly Incremental For Your
Reference
Security Gap Analysis
Assess for Changes that Might Affect Compliance
Provide Improvement Recommendations and

Remediation Services as Needed
BRKSEC-2008
Summary
BRKSEC-2008

Presentation_ID.scr
Summary
Key Take Aways
PCI is moving rapidly to global importance
PCI Compliance encompasses Security Best Practices
Work closely with Approved Scan Vendor and Qualified
Security Assessor to understand expectations
Use Cisco’s PCI Validated Architectures as a guide to ease
design and implementation
BRKSEC-2008
More Information
Cisco Compliance information

http://www.cisco.com/go/compliance
http://www.cisco.com/go/retail
VISA Cardholder Information Security Program

http://usa.visa.com/merchants/risk_management/cisp.html
MasterCard PCI Merchant Education

http://www.mastercard.com/us/sdp/education/pci%20merchant
%20education%20program.html
PCI Security Standards Council

https://www.pcisecuritystandards.org/
BRKSEC-2008

Presentation_ID.scr
Relevant Security Sessions
BRKSEC-2004 Monitoring and Mitigating Threats
Inside the Perimeter: Six Steps to Improving Your
BRKSEC-2006
Security Monitoring
BRKSEC-2007 Deploying Cisco IOS Security
BRKSEC-2011 Deploying Site-to-Site IPSec VPNs
BRKSEC-2012 Deploying Dynamic Multipoint VPNs
BRKSEC-2020 Firewall Design and Deployment
BRKSEC-2030 Deploying Network-Based Intrusion Prevention Systems
BRKSEC-2031 Understanding Host-Based Threat Mitigation Techniques
BRKSEC-2041 Deploying Cisco Network Admission Control Appliance
BRKSEC-2052 Secure Messaging
BRKSEC-4012 Advanced IPSec with GET VPN
BRKSEC-2008
Q and A
BRKSEC-2008

Presentation_ID.scr
Recommended Reading
Continue your Cisco Live

learning experience with further
reading from Cisco Press®
Check the Recommended
Reading flyer for suggested
books
Available Onsite at the Cisco Company Store

BRKSEC-2008
Complete Your Online

Session Evaluation
Give us your feedback and you could win Don’t forget to activate
fabulous prizes; winners announced daily. your Cisco Live virtual
account for access to
Receive 20 Passport points for each session all session material
evaluation you complete on-demand and return
for our live virtual event
Complete your session evaluation online now in October 2008.
(open a browser through our wireless network Go to the Collaboration
to access our portal) or visit one of the Internet Zone in World of
stations throughout the Convention Center Solutions or visit
www.cisco-live.com.
BRKSEC-2008

Presentation_ID.scr
BRKSEC-2008

Presentation_ID.scr

Self-Defending Network Support For PCI: BRKSEC-2008

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Self-Defending Network Support For PCI: BRKSEC-2008

Uploaded by

Copyright:

Available Formats

Self-Defending Network

Support for PCI

© 2006, Cisco Systems, Inc. All rights reserved. 1

This session discusses the Payment Card Industry (PCI)

© 2006, Cisco Systems, Inc. All rights reserved. 2

At the end of the session, you should be able to:

© 2006, Cisco Systems, Inc. All rights reserved. 3

 Published January 2005,

PCI Industry Updates

 US Level 2 Merchant Deadline was December 31, 2007:

 Europe Merchants: 2008 deadline

Source: VISA January 2008

© 2006, Cisco Systems, Inc. All rights reserved. 4

VISA PCI Categories –

Level 2 One Million to Six Million Transactions Quarterly Network Scan

Level 3 20,000 to One Million e-commerce Quarterly Network Scan

Level 4 Less Than 20,000 e-commerce Quarterly Network Scan

© 2006, Cisco Systems, Inc. All rights reserved. 5

Level 2 150,000 to Six Million e-commerce Quarterly Network Scan

Level 3 20,000 to 150,000 e-commerce Quarterly Network Scan

Level 4A One Million to Six Million Transactions Quarterly Network Scan

Level 4A Less than 20,000 e-commerce Quarterly Network Scan

VISA PCI Categories -

Annual Onsite PCI Data

Level 2 One Million to Six Million Transactions Quarterly Network Scan

Level 3 20,000 to One Million e-commerce Quarterly Network Scan

Level 4 Less than 20,000 e-commerce Quarterly Network Scan

Source: VISA Europe http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp

© 2006, Cisco Systems, Inc. All rights reserved. 6

Level 3 20,000 to One Million e-commerce Quarterly Network Scan

Source: VISA AIS Program http://www.visalatam.com/e_merchant/ais3.jsp

VISA PCI Categories –

Annual Onsite PCI Data

Level 2 One Million to Six Million Transactions Quarterly Network Scan

Level 3 20,000 to One Million e-commerce Quarterly Network Scan

Level 4 Process < 20,000 e-commerce

Source: VISA http://www.visa-asia.com/ap/au/merchants/riskmgmt/ais_how.shtml

© 2006, Cisco Systems, Inc. All rights reserved. 7

Any Service Provider that Is Not in Quarterly Network

The Payment Card Industry (PCI)

3. Protect stored data

Maintain a 5. Use and regularly update anti-virus software

7. Restrict access to data by business

Regularly 10. Track and monitor all access to network

© 2006, Cisco Systems, Inc. All rights reserved. 8

Cisco PCI Validated Architectures

Retail Solution Partners:

© 2006, Cisco Systems, Inc. All rights reserved. 9

Server Access Storage Remote

POS POS Desktop PCs Payment Mobile Network Tape Storage

Data Center Architecture

 Core Switches Service Modules

High-speed switching and

Security services include Network Tape Storage

© 2006, Cisco Systems, Inc. All rights reserved. 10

Access Lists limit the traffic allowed Internet Edge

allowed in from the Internet

Security services include access DMZ

Connects web servers and

PCI Solution for Retail

Cisco Catalyst Cisco Aironet Wireless  Cisco Catalyst LAN Switches

© 2006, Cisco Systems, Inc. All rights reserved. 11

Published January 2005,

US Level 2 Merchant Deadline was December 31, 2007:

Europe Merchants: 2008 deadline

Core Switches Service Modules

Cisco Catalyst Cisco Aironet Wireless Cisco Catalyst LAN Switches

Cisco Security Agent (CSA) protects from:

Plus typical worm/virus protection (think e-commerce)

Never send unencrypted PANs

Ease of Deployment and Zero Management