Ed Koehler – Director – WW DSE, Distinguished Engineer
Posted on 05-Jan-2016
© 2014 Avaya Inc. Avaya – Confidential & Proprietary. Do not duplicate, publish or distribute further without the express written permission of Avaya. #AvayaATF
May 14th-16th, 2014 | Singapore
Designing and Implementing a PCI-DSS Compliant Network using ‘Stealth’ Networks with Avaya Fabric Connect
Ed Koehler – Director – WW DSE, Distinguished Engineer
Privacy in a Virtualized World
Network and Service Virtualization have transformed the IT industry:
Cloud Services
Software Defined Networking
Security and privacy concerns are being expressed by many risk and security analysts
Regulatory compliance in a virtualized environment can be a difficult bar to reach
Examples are PCI compliance, HIPAA, process flow and control (SCADA) environments, and video surveillance
The Definition of a “Stealth” Network
Any network that is enclosed and self-contained, with no reachability into and/or out of it. It also must be mutable in both services and coverage characteristics
The common comparable terms used are MPLS IP-VPN, Routed Black Hole Network, and IP VPN Lite
Avaya’s Fabric Connect, based on IEEE 802.1aq, provides fast and nimble private networking circuit-based capabilities that are unparalleled in the industry
“Stealth” Networks are private ‘dark’ networks that are provided as services within the Fabric Connect cloud:
L2 Stealth: a non-IP addressed L2 VSN environment
L3 Stealth: an L3 VSN IP VPN environment
Use Case Requirements for “Stealth” Networks
Networks that require isolation and security:
PCI compliance
HIPAA compliance
Financial Exchanges
Video Surveillance (Unicast or Multicast)
SCADA control networks
Networks that require Services Separation:
Multicast – particularly video surveillance
Bonjour
SCADA
PCI DSS Compliance Requirements
See https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors
A Few Words on PCI DSS v 3.0…
Over 100 new controls defined! Many are further clarifications on v 2.0
Main impacting changes:
Inventory of all systems within the Card Holder Data Environment (CDE)
Documented Card Holder data flows within the CDE
Detailed penetration testing requirements
Concerns over ‘weak’ segmentation
Further detail on the role & obligations of third parties and service providers
Full network and data flow diagrams
Penetration testing that ‘matches’ the CDE as it is deployed
Incorporation of ‘business as usual’ PCI compliant processes and policies
Change management and audit – both technical and organizational
https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
PCI-DSS & PA-DSS
PCI-DSS deals with the whole end to end system implementation as it is deployed.
PA-DSS (Payment Application Security Standard) defines what a compliant application must support as it is designed.
PA-DSS is derived from PCI-DSS and defines handling of:
Magnetic Stripe data
Card Verification Codes & Values (CAV2, CID, CVC2, CVV2)
PINs & PIN Blocks
PA-DSS compliance applies to ‘off the shelf’ payment applications
Merchants or SPs MUST certify ‘in-house’ applications!
About Network Segmentation…
While not strictly required for compliance, it is strongly recommended!
Network Segmentation can reduce:
The scope of the PCI-DSS assessment
The cost of the PCI-DSS assessment
The cost and difficulty in maintaining systems compliance
Major benefits of overall risk reduction in the systems model
All of this can be realized IF the network segmentation is secure and properly designed!
Proper design leads to consistency and modularity
Allows for the streamlining of compliance by the use of sampling
What version 3.0 has to say about segmentation and CDE (Card Holder Data Environments)
CDE includes all people, processes and technology
Validation on ‘where’ Card Holder Data exists
Trace processes and systems
Develop flow diagrams of interacting systems & CHD
Develop documented penetration testing specific to the CDE (‘Hack Attack’ methodologies)
Ongoing evaluation of threats/vulnerabilities/risk
The more technologies involved in the CDE, the more penetration testing required! Fabric Connect used end to end eliminates most if not all other network technologies
Fabric Connect (IEEE 802.1aq) can significantly reduce ACL requirements and enhance data flow validation!
Technologies in the CDE:
Firewalls/IDS
Servers/Storage and POS
Authentication -> Identity Engines!
Management applications!*
* Important consideration: ‘lock down’ the mgmt. environment. If it manages a system in the CDE, it is part of the CDE!
Identity Engines & Fabric Connect
Support for PCI Compliance – includes v 3.0 requirements!
There is no PCI ‘product’. Reports must be submitted to prove compliance. Identity aware networking systems can play a key role as one of the PCI Enforcement Tools to ensure that the PCI audits will prove successful. Payment Card data should be segmented and access control should be used to ensure only authorized resources have access to the Payment Card Data Network.
Control Objectives and PCI DSS Requirements:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security
Diagram: PCI Standards, PCI Enforcement Tools, PCI Validation Audit, PCI Audit Report
(*) Supported by Identity Engines
Identity Management and the ‘Series of Gates’ Security Concept
Diagram: End User -> Identity Broker (IDE) -> Fabric Connect Network Elements -> Secure CDE. Gates shown: General Access challenge (General Access ONLY!) and PCI-DSS challenge (L3 VSN Secure Access Authentication).
Anatomy of a Layer 3 Stealth Network (IP VPN)
A SPB I-SID that is associated with End VRF’s
Multiple IP subnets – completely separate & private IP forwarding environment
Provides for a closed IP internet environment
Diagram: Secure L3 “Stealth” Network (IP VPN) – Subnet A and Subnet B VLANs, each mapped through a VRF to the I-SID across the Fabric Connect Cloud.
http://www.youtube.com/watch?v=umR6u5VVdGU
Anatomy of a Layer 2 Stealth Network
A SPB I-SID that is associated with End VLAN’s
No IP addresses assigned*
Provides for a closed non-IP or single subnet IP based network
Typically when used within the Data Center for PCI-DSS systems*
Diagram: Secure L2 “Stealth” Network – two VLANs with no IP addresses mapped to the I-SID across the Fabric Connect Cloud.
http://www.youtube.com/watch?v=pGSYmqAbjBU
End-to-End Usage of Stealth networks for PCI-DSS Compliance – Example Topology
L3 VSN’s are used and terminated at the field service edge – alternately ‘Stealth’ L2 VSN’s can also be used
‘Stealth’ L2 VSN’s are used within the Secure Data Center
Identity Engines provides for access control and protection of the PCI-DSS environment
Diagram: Secure L3 “Stealth” Network (IP VPN) with Subnet A and Subnet B VLANs mapped via VRFs to an I-SID across the Fabric Connect Cloud; FW/IDS at the security demarcation; Secure L2 “Stealth” Networks spanning Core, Distribution and Data Center; PA-DSS Application (Client) and PA-DSS Application (Server); IDE; Secure Single Port.
Fully Virtualized Security Perimeter
Diagram: Data Center 1 and Data Center 2 (Data Center Top of Rack, optional Data Center VRFs*) joined over Fabric Connect; Secure L3 VSN and Secure L2 VSNs; Core Network; Secure Data Center with Firewalls and IDS/IPS forming the Virtualized Security Perimeter; Secure End User VLANs alongside other user VLANs; IDE.
Fully Virtualized Security Perimeter (continued)
Diagram: the same topology (Data Center 1 and Data Center 2 with Top of Rack and optional Data Center VRFs* over Fabric Connect, Secure L2 VSNs and Secure L3 VSN, Core Network, Secure Data Center, Secure End User VLANs and other user VLANs, Firewalls, IDS/IPS, IDE), with the Card Holder Data Environment outlined inside the Virtualized Security Perimeter.
The scoop on Sampling…
Sampling allows for the ability to drastically reduce the overall complexity (and cost) of compliance
Requires consistency and modularity in order to provide for maximum return
Modules of the overall solution can be built and templated. Faithful reproduction is strictly required!
Can drastically reduce compliance costs and ongoing maintenance
BEWARE! Small divergence in details CAN cause NON-COMPLIANCE, i.e. PA-DSS app. “A” on OS “1” is different from PA-DSS app. “A” on OS “2”, or storage on FC is different from iSCSI or NAS
V 3.0 increases focus on end to end validation of the CDE. Templates and consistency are more important than ever!
Penetration testing methods should be developed and documented
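The sampling argument above depends on modules being faithful reproductions of a template, with any divergence (the app-on-OS-1 versus app-on-OS-2 case, or FC versus iSCSI storage) creating a module that needs its own validation. The following is an added example, not Avaya's code and not part of the original deck: it fingerprints each deployed module over the attributes that matter for validation, groups identical modules into sample groups, and lists the sites that drifted from the template. The attribute names, the site names and the template values are constructed for illustration.

```python
"""Sampling-group derivation for a modular CDE design (added example)."""
import hashlib
import json
from collections import defaultdict

# Attributes that define a module for validation purposes (assumed set;
# site name and location are deliberately not part of the fingerprint).
FINGERPRINT_KEYS = ("module_type", "application", "os", "storage", "network_template")


def fingerprint(module: dict) -> str:
    """Canonical SHA-256 over the validation-relevant attributes only, so two
    faithful reproductions of the same template hash identically."""
    relevant = {k: module.get(k) for k in FINGERPRINT_KEYS}
    canonical = json.dumps(relevant, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def sample_groups(modules):
    """Group deployed modules by fingerprint: {fingerprint: [site names]}.
    Each key is one sample group that can be validated by sampling."""
    groups = defaultdict(list)
    for m in modules:
        groups[fingerprint(m)].append(m["site"])
    return dict(groups)


def divergences(template: dict, module: dict):
    """(attribute, template_value, actual_value) for every attribute where the
    module deviates from its template; an empty list means a faithful copy."""
    return [(k, template.get(k), module.get(k))
            for k in FINGERPRINT_KEYS if template.get(k) != module.get(k)]


# Constructed sample inventory (illustrative values, not real sites).
REMOTE_SITE_TEMPLATE = {
    "module_type": "remote_site",
    "application": "pos-app-A",
    "os": "OS-1",
    "storage": "local",
    "network_template": "stealth-l2-vsn-single-port",
}

DEPLOYED = [
    dict(REMOTE_SITE_TEMPLATE, site="store-001"),
    dict(REMOTE_SITE_TEMPLATE, site="store-002"),
    dict(REMOTE_SITE_TEMPLATE, site="store-003", os="OS-2"),   # same app, different OS
    dict(REMOTE_SITE_TEMPLATE, site="store-004"),
    {"site": "dc-1", "module_type": "data_center", "application": "pos-app-A-server",
     "os": "OS-1", "storage": "FC", "network_template": "stealth-l2-vsn"},
    {"site": "dc-2", "module_type": "data_center", "application": "pos-app-A-server",
     "os": "OS-1", "storage": "iSCSI", "network_template": "stealth-l2-vsn"},  # storage differs
]


def sampling_report(template, modules):
    """How many sample groups the inventory needs, and which modules of the
    template's type broke the template."""
    groups = sample_groups(modules)
    drift = {m["site"]: divergences(template, m)
             for m in modules if m["module_type"] == template["module_type"]}
    return {
        "groups": groups,
        "groups_needed": len(groups),
        "drifted_sites": sorted(s for s, d in drift.items() if d),
    }


if __name__ == "__main__":
    report = sampling_report(REMOTE_SITE_TEMPLATE, DEPLOYED)
    for fp, sites in report["groups"].items():
        print(f"sample group {fp}: {', '.join(sites)}")
    print("sample groups needed:", report["groups_needed"])
    print("drifted sites:", report["drifted_sites"])
```

With the constructed inventory, three stores share one fingerprint and can be sampled together, while store-003 (different OS) and each data center (FC versus iSCSI storage) each form a group of their own, so four validations are needed instead of one. Keeping the fingerprint keys aligned with what the assessor actually checks is the design decision that matters; anything left out of the key set is drift the report will not see.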
As per ‘Appendix D’… does not change in v3.0
Fabric Connect addresses all segmentation requirements!
Modularity and Sampling Concept
Diagram: the example topology (Secure L3 “Stealth” Network (IP VPN) with Subnet A and Subnet B, VRFs, Fabric Connect Cloud, FW/IDS, Secure L2 “Stealth” Networks across Core, Distribution and Data Center, PA-DSS Application Client and Server, IDE, Secure Single Port) divided into modules: Remote site systems (App/OS, Switch/Network); Network Distribution Systems; Firewall/IDS Security Demarcation; Data Center Systems; Compute Systems; Storage Systems.
Validation requirements for Merchants
Chart: merchant levels (Level 4 up to Level 1) by number of transactions for MasterCard, VISA, Discover and AMEX, with thresholds shown at 50K, 1M, 2.5M and 6M transactions; validation columns: Network Scan, SAQ, Site Audit.
Network Scan: Quarterly external scan performed by ASV
SAQ: Yearly self-assessment questionnaire
Site Audit: Yearly on-site assessment by QSA or ISA
Validation requirements for Service Providers
Chart: service provider levels (Level 4 up to Level 1) by number of transactions for MasterCard, VISA, Discover and AMEX, with thresholds shown at 50K, 300K and 2.5M transactions; validation columns: Network Scan, SAQ, Site Audit.
PCI-DSS Compliance Design Checklist
Terminate L3 VSN’s as close to the edge as possible
When it is not possible, extend to the edge with Secure “Stealth” L2 VSN’s off of the VRF*
When using Stealth L2 VSN’s, terminate only POS end points to the security demarcation
Limit port membership into Security Demarcation points. Single port per endpoint ideally
Limit port memberships to ONLY point of sale endpoints
IDE can provide for complete assurance of proper network placement and ID
Management of PA-DSS systems. Be sure to limit ONLY point of sale applications to the CDE
Validate Firewall Security Policy Databases at ALL demarcations (TEST!)
Any public Internet or Wireless usage will require encryption
MACsec can be used for Ethernet Trunk protection where required
IPSec and SSL VPN can be used for secure remote VPN
Develop a detailed network diagram of how the CDE relates to the whole network topology with a focus on isolation methods
Highlight Card Holder Data flow
* Multicast is NOT supported in this configuration
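Several of the checklist items above can be tested mechanically against an inventory rather than only by inspection, and the same data model covers the L2 and L3 “Stealth” anatomy slides (an I-SID bound to VLANs for an L2 VSN, to VRFs for an L3 VSN). The following is an added example, not Avaya's code and not part of the original deck: it models I-SIDs, port memberships and inter-VSN demarcations as plain data, then checks that CDE Stealth L2 VSNs hold only POS endpoints with one endpoint per port, and that every path between a CDE and a non-CDE VSN crosses a firewall demarcation whose policy has been tested. The I-SID numbers, switch names, endpoint roles and link attributes are constructed for illustration.

```python
"""Segmentation checks for a 'stealth' network CDE design (added example)."""
from collections import Counter

# Constructed inventory. Each I-SID is one VSN; 'cde' marks it as part of the
# Card Holder Data Environment. L2 VSNs bind VLANs, L3 VSNs bind VRFs.
ISIDS = {
    10100: {"type": "l2", "cde": True,  "binding": "VLAN 100"},
    10200: {"type": "l3", "cde": True,  "binding": "VRF pci-edge"},
    20000: {"type": "l3", "cde": False, "binding": "VRF corporate"},
}

# Port memberships: (switch, port, I-SID, endpoint name, endpoint role).
PORTS = [
    ("store-sw1", "1/1", 10100, "pos-reg-1", "pos"),
    ("store-sw1", "1/2", 10100, "pos-reg-2", "pos"),
    ("store-sw1", "1/3", 10100, "print-srv", "printer"),     # non-POS device in a CDE VSN
    ("dc-tor1",   "1/7", 10100, "pos-app-srv", "pos"),
    ("dc-tor1",   "1/7", 10100, "backup-agent", "backup"),   # two endpoints behind one port
    ("hq-sw1",    "2/1", 20000, "hr-laptop", "user"),
]

# Inter-VSN connectivity. 'firewall' is a security demarcation; 'route' means
# plain IP forwarding between the two VSNs with no demarcation at all.
LINKS = [
    {"a": 10200, "b": 10100, "via": "firewall", "policy_tested": True},
    {"a": 20000, "b": 10200, "via": "firewall", "policy_tested": False},
    {"a": 20000, "b": 10100, "via": "route"},
]


def check_cde_endpoints(isids, ports):
    """Checklist items: only POS endpoints in CDE Stealth L2 VSNs, and a
    single endpoint per port at the security demarcation."""
    findings = []
    for sw, port, isid, ep, role in ports:
        info = isids[isid]
        if info["cde"] and info["type"] == "l2" and role != "pos":
            findings.append(f"{sw} {port}: non-POS endpoint '{ep}' ({role}) in CDE I-SID {isid}")
    per_port = Counter((sw, port) for sw, port, isid, _, _ in ports if isids[isid]["cde"])
    for (sw, port), n in per_port.items():
        if n > 1:
            findings.append(f"{sw} {port}: {n} endpoints share one CDE port (expected 1)")
    return findings


def check_demarcations(isids, links):
    """Checklist item: every path between a CDE VSN and a non-CDE VSN crosses
    a firewall demarcation whose security policy database has been tested."""
    findings = []
    for link in links:
        if isids[link["a"]]["cde"] == isids[link["b"]]["cde"]:
            continue  # both inside or both outside the CDE: no boundary crossed
        pair = f"I-SID {link['a']} <-> {link['b']}"
        if link["via"] != "firewall":
            findings.append(f"{pair}: CDE boundary crossed via '{link['via']}' with no demarcation")
        elif not link.get("policy_tested"):
            findings.append(f"{pair}: firewall policy at demarcation not tested")
    return findings


def audit(isids=ISIDS, ports=PORTS, links=LINKS):
    """Run all checks; an empty list means the inventory passes."""
    return check_cde_endpoints(isids, ports) + check_demarcations(isids, links)


if __name__ == "__main__":
    for finding in audit():
        print("FINDING:", finding)
```

On the constructed inventory the audit reports five findings: a printer and a backup agent inside the CDE L2 VSN, two endpoints sharing a data-center port, a plain routed path from the corporate VRF into the CDE, and a demarcation whose firewall policy was never tested. Feeding the checks from the real port and I-SID tables (exported from the switches rather than typed in) is what turns the checklist into something that can be rerun after every change, which is what the v3.0 ‘business as usual’ requirement asks for.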
In Conclusion…
While IP Virtual Private Networks are nothing new, Avaya takes the concept to a new level with Fabric Connect
Flexible and nimble service extensions and nodal mutability lend themselves to an incredibly mobile secure networking paradigm
“Stealth” Networking – fast, nimble and invisible
“Stealth” Networks can be used to facilitate traditional privacy concerns such as PCI and HIPAA compliance
Next generation private network requirements such as mobility for emergency response, military and/or field based operations
Avaya’s Fabric Connect can deliver all modes of secure private connectivity:
Layer 2 requirements
Layer 3 requirements
Mobile requirements
Thank You!
Ed Koehler
YouTube Channel – https://www.youtube.com/channel/UCn8AhOZU3ZFQI-YWwUUWSJQ
Blog – http://edkoehler.wordpress.com/