

AirTight Networks White Paper

© 2013 AirTight Networks, Inc. All rights reserved.

PCI Wireless Compliance with AirTight WIPS

A White Paper by AirTight Networks, Inc.

339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043

www.airtightnetworks.com


Introduction

Recent incidents have highlighted the growing popularity of wireless among cybercriminals as a way to obtain sensitive data from both wired and wireless networks. The TJX incident — the largest known wireless security breach in U.S. history — is a prime example. Hackers used unsecured wireless as an entry point to access TJX networks worldwide. Over 90 million credit- and debit-card records, along with personal information (social security numbers, driver’s license numbers, and military identification) of more than 451,000 customers, were stolen. A total of nine retail chains — including Office Max, Boston Market, Barnes & Noble, Sports Authority, Forever 21, and DSW — were victims of this heist. Forrester Research estimated the cost of covering financial losses and lawsuit settlements at one billion dollars.

Notably, the wireless networks hacked in this incident were not necessarily used for processing cardholder data, but they were connected to wired networks that were part of the cardholder data environment (CDE). This highlighted the need to comprehensively secure the CDE against all types of wireless threats, including those initiated from outside it and those initiated from “Rogue” wireless access points and clients installed unofficially inside it.

The Payment Card Industry Security Standards Council (PCI SSC) responded promptly by releasing version 1.2 of the PCI Data Security Standard (PCI DSS) in October 2008, later amended to version 2.0 in October 2010. The PCI SSC’s Wireless Special Interest Group (SIG) complemented these efforts with a PCI DSS Wireless Guideline document in July 2009 that clarified the wireless security requirements for PCI compliance and provided guidance on implementing wireless security measures to protect the CDE.

This document describes how AirTight WIPS helps organizations achieve compliance with the wireless security sections of the PCI DSS 2.0 standard.

“Although [use of a wireless analyzer for scanning] is technically possible for a small number of locations, it is often operationally tedious, error-prone, and costly for organizations that have several CDE locations. For large organizations, it is recommended that wireless scanning be automated with a wireless IDS/IPS system.”

- PCI Security Standards Council Wireless SIG


AirTight WIPS Architecture

AirTight WIPS consists of wireless security monitoring Sensors installed at distributed locations. The Sensors continuously scan the wireless environment in their neighborhood and report summarized information to a centralized Server. The Server provides a centralized web-based console for system configuration, for viewing and acting on scan data and alerts, and for scheduling and generating PCI compliance reports. The Sensors can also act as APs to provide Wi-Fi access.

Distributed Sensors communicate with the Server using AirTight’s lightweight and secure SpectraTalk™ protocol; SSL is also supported as an alternative for Sensor-Server communication.

A location- and brand-context-aware centralized console facilitates ease of management.

[Figure: AirTight WIPS architecture. Labels: AirTight Sensor/AP, AirTight Server, Central Location, Console, Notification]


PCI DSS 2.0 Compliance with AirTight WIPS

Requirements Applicable to All CDEs:

PCI DSS Requirement | Testing Procedures | How AirTight Meets the Requirement (AirTight’s responses below are prefixed “AirTight:”)

11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.

Note: Methods that may be used in the process include but are not limited to wireless network scans, physical/logical inspections of system components and infrastructure, network access control (NAC), or wireless IDS/IPS.

Whichever methods are used, they must be sufficient to detect and identify any unauthorized devices.

11.1.a Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis.

11.1.a AirTight: Sensors continuously scan the wireless environment to detect and report wireless devices (APs, clients and their connections) visible in the wireless neighborhood.

11.1.b Verify that the methodology is adequate to detect and identify any unauthorized wireless access points, including at least the following:

• WLAN cards inserted into system components

• Portable wireless devices connected to system components (for example, by USB, etc.)

• Wireless devices attached to a network port or network device

11.1.b AirTight: All types of unauthorized wireless devices connected to the monitored network are detected, including all commercially available AP devices and portable USB, PCMCIA and soft APs running on end-user devices.

At the same time, legitimate neighboring APs that do not pose any threat are positively identified, eliminating false positives on Rogue APs.

This is facilitated by accurate and lightweight (not requiring interaction with the managed switches) AP network connectivity detection using AirTight’s unique patented Marker Packet™ technology, which uses active packet injection to positively test an AP’s connectivity to the monitored network.

11.1.c Verify that the documented process to identify unauthorized wireless access points is performed at least quarterly for all system components and facilities.

11.1.c AirTight: The unauthorized AP detection described above works on a continuous basis. Unauthorized APs within the radio coverage of a Sensor and connected anywhere on the subnets monitored by that Sensor are detected as Rogue APs.

11.1.d If automated monitoring is utilized (for example, wireless IDS/IPS, NAC, etc.), verify the configuration will generate alerts to personnel.

11.1.d AirTight: Alert notification is supported in a number of ways:

• Alert display on console

• Email to administrator

• Inclusion of the PCI related alerts in the pre-configured PCI wireless compliance report

• SNMP, syslog, ArcSight notification (AirTight only)

The pre-configured PCI wireless compliance report also catches any mis-configurations of the PCI related alert notification options.
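The following added example, which is not AirTight code, shows the triage logic that the 11.1.b through 11.1.d rows describe: it classifies scan records from several overlapping sensors as authorized, rogue (unknown and wired into a monitored subnet), or external neighbor, and renders a syslog-style alert line for each AP that needs a response. It goes beyond the page by also flagging an external AP that advertises a corporate SSID. The record format, the BSSID inventory, the SSID list and the wired-connectivity flag (standing in for the result of a connectivity test such as the Marker Packet check) are all assumptions constructed for the example.

```python
"""Rogue AP triage over constructed sensor scan records.

Added example, not AirTight code. The wired_to_monitored_subnet flag is a
constructed stand-in for the result of a connectivity test (such as a Marker
Packet check); the inventory and scan records below are also constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class ApObservation:
    bssid: str                       # AP radio MAC as reported by the sensor
    ssid: str
    rssi_dbm: int                    # signal strength measured at the sensor
    wired_to_monitored_subnet: bool  # constructed stand-in for a connectivity test result
    sensor_id: str


# Constructed inventory: BSSIDs of APs the organization deployed, and the
# SSIDs that only those APs are allowed to advertise.
AUTHORIZED_BSSIDS: Set[str] = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
CORPORATE_SSIDS: Set[str] = {"CORP-POS"}


def dedupe_strongest(observations: Iterable[ApObservation]) -> List[ApObservation]:
    """Keep one record per BSSID (strongest signal) when several sensors see the same AP."""
    best: Dict[str, ApObservation] = {}
    for obs in observations:
        key = obs.bssid.lower()  # MAC case differs between sensors; normalize it
        if key not in best or obs.rssi_dbm > best[key].rssi_dbm:
            best[key] = obs
    return list(best.values())


def classify_ap(obs: ApObservation, authorized: Set[str], corporate_ssids: Set[str]) -> str:
    """Classify one AP.

    authorized       - BSSID is in the inventory
    rogue            - unknown AP wired into a monitored subnet (PCI 11.1.b/c)
    honeypot_suspect - unknown AP, not wired in, but advertising a corporate SSID
    external         - unknown AP with no path into the monitored network (neighbor)
    """
    if obs.bssid.lower() in {b.lower() for b in authorized}:
        return "authorized"
    if obs.wired_to_monitored_subnet:
        return "rogue"
    if obs.ssid in corporate_ssids:
        return "honeypot_suspect"
    return "external"


def triage(observations, authorized=AUTHORIZED_BSSIDS,
           corporate_ssids=CORPORATE_SSIDS) -> Dict[str, str]:
    """Map each distinct BSSID to its classification."""
    return {obs.bssid.lower(): classify_ap(obs, authorized, corporate_ssids)
            for obs in dedupe_strongest(observations)}


def alert_lines(observations, authorized=AUTHORIZED_BSSIDS, corporate_ssids=CORPORATE_SSIDS,
                timestamp="2013-01-01T00:00:00Z", host="wips-server") -> List[str]:
    """Render one RFC 5424-style syslog line per AP that needs a response.

    PRI 129 = facility local0 (16) * 8 + severity alert (1);
    PRI 132 = local0 + severity warning (4). Only rogue and honeypot suspects alert.
    """
    lines = []
    for obs in dedupe_strongest(observations):
        verdict = classify_ap(obs, authorized, corporate_ssids)
        if verdict == "rogue":
            pri = 129
        elif verdict == "honeypot_suspect":
            pri = 132
        else:
            continue
        lines.append(
            f"<{pri}>1 {timestamp} {host} wips - - - "
            f"verdict={verdict} bssid={obs.bssid.lower()} ssid={obs.ssid!r} "
            f"rssi={obs.rssi_dbm} sensor={obs.sensor_id}"
        )
    return lines


# Constructed scan: one authorized AP, a rogue wired into the monitored subnet
# (seen by two sensors), a harmless neighbor, and a neighbor using the corporate SSID.
SAMPLE_SCAN = [
    ApObservation("00:11:22:33:44:01", "CORP-POS", -40, True, "sensor-1"),
    ApObservation("AA:BB:CC:DD:EE:01", "linksys", -65, True, "sensor-1"),
    ApObservation("aa:bb:cc:dd:ee:01", "linksys", -55, True, "sensor-2"),
    ApObservation("aa:bb:cc:dd:ee:02", "CoffeeShop", -70, False, "sensor-1"),
    ApObservation("aa:bb:cc:dd:ee:03", "CORP-POS", -62, False, "sensor-2"),
]

if __name__ == "__main__":
    for line in alert_lines(SAMPLE_SCAN):
        print(line)
```

The neighbor on the coffee-shop SSID produces no alert, which is the false-positive case the 11.1.b row is concerned with; the wired-connectivity result, not signal strength, is what separates it from the rogue.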

11.1.e Verify the organization’s incident response plan (Requirement 12.9) includes a response in the event unauthorized wireless devices are detected.

11.1.e and 12.9 AirTight: The following facilities are provided to implement the incident response plan:

• Alert notification to the administrator. Various notification options as described above are supported.

• Automatic prevention policy to instantly block the communication of the detected unauthorized wireless devices. Alternatively, the device blocking can also be manually triggered from the console.

• Smart Forensics™ wizard maintains an audit trail and lets the administrator or auditor view information about the incident such as devices involved, duration of the incident, and actions taken by the AirTight system or the administrator.

The pre-configured PCI wireless compliance report also catches any mis-configurations of the PCI related incident response actions.

12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.

12.9 Obtain and examine the Incident Response Plan and related procedures [snip] ...


Requirements Applicable to CDEs Encompassing Authorized WLAN:

PCI DSS Requirement | Testing Procedures | How AirTight Meets the Requirement (AirTight’s responses below are prefixed “AirTight:”)

2.1.1 For wireless environments connected to the cardholder data environment or transmitting cardholder data, change wireless vendor defaults, including but not limited to default wireless encryption keys, passwords, and SNMP community strings.

2.1.1 Verify the following regarding vendor default settings for wireless environments:

2.1.1 AirTight: SNMP access is disabled on AirTight Sensor/APs.

Also, AirTight Sensor/APs do not ship with any default encryption keys or passwords.

AirTight Sensor/APs support the latest industry standard encryption and authentication protocols, as follows:

• WPA2 [AES encryption and 802.1x or PSK authentication],

• WPA [TKIP encryption and 802.1x or PSK authentication],

• WEP is supported, but not recommended.

2.1.1.a Verify encryption keys were changed from default at installation, and are changed anytime anyone with knowledge of the keys leaves the company or changes positions.

2.1.1.b Verify default SNMP community strings on wireless devices were changed.

2.1.1.c Verify default passwords/passphrases on access points were changed.

2.1.1.d Verify firmware on wireless devices is updated to support strong encryption for authentication and transmission over wireless networks.

2.1.1.e Verify other security-related wireless vendor defaults were changed, if applicable.

4.1.1 Ensure wireless networks transmitting cardholder data or connected to the cardholder data environment, use industry best practices (for example, IEEE 802.11i) to implement strong encryption for authentication and transmission.

Note: The use of WEP as a security control was prohibited as of 30 June 2010.

4.1.1 For wireless networks transmitting cardholder data or connected to the cardholder data environment, verify that industry best practices (for example, IEEE 802.11i) are used to implement strong encryption for authentication and transmission.

4.1.1 AirTight: Any authorized APs using Open, WEP, or WPA encryption are detected, and corresponding notifications are included in the pre-configured PCI wireless compliance report. In addition, compliance of AP authentication and encryption with the configured wireless security policy (802.11i) is constantly monitored. In case of a mismatch, an alert is generated on the mis-configured AP and, optionally, the AP’s communication can be automatically blocked.
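The policy check described in the 4.1.1 row, as an added example that is not AirTight code: each authorized AP's advertised cipher and authentication suites are compared against an 802.11i policy (CCMP/AES only, PSK or 802.1X authentication), and findings are graded by severity. It goes beyond the page's Open/WEP/WPA list by also failing a mixed-mode AP that still accepts TKIP alongside CCMP, since a client can then negotiate the weaker cipher. The record format, policy constants and inventory values are assumptions constructed for the example.

```python
"""Authorized-AP encryption policy check against an 802.11i baseline.

Added example, not AirTight code. The AuthorizedAp record, the policy sets
and the sample inventory are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class AuthorizedAp:
    bssid: str
    ssid: str
    ciphers: FrozenSet[str]  # advertised pairwise ciphers: "CCMP", "TKIP", "WEP"; empty = Open
    akms: FrozenSet[str]     # authentication / key-management suites: "PSK", "802.1X"


# Policy: what an 802.11i-compliant configuration must look like (constructed).
ALLOWED_CIPHERS = frozenset({"CCMP"})
ALLOWED_AKMS = frozenset({"PSK", "802.1X"})

Finding = Tuple[str, str]  # (severity, description)


def check_policy(ap: AuthorizedAp,
                 allowed_ciphers: FrozenSet[str] = ALLOWED_CIPHERS,
                 allowed_akms: FrozenSet[str] = ALLOWED_AKMS) -> List[Finding]:
    """Return findings for one AP; an empty list means it is compliant."""
    findings: List[Finding] = []
    if not ap.ciphers:
        findings.append(("critical", "open network: no encryption"))
    if "WEP" in ap.ciphers:
        findings.append(("critical", "WEP in use (prohibited as a control since 30 June 2010)"))
    if "TKIP" in ap.ciphers:
        # Mixed WPA/WPA2 mode: CCMP is offered, but a client may still be
        # negotiated down to TKIP, so the AP does not meet the policy.
        findings.append(("high", "TKIP permitted; clients may negotiate the weaker cipher"))
    for cipher in sorted(ap.ciphers - allowed_ciphers - {"WEP", "TKIP"}):
        findings.append(("high", f"cipher {cipher} not permitted by policy"))
    # WEP has no AKM concept, so only RSN-style ciphers need an authentication suite.
    if ap.ciphers and "WEP" not in ap.ciphers and not ap.akms:
        findings.append(("critical", "encryption without an authentication suite"))
    for akm in sorted(ap.akms - allowed_akms):
        findings.append(("high", f"authentication suite {akm} not permitted by policy"))
    return findings


def compliance_report(aps) -> Dict[str, List[Finding]]:
    """Findings per BSSID, suitable for inclusion in a compliance report."""
    return {ap.bssid: check_policy(ap) for ap in aps}


def non_compliant(aps) -> List[str]:
    """BSSIDs that have at least one finding, in inventory order."""
    return [bssid for bssid, findings in compliance_report(aps).items() if findings]


# Constructed inventory: one compliant AP, one mixed-mode AP, one WEP AP, one open AP.
SAMPLE_APS = [
    AuthorizedAp("00:11:22:33:44:01", "CORP-POS", frozenset({"CCMP"}), frozenset({"802.1X"})),
    AuthorizedAp("00:11:22:33:44:02", "CORP-GUEST", frozenset({"CCMP", "TKIP"}), frozenset({"PSK"})),
    AuthorizedAp("00:11:22:33:44:03", "LEGACY-SCANNER", frozenset({"WEP"}), frozenset()),
    AuthorizedAp("00:11:22:33:44:04", "SETUP", frozenset(), frozenset()),
]

if __name__ == "__main__":
    for bssid, findings in compliance_report(SAMPLE_APS).items():
        status = "compliant" if not findings else "; ".join(f"{s}: {d}" for s, d in findings)
        print(f"{bssid} {status}")
```

Running the check continuously, rather than at report time, is what turns a misconfigured AP into an alert as soon as it is reconfigured instead of at the next quarterly review.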

10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN.

10.5.4 Verify that logs for external-facing technologies (for example, wireless, firewalls, DNS, mail) are offloaded or copied onto a secure centralized internal log server or media.

10.5.4 AirTight: AirTight supports automatic daily/weekly/monthly backup of system data, including events, the listing of detected devices, archived reports, and system configuration.



11.4 Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic at the perimeter of the cardholder data environment as well as at critical points inside the cardholder data environment, and alert personnel to suspected compromises. Keep all intrusion-detection and prevention engines, baselines, and signatures up-to-date.

11.4.a Verify the use of intrusion-detection systems and/or intrusion-prevention systems and that all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment is monitored.

11.4.a AirTight: AirTight WIPS and AirTight Cloud Services are complete wireless intrusion detection/prevention systems (WIPS). In particular, unauthorized APs within the radio coverage of a Sensor and connected anywhere on the subnets monitored by that Sensor are detected. A single Sensor can monitor multiple subnets (VLANs), including the PCI VLAN and other VLANs sharing switch resources with the PCI VLAN, for unauthorized wireless devices. In addition, AirTight also offers protection against all other wireless threats such as mis-associating clients, honeypot APs, ad hoc connections, DoS attacks, MAC spoofing, cracking, etc.

11.4.b Confirm IDS and/or IPS are configured to alert personnel of suspected compromises.

11.4.b AirTight: The pre-configured PCI audit report catches any mis-configurations of the PCI related alerts.

11.4.c Examine IDS/IPS configurations and confirm IDS/IPS devices are configured, maintained, and updated per vendor instructions to ensure optimal protection.

11.4.c AirTight: In AirTight Cloud Services, the IDS/IPS server is hosted in the AirTight datacenter and managed by AirTight personnel, and it is kept up to date with the latest version of the software and intrusion detection parameters. In the case of AirTight WIPS, notifications are sent to customers whenever newer versions of software/patches are available.


About AirTight Networks

The Global Leader in Secure Wi-Fi Solutions

AirTight Networks is a global provider of secure Wi-Fi solutions that combine its patented and industry-leading wireless intrusion prevention system (WIPS) technology with the next generation cloud-managed, controller-less Wi-Fi architecture. This unified approach allows enterprises for the first time to benefit from Wi-Fi access while concurrently protecting their networks 24/7 from wireless threats at no additional cost. AirTight’s customers include global enterprises across virtually all industries and range from those who overlay AirTight WIPS™ on top of other WLAN solutions, to those who leverage the AirTight Cloud Services™ to manage AirTight Wi-Fi™, WIPS, and regulatory compliance (e.g., PCI) across tens of thousands of locations from a single console. AirTight owns 29 granted U.S. and international patents on WIPS and cloud-managed wireless security, with more than 20 additional patents pending. For more information, please visit: www.airtightnetworks.com.

AirTight Networks, Inc. 339 N. Bernardo Avenue #200, Mountain View, CA 94043 T +1.877.424.7844 T 650.961.1111 F 650.961.1169 www.airtightnetworks.com

© 2013 AirTight Networks, Inc. All rights reserved. AirTight Networks and the AirTight Networks logo are trademarks, and AirTight is a registered trademark of AirTight Networks, Inc. All other trademarks mentioned herein are properties of their respective owners. Specifications are subject to change without notice.

AirTight is a registered trade mark of AirTight Networks, Inc. AirTight Networks, AirTight Networks logo, AirTight Cloud Services and AirTight Secure Wi-Fi are trademarks. All other trademarks are the property of their respective owners.