© 2014 Avaya Inc. Avaya – Confidential & Proprietary Do not duplicate, publish or distribute further without the express written permission of Avaya. #AvayaATF.

Presentation transcript:

Slide 1: #AvayaATF, May 14th-16th, 2014, Singapore
Designing and Implementing a PCI-DSS Compliant Network using 'Stealth' Networks with Avaya Fabric Connect
Ed Koehler, Director, WW DSE Distinguished Engineer

Slide 2: Privacy in a Virtualized World
- Network and Service Virtualization have transformed the IT industry
  - Cloud Services
  - Software Defined Networking
- Security and privacy concerns are being expressed by many risk and security analysts
- Regulatory compliance in a virtualized environment can be a difficult bar to reach
  - Examples are PCI Compliance, HIPAA, process flow and control (SCADA) environments, and Video Surveillance

Slide 3: The Definition of a "Stealth" Network
- Any network that is enclosed and self-contained with no reachability into and/or out of it. It also must be mutable in both services and coverage characteristics
- The common comparable terms used are MPLS IP-VPN, Routed Black Hole Network, IP VPN Lite
- Avaya's Fabric Connect, based on IEEE 802.1aq, provides for fast and nimble private networking circuit based capabilities that are unparalleled in the industry
- "Stealth" Networks are private 'dark' networks that are provided as services within the Fabric Connect cloud
  - L2 Stealth: a non-IP addressed L2 VSN environment
  - L3 Stealth: an L3 VSN IP VPN environment

Slide 4: Use Case Requirements for "Stealth" Networks
- Networks that require isolation and security
  - PCI compliance
  - HIPAA compliance
  - Financial Exchanges
  - Video Surveillance (Unicast or Multicast)
  - SCADA control networks
- Networks that require Services Separation
  - Multicast, particularly video surveillance
  - Bonjour
  - SCADA

Slide 5: PCI DSS Compliance Requirements
See
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

Slide 6: A Few Words on PCI DSS v3.0...
- Over 100 new controls defined!!!
- Many are further clarifications on v2.0
- Main impacting changes
  - Inventory of all systems within the Card Holder Data Environment (CDE)
  - Documented Card Holder data flows within the CDE
  - Detailed penetration testing requirements
  - Concerns over 'weak' segmentation
  - Further detail on the role and obligations of third parties and service providers
  - Full network and data flow diagrams
  - Penetration testing that 'matches' the CDE as it is deployed
  - Incorporation of 'business as usual' PCI compliant processes and policies
  - Change management and audit, both technical and organizational

Slide 7: PCI-DSS & PA-DSS
- PCI-DSS deals with the whole end to end system implementation as it is deployed.
- PA-DSS (Payment Application Security Standard) defines what a compliant application must support as it is designed.
- PA-DSS is derived from PCI-DSS and defines handling of:
  - Magnetic Stripe data
  - Card Verification Codes & Values (CAV2, CID, CVC2, CVV2)
  - PINs & PIN Blocks
- PA-DSS compliance applies to 'off the shelf' payment applications
  - Merchants or SPs MUST certify 'in-house' applications!

Slide 8: About Network Segmentation...
- While not strictly required for compliance, it is strongly recommended!
- Network Segmentation can reduce:
  - The scope of the PCI-DSS assessment
  - The cost of the PCI-DSS assessment
  - The cost and difficulty in maintaining systems compliance
  - Major benefits of overall risk reduction in the systems model
- All of this can be realized IF the network segmentation is secure and properly designed!
  - Proper design leads to consistency and modularity
  - Allows for the streamlining of compliance by the use of sampling

Slide 9: What version 3.0 has to say about segmentation and CDE (Card Holder Data Environments)
- CDE includes all people, processes and technology
  - Validation on 'where' Card Holder Data exists
  - Trace processes and systems
  - Develop flow diagrams of interacting systems and CHD
- Develop documented penetration testing specific to the CDE
  - 'Hack Attack' methodologies
  - Ongoing evaluation of threats/vulnerabilities/risk
- The more technologies involved in the CDE, the more penetration testing required!
  - Fabric Connect used end to end eliminates most if not all other network technologies
  - Fabric Connect (IEEE 802.1aq) can significantly reduce ACL requirements and enhance data flow validation!
  - Firewalls/IDS
  - Servers/Storage and POS
  - Authentication -> Identity Engines!
  - Management applications!*
* Important consideration: 'lock down' the management environment. If it manages a system in the CDE, it is part of the CDE!
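The scoping rules on slides 8 and 9 (CHD systems are CDE, weak segmentation pulls neighbours into scope, and anything that manages a CDE system is CDE) can be turned into a repeatable check over a system inventory. The following is an added example, not code from the deck or from Avaya; every system name and link in it is constructed sample data.

```python
"""Added example: compute PCI DSS assessment scope (the CDE) from a constructed
system inventory, applying the rules the slides state:
  * a system that stores, processes or transmits cardholder data (CHD) is CDE;
  * scope propagates over any traffic path that is NOT behind a validated
    segmentation control (the 'weak segmentation' concern in v3.0);
  * a system that manages a CDE system is part of the CDE.
All system names and links below are constructed sample data.
"""
from collections import deque

# constructed inventory: name -> whether it handles cardholder data
SYSTEMS = {
    "pos-01": True, "pos-02": True, "pay-app": True, "pay-db": True,
    "hr-web": False, "net-mgmt": False, "ide-radius": False, "guest-wifi": False,
}

# constructed links: (a, b, kind, segmented)
#   kind "flow"    : traffic path between a and b; segmented=True means a
#                    validated firewall policy sits between them
#   kind "manages" : a manages b (segmentation is irrelevant for this rule)
LINKS = [
    ("pos-01", "pay-app", "flow", True),
    ("pos-02", "pay-app", "flow", True),
    ("pay-app", "pay-db", "flow", False),
    ("pay-db", "hr-web", "flow", True),
    ("hr-web", "guest-wifi", "flow", False),
    ("net-mgmt", "pay-db", "manages", True),
    ("ide-radius", "pos-01", "manages", True),
]


def cde_scope(systems, links):
    """Return the set of in-scope system names (breadth-first over the rules)."""
    in_scope = {name for name, handles_chd in systems.items() if handles_chd}
    queue = deque(in_scope)
    while queue:
        cur = queue.popleft()
        for a, b, kind, segmented in links:
            if kind == "flow" and not segmented and cur in (a, b):
                other = b if cur == a else a        # weak segmentation: pulled in
            elif kind == "manages" and b == cur:
                other = a                           # manages a CDE system: CDE
            else:
                continue
            if other not in in_scope:
                in_scope.add(other)
                queue.append(other)
    return in_scope


def boundary_flows(links, scope):
    """Flows between an in-scope and an out-of-scope system. Each one is a
    segmentation point whose firewall policy must be tested during the
    assessment; an unsegmented one would have been absorbed into scope."""
    return sorted((a, b) for a, b, kind, _ in links
                  if kind == "flow" and (a in scope) != (b in scope))


if __name__ == "__main__":
    scope = cde_scope(SYSTEMS, LINKS)
    print("in scope:", sorted(scope))
    print("segmentation points to test:", boundary_flows(LINKS, scope))
```

Flipping the `pay-db`/`hr-web` link to unsegmented pulls `hr-web` and everything behind it (`guest-wifi`) into scope, which is exactly the cost of weak segmentation the slides warn about.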

Slide 10: Identity Engines & Fabric Connect Support for PCI Compliance (includes v3.0 requirements!)
- There is no PCI 'product'. Reports must be submitted to prove compliance.
- Identity aware networking systems can play a key role as one of the PCI Enforcement Tools to ensure that the PCI audits will prove successful.
- Payment Card data should be segmented and access control should be used to ensure only authorized resources have access to the Payment Card Data Network.

Control Objectives and PCI DSS Requirements:
- Build and Maintain a Secure Network: 1. Install and maintain a firewall configuration to protect cardholder data; 2. Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect Cardholder Data: 3. Protect stored cardholder data; 4. Encrypt transmission of cardholder data across open, public networks
- Maintain a Vulnerability Management Program: 5. Use and regularly update anti-virus software on all systems commonly affected by malware; 6. Develop and maintain secure systems and applications
- Implement Strong Access Control Measures: 7. Restrict access to cardholder data by business need-to-know; 8. Assign a unique ID to each person with computer access; 9. Restrict physical access to cardholder data
- Regularly Monitor and Test Networks: 10. Track and monitor all access to network resources and cardholder data; 11. Regularly test security systems and processes
- Maintain an Information Security Policy: 12. Maintain a policy that addresses information security

Diagram: PCI Standards -> PCI Enforcement Tools -> PCI Validation Audit -> PCI Audit Report. (*) Supported by Identity Engines.

Slide 11: Identity Management and the 'Series of Gates' Security Concept
Diagram: End User -> Identity Broker (IDE) -> Fabric Connect Network Elements -> Secure CDE. Gates: General Access challenge (General Access L3 VSN), then PCI-DSS challenge (Secure Access); Authentication Access ONLY!

Slide 12: Anatomy of a Layer 3 Stealth Network (IP VPN)
- An SPB I-SID that is associated with end VRFs
- Multiple IP subnets: a completely separate and private IP forwarding environment
- Provides for a closed IP internet environment
Diagram: VLAN -> VRF -> I-SID across the Fabric Connect Cloud; Secure L3 "Stealth" Network (IP VPN) carrying Subnet A and Subnet B.

Slide 13: Anatomy of a Layer 2 Stealth Network
- An SPB I-SID that is associated with end VLANs
- No IP addresses assigned*
- Provides for a closed non-IP or single subnet IP based network
- Typically used within the Data Center for PCI-DSS systems*
Diagram: VLAN -> I-SID across the Fabric Connect Cloud; Secure L2 "Stealth" Network, no IP.

Slide 14: End-to-End Usage of Stealth Networks for PCI-DSS Compliance, Example Topology
- L3 VSNs are used and terminated at the field service edge; alternately 'Stealth' L2 VSNs can also be used
- 'Stealth' L2 VSNs are used within the Secure Data Center
- Identity Engines provides for access control and protection of the PCI-DSS environment
Diagram (Core, Distribution, Data Center): PA-DSS Application (Client) on a Secure Single Port -> VLAN -> VRF -> I-SID; Secure L3 "Stealth" Network (IP VPN) with Subnet A and Subnet B across the Fabric Connect Cloud -> FW/IDS -> Secure L2 "Stealth" Networks -> PA-DSS Application (Server); IDE enforces access.

Slide 15: Fully Virtualized Security Perimeter
Diagram: Secure End User VLAN and other user VLANs at the edge -> Secure L3 VSN over Fabric Connect (Core Network) -> Virtualized Security Perimeter (Firewalls, IDS/IPS, IDE) -> Secure L2 VSNs in the Secure Data Center (Data Center 1, Data Center 2, Data Center Top of Rack VLANs). Data Center VRFs are optional.

Slide 16: Fully Virtualized Security Perimeter
Diagram: the same topology as slide 15 (Secure End User VLAN and other user VLANs -> Secure L3 VSN over Fabric Connect -> Virtualized Security Perimeter with Firewalls, IDS/IPS and IDE -> Secure L2 VSNs in the Secure Data Center, Data Center 1 and Data Center 2, Top of Rack VLANs, optional Data Center VRFs), with the Card Holder Data Environment highlighted.

Slide 17: The scoop on Sampling...
- Sampling allows for the ability to drastically reduce the overall complexity (and cost) of compliance
  - Requires consistency and modularity in order to provide for maximum return
- Modules of the overall solution can be built and templated. Faithful reproduction is strictly required!
  - Can drastically reduce compliance costs and ongoing maintenance
- BEWARE! Small divergence in details CAN cause NON-COMPLIANCE
  - i.e. PA-DSS app. "A" on OS "1" is different from PA-DSS app. "A" on OS "2"
  - Or storage on FC is different from iSCSI or NAS
- V3.0 increases focus on end to end validation of the CDE. Templates and consistency are more important than ever!
  - Penetration testing methods should be developed and documented
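The sampling argument above rests on being able to prove that each deployed module is a faithful reproduction of its template. The following added example (not from the deck or from Avaya) shows that check on a constructed inventory: any attribute that differs from the template is reported as a divergence, and instances are grouped by full signature so that each distinct group counts as its own sample in the assessment. Template names, attribute names and instance data are all constructed.

```python
"""Added example: verify that deployed CDE modules are faithful reproductions
of their template, the precondition for validation by sampling. As the slide
warns, PA-DSS app "A" on OS "1" is a different module from app "A" on OS "2",
and FC storage differs from iSCSI or NAS, so each distinct combination becomes
its own sampling group. Templates, attributes and instances are constructed.
"""
from collections import defaultdict

# attributes that define a module; a difference in any one makes a new module
MODULE_KEYS = ("app", "os", "storage", "switch_template")

# constructed templates, one per module type in the solution
TEMPLATES = {
    "store-pos": {"app": "PA-DSS-App-A 4.2", "os": "OS-1",
                  "storage": "local", "switch_template": "edge-l3vsn-v3"},
    "dc-payapp": {"app": "PA-DSS-App-A 4.2", "os": "OS-1",
                  "storage": "FC", "switch_template": "dc-l2vsn-v3"},
}

# constructed deployed instances (what a v3.0 system inventory would list)
INSTANCES = [
    {"name": "store-101", "template": "store-pos", "app": "PA-DSS-App-A 4.2",
     "os": "OS-1", "storage": "local", "switch_template": "edge-l3vsn-v3"},
    {"name": "store-102", "template": "store-pos", "app": "PA-DSS-App-A 4.2",
     "os": "OS-1", "storage": "local", "switch_template": "edge-l3vsn-v3"},
    {"name": "store-103", "template": "store-pos", "app": "PA-DSS-App-A 4.2",
     "os": "OS-2", "storage": "local", "switch_template": "edge-l3vsn-v3"},
    {"name": "payapp-1", "template": "dc-payapp", "app": "PA-DSS-App-A 4.2",
     "os": "OS-1", "storage": "FC", "switch_template": "dc-l2vsn-v3"},
    {"name": "payapp-2", "template": "dc-payapp", "app": "PA-DSS-App-A 4.2",
     "os": "OS-1", "storage": "iSCSI", "switch_template": "dc-l2vsn-v3"},
]


def signature(inst):
    """The tuple of attributes that identifies a module configuration."""
    return tuple(inst.get(k) for k in MODULE_KEYS)


def divergences(instances, templates):
    """Map instance name -> {attribute: (expected, actual)} for every instance
    that is not a faithful reproduction of its template."""
    out = {}
    for inst in instances:
        tpl = templates[inst["template"]]
        diff = {k: (tpl[k], inst.get(k))
                for k in MODULE_KEYS if tpl[k] != inst.get(k)}
        if diff:
            out[inst["name"]] = diff
    return out


def sampling_groups(instances):
    """Group instances by full signature: one representative per group must be
    assessed, so every divergence adds a group (and cost) to the audit."""
    groups = defaultdict(list)
    for inst in instances:
        groups[signature(inst)].append(inst["name"])
    return dict(groups)


if __name__ == "__main__":
    print("divergences:", divergences(INSTANCES, TEMPLATES))
    print("sampling groups:", len(sampling_groups(INSTANCES)))
```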

Slide 18: As per 'Appendix D'... does not change in v3.0
Fabric Connect addresses all segmentation requirements!

Slide 19: Modularity and Sampling Concept
Diagram: the example topology from slide 14 (PA-DSS Application Client on a Secure Single Port -> VLAN -> VRF -> I-SID, Secure L3 "Stealth" Network with Subnet A and Subnet B across the Fabric Connect Cloud -> FW/IDS -> Secure L2 "Stealth" Networks -> PA-DSS Application Server, with IDE) divided into modules: Remote site systems (App/OS, Switch/Network), Network Distribution Systems, Firewall/IDS Security Demarcation, and Data Center Systems (Compute Systems, Storage Systems).

Slide 20: Validation requirements for Merchants
Chart: merchant levels (Level 1 to Level 4) per card brand (MasterCard, VISA, Discover, AMEX) against number of transactions (thresholds shown: 6M, 2.5M, 1M, 50K), mapped to validation methods:
- Network Scan: quarterly external scan performed by an ASV
- SAQ: yearly self-assessment questionnaire
- Site Audit: yearly on-site assessment by a QSA or ISA

Slide 21: Validation requirements for Service Providers
Chart: service provider levels (Level 1 to Level 4) per card brand (MasterCard, VISA, Discover, AMEX) against number of transactions (thresholds shown: 2.5M, 300K, 50K), mapped to Network Scan, SAQ and Site Audit.

Slide 22: PCI-DSS Compliance Design Checklist
- Terminate L3 VSNs as close to the edge as possible
  - When it is not possible, extend to the edge with Secure "Stealth" L2 VSNs off of the VRF*
  - When using Stealth L2 VSNs, terminate only POS end points to the security demarcation
- Limit port membership into Security Demarcation points
  - Single port per endpoint ideally
  - Limit port memberships to ONLY point of sale endpoints
- IDE can provide for complete assurance of proper network placement and ID Management of PA-DSS systems
  - Be sure to limit ONLY point of sale applications to the CDE
- Validate Firewall Security Policy Databases at ALL demarcations (TEST!)
- Any public Internet or Wireless usage will require encryption
  - MACsec can be used for Ethernet Trunk protection where required
  - IPSec and SSL VPN can be used for secure remote VPN
- Develop a detailed network diagram of how the CDE relates to the whole network topology with a focus on isolation methods
  - Highlight Card Holder Data flow
* Multicast is NOT supported in this configuration
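Several items on this checklist can be verified mechanically against a model of the design before the assessor sees it. The following is an added example, not code from the deck or from Avaya, that checks a constructed model for three of them: Stealth L2 VSNs at a demarcation carry only POS endpoints with one port each, every demarcation firewall policy has been tested, and every CHD path over the public Internet or wireless is encrypted. I-SID numbers, port names, hosts and dates are constructed sample data.

```python
"""Added example: validate a modelled Fabric Connect design against the PCI-DSS
design checklist. Checks implemented:
  * a Stealth L2 VSN (I-SID) at a security demarcation carries only POS
    endpoints, one port per endpoint;
  * the firewall policy at every demarcation has a recorded test date;
  * every CHD path over public Internet or wireless is encrypted.
I-SID numbers, port names, hosts and dates below are constructed sample data.
"""

# constructed model of the design
DESIGN = {
    "l2_vsns": {
        # i-sid -> list of (switch port, endpoint name, endpoint role)
        10001: [("sw1/1/1", "pos-01", "pos"), ("sw1/1/2", "pos-02", "pos")],
        10002: [("sw2/1/1", "pos-03", "pos"), ("sw2/1/2", "printer-1", "printer"),
                ("sw2/1/3", "pos-03", "pos")],          # pos-03 on two ports
    },
    "demarcations": [
        {"name": "dc-fw", "policy_tested": "2014-04-30"},
        {"name": "branch-fw", "policy_tested": None},   # never tested
    ],
    "chd_paths": [
        {"from": "pos-01", "to": "pay-app", "medium": "fabric", "encrypted": False},
        {"from": "pos-03", "to": "pay-app", "medium": "internet", "encrypted": True},
        {"from": "pos-02", "to": "pay-app", "medium": "wireless", "encrypted": False},
    ],
}

# media the checklist says always require encryption
UNTRUSTED_MEDIA = {"internet", "wireless"}


def check_design(design):
    """Return a sorted list of findings; an empty list means the checks pass."""
    findings = []
    for isid, members in design["l2_vsns"].items():
        ports_per_endpoint = {}
        for port, endpoint, role in members:
            if role != "pos":
                findings.append(f"I-SID {isid}: non-POS endpoint {endpoint} on {port}")
            ports_per_endpoint.setdefault(endpoint, []).append(port)
        for endpoint, ports in ports_per_endpoint.items():
            if len(ports) > 1:
                findings.append(f"I-SID {isid}: {endpoint} has {len(ports)} ports")
    for fw in design["demarcations"]:
        if not fw["policy_tested"]:
            findings.append(f"demarcation {fw['name']}: firewall policy untested")
    for p in design["chd_paths"]:
        if p["medium"] in UNTRUSTED_MEDIA and not p["encrypted"]:
            findings.append(
                f"CHD path {p['from']}->{p['to']} over {p['medium']} unencrypted")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_design(DESIGN):
        print("FAIL:", finding)
```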

Slide 23: In Conclusion...
- While IP Virtual Private Networks are nothing new, Avaya takes the concept to a new level with Fabric Connect
  - Flexible and nimble service extensions and nodal mutability lend themselves to an incredibly mobile secure networking paradigm
- "Stealth" Networking: fast, nimble and invisible
  - "Stealth" Networks can be used to facilitate traditional privacy concerns such as PCI and HIPAA compliance
  - Next generation private network requirements such as mobility for emergency response, military and/or field based operations
- Avaya's Fabric Connect can deliver all modes of secure private connectivity
  - Layer 2 requirements
  - Layer 3 requirements
  - Mobile requirements

Slide 24: Ed Koehler
- YouTube Channel: n8AhOZU3ZFQI-YWwUUWSJQ
- Blog: / /

Slide 25: BE SURE TO TWEET YOUR FEEDBACK ON THIS PRESENTATION #AvayaATF
Winners will be announced at closing of event
