1. https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-1.pdf
2. http://www.verizonenterprise.com/resources/report/rp_pci-report-2015_en_xg.pdf
3. Poll Shows Broad Impact of Cyberattacks, Wall Street Journal, December 2014
Palo Alto Networks | Use Case l Simplify PCI Compliance With Network Segmentation 1
USE CASE: Simplify PCI Compliance With Network Segmentation
Reduce the number of system components that must be maintained in compliance, both on a regular basis and whenever the PCI requirements are updated.
Reduce the number of system components and processes that must be periodically audited to demonstrate compliance.
Reduce and simplify management of the policies, access control, and threat prevention rules that apply to the CDE.
Reduce troubleshooting and forensic analysis effort by narrowing the scope of related investigations.
Greatly improve the organization's ability to contain and limit the spread of threats.
Traditional Approaches
A flat network casts a wide scope of compliance: Organizations that do not isolate their PCI devices, like point of sale (POS) devices, credit card-processing workstations and servers, typically face more challenges during their periodic PCI assessments compared to those that segment PCI devices. Any network segment that processes or transmits unencrypted credit card information must meet all PCI DSS requirements. In a flat, unsegmented network, the entire network is in scope for the PCI DSS.
VLANs were designed for traffic management, not security: Your Qualified Security Assessor (QSA) will likely agree that VLANs and ACLs do not provide the necessary security controls to meet PCI requirements and are extremely difficult to manage at enterprise scale. VLANs were designed for traffic management and, alone, are not capable of enforcing the control of privileged information. Alternative security options, like legacy port-based firewalls, also fail in this regard because they are indiscriminate about the traffic that's allowed through and do not provide the necessary visibility or controls into the actions of the users for a segment. For example, there is no way to determine which applications are being used, which data is being accessed, or if specific users are allowed to be in a particular segment in the first place.
It is not sufficient to merely meet PCI requirements: By its own admission, the PCI DSS provides a baseline of technical and operational requirements for protecting cardholder data. Not only do the specified countermeasures represent a minimum standard of due care, but, as a result of the now three-year period between revisions, they also often lag behind significant changes to the technology and threat landscapes.
One self-acknowledged example of this situation is provided by the requirement to deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers) in PCI DSS section 5.1. In this case, the DSS explicitly mentions the consideration of "additional anti-malware solutions" as a supplement to the anti-virus software, presumably in recognition of the poor track record such software has at stopping modern, polymorphic malware and zero-day exploits.
A second example comes from the requirement to implement stateful inspection technology as part of the solution to prohibit direct public access between the internet and any system component in the cardholder data environment in PCI DSS section 1.3.6. Verizon's commentary on this requirement says it all: "The DSS still specifies stateful-inspection firewalls, first launched in 1994. As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded with thousands of out-of-date rules. To address this, vendors are now offering next generation firewalls that can validate the traffic at layers 2 to 7, potentially allowing far greater levels of granularity in the rules." [4]
Specific examples aside, the key point to realize here is that it's typically necessary if not imperative for security and compliance teams to go above and beyond the DSS requirements in order to establish a security architecture that more effectively addresses modern/emerging threats and more closely aligns with their organization's tolerance for risk.
Description:
... reduce their attack surface, block all known threats with an integral threat prevention engine, and quickly discover and protect against unknown threats using the WildFire cloud-based malware analysis service. Next-generation endpoint security capable of stopping unknown threats and automated coordination among the natively integrated solution components complete the picture. The net result is a truly innovative platform that delivers maximum protection for an organization's entire computing environment while greatly reducing the need for costly human intervention and remediation.
Figure 1: Palo Alto Networks Next-Generation Security Platform (diagram; component labels recoverable from the extraction: Threat Intelligence Cloud, Next-Generation Firewall, Advanced Endpoint Protection, Natively Integrated, Extensible)
4. http://www.verizonenterprise.com/pcireport/2015/
[Segmentation diagram; zone labels recoverable from the rotated text of the extraction: Infrastructure Servers, Development Servers, End User Workstations, Finance Users, Palo Alto Networks, PCI Zone]
POS PC: PCs or registers used as points of sale may be considered in scope.
Laptop/Office PC: Mobile wireless laptops used in departments that do not process credit card numbers are usually considered out of scope.
Reference Architecture
The PCI Reference Architecture below outlines recommended zones of isolation for merchants, regardless of the size of the organization. Security zones are logical containers for physical interfaces, VLANs, IP address ranges, or a combination thereof. The switch and next-generation firewall icons in the diagram indicate the flexibility of using one, the other, or a combination of both types of devices to enforce isolation all the way to the Ethernet jack, or access point.
[Reference architecture diagram; labels recoverable from the extraction: ZONE: Voice, Next-Generation Firewall, Router, Data Center/WAN]
Implementation Overview
Products required:
Next-Generation Firewall
Threat Prevention Subscription
WildFire Subscription
[Segmented network diagram; zone labels recoverable from the rotated text of the extraction: Cardholder Servers, Infrastructure Servers, Finance Users, Development Servers, Palo Alto Networks, PCI Zone]
Figure 4: Segmented network with Palo Alto Networks isolates cardholder data
Next, define your PCI zones. Don't worry, it's pretty straightforward.
Security zones are logical containers for physical interfaces, VLANs, IP address ranges, or a combination thereof. Security zones are utilized in next-generation firewall security policies to clearly identify one or more source and destination interfaces on the platform. Each interface on the firewall must be assigned to a security zone before it can process traffic. This allows organizations to create security zones to represent different segments being connected to, and controlled by, the firewall. For example, security administrators can allocate all cardholder or patient data repositories in one network segment identified by a security zone (like the Cardholder Data Environment or CDE Zone). Then the administrator can craft security policies that only permit certain users, groups of users, specific applications, or other security zones to access the CDE zone, thereby preventing unauthorized internal or external access to the data stored in that segment.
Figure 6 shows the options available when you select Create a Zone. You need to associate the zone with at least one interface, and select the Zone Protection Profile and Log Setting options. If you want to restrict or block access to the Zone by IP ranges, you can complete the ACL options on the right side.
Once you've created your PCI zone, you need to define rules to allow/block access to it. Figure 3 shows an example of how easy it is for administrators to define straightforward rules to control access to zones.
The first rule, titled PCI, allows users in the Users zone who are in the Finance Active Directory security group to access the
Oracle application in the CC_Servers zone.
The second rule blocks any other users from accessing the CC_Servers zone and logs them.
Figure 6: Two example rules to isolate and protect cardholder data in CC_Servers Zone
Figure 7: Step-by-step screenshots showing creation of two rules to isolate and protect cardholder data in a PCI Zone
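To make the zone and rule behaviour described above concrete, here is an added example (not Palo Alto Networks code and not a PAN-OS API) that models the two rules from the figures as a first-match rulebase and evaluates constructed flows against it. The zone names Users and CC_Servers and the Finance group come from the text; the application name "oracle", the user names, the rule name Block-CC_Servers and the unlogged implicit interzone deny are assumptions made for this illustration. The cde_access_paths helper goes one step further than the text and lists, from the rulebase alone, which source zone, group and application combinations can reach the CDE zone, which is the "connected-to" set an assessor will ask about when deciding what stays in scope.

```python
"""
Zone-based security policy evaluator modelled on the two example rules
in the use case: a "PCI" allow rule for Finance users reaching Oracle in
CC_Servers, followed by a deny-and-log rule for everyone else.
Added example; zone names, group names and flows are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Tuple

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    user: str
    user_groups: frozenset   # directory groups the user belongs to (e.g. from AD)
    application: str


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_zones: frozenset
    groups: frozenset = ANY
    applications: frozenset = ANY
    action: str = "allow"
    log: bool = True

    def matches(self, flow: Flow) -> bool:
        def hit(allowed: frozenset, value: str) -> bool:
            return "any" in allowed or value in allowed

        # A group match means the user is in at least one of the rule's groups.
        group_hit = "any" in self.groups or bool(self.groups & flow.user_groups)
        return (hit(self.src_zones, flow.src_zone)
                and hit(self.dst_zones, flow.dst_zone)
                and group_hit
                and hit(self.applications, flow.application))


# The two rules from the use case, in the order they must be evaluated.
PCI_RULES: Tuple[Rule, ...] = (
    Rule("PCI", frozenset({"Users"}), frozenset({"CC_Servers"}),
         groups=frozenset({"Finance"}), applications=frozenset({"oracle"}),
         action="allow", log=True),
    Rule("Block-CC_Servers", ANY, frozenset({"CC_Servers"}),
         action="deny", log=True),
)


def evaluate(rules: Iterable[Rule], flow: Flow) -> Tuple[str, str, bool]:
    """First match wins. A flow that no rule matches falls to the implicit
    interzone deny, which in this model is not logged (assumption: in a real
    deployment you would enable logging on that default rule as well)."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action, rule.log
    return "interzone-default", "deny", False


def cde_access_paths(rules: Iterable[Rule], cde_zone: str) -> set:
    """Every (source zone, group, application) an allow rule lets into the
    CDE zone, i.e. the 'connected-to' systems that remain part of the
    assessment scope even though they sit outside the zone."""
    paths = set()
    for rule in rules:
        if rule.action != "allow":
            continue
        if not ("any" in rule.dst_zones or cde_zone in rule.dst_zones):
            continue
        for zone in rule.src_zones:
            for group in rule.groups:
                for app in rule.applications:
                    paths.add((zone, group, app))
    return paths


if __name__ == "__main__":
    finance = Flow("Users", "CC_Servers", "jsmith", frozenset({"Finance"}), "oracle")
    print(evaluate(PCI_RULES, finance))                 # ('PCI', 'allow', True)
    print(cde_access_paths(PCI_RULES, "CC_Servers"))    # {('Users', 'Finance', 'oracle')}
```

Rule order is the point worth checking in any real rulebase: evaluating the same Finance flow against the rules in reverse order hits the deny rule first, which is exactly the kind of mistake a staged change to the PCI policy should be tested for before commit.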
[Hospital deployment diagram; labels recoverable from the extraction: Internal Zone (Non-POS Devices, VL90), PCI Zone (POS Devices, VL170), two PA-7050s in L3 mode, Distribution Switches, Core Switches, Edge PA-5050 in L3 mode, Public Routers, Internet]
The above diagram shows how an actual customer, a hospital, deployed next-generation firewalls to isolate point-of-sale devices from
the rest of their network and effectively reduce the scope of compliance to include only the devices within the PCI Zone.
The customer architecture incorporates two redundant PA-7050s in Layer 3 mode hanging off a Cisco distribution switch. A PCI zone
is configured in the NGFW to include VL170, which contains all the POS devices. The customer used several other zones to isolate
various devices on their network, but for simplicity, we will only show the internal and PCI zones. The internal zone is configured in the
NGFW to include VL90, which is the primary internal network where non-POS devices connect. Traffic between the internal and PCI
zones is controlled by a PCI Security Policy defined in PAN-OS.
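The hospital's PCI Security Policy, like the second rule in the earlier figure, denies and logs everything else that tries to reach the PCI zone; those log entries are only useful if someone reviews them. As an added example (not PAN-OS code; the CSV column order is a simplified stand-in chosen for this illustration, not the real PAN-OS traffic log field order, and every log line, address, user name and rule name is constructed), the following parses such traffic log lines, pulls out the denied Internal-to-PCI sessions and summarises them per source so a reviewer can tell a single misconfigured client from a host probing several cardholder systems.

```python
"""
Review of firewall traffic logs for the PCI zone: find sessions denied on
the way into the zone and summarise them per source host.
Added example; the CSV layout is a simplified stand-in for this
illustration, not the real PAN-OS traffic log format, and all lines are
constructed.
"""
import csv
from collections import defaultdict
from io import StringIO
from typing import Dict, List, Set

FIELDS = ["time", "src_zone", "dst_zone", "src_ip", "dst_ip",
          "src_user", "app", "action", "rule"]

# Constructed sample: hosts on VL90 (Internal zone) talking to VL170 (PCI zone).
SAMPLE_LOG = """\
2016/09/01 09:00:01,Internal,PCI,10.90.0.15,10.170.0.5,hosp\\jsmith,oracle,allow,PCI
2016/09/01 09:00:05,Internal,PCI,10.90.0.22,10.170.0.5,hosp\\tlee,ssh,deny,Block-CC_Servers
2016/09/01 09:00:09,Internal,PCI,10.90.0.22,10.170.0.9,hosp\\tlee,ssh,deny,Block-CC_Servers
2016/09/01 09:00:12,Internal,PCI,10.90.0.22,10.170.0.12,hosp\\tlee,ssh,deny,Block-CC_Servers
2016/09/01 09:01:40,Internal,Internal,10.90.0.30,10.90.0.2,hosp\\bkim,dns,allow,intrazone-default
2016/09/01 09:02:00,Internal,PCI,10.90.0.41,10.170.0.5,hosp\\bkim,web-browsing,deny,Block-CC_Servers
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse CSV log text into dicts keyed by FIELDS; malformed rows are skipped
    rather than allowed to abort the whole review."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue
        records.append(dict(zip(FIELDS, row)))
    return records


def denied_into_zone(records: List[Dict[str, str]], zone: str) -> List[Dict[str, str]]:
    """Only sessions that were denied while trying to enter the given zone."""
    return [r for r in records if r["dst_zone"] == zone and r["action"] == "deny"]


def summarise_by_source(records: List[Dict[str, str]]) -> Dict[str, Dict[str, object]]:
    """Per source IP: users seen, number of denied sessions, distinct targets, apps."""
    out = defaultdict(lambda: {"users": set(), "count": 0, "targets": set(), "apps": set()})
    for r in records:
        s = out[r["src_ip"]]
        s["users"].add(r["src_user"])
        s["count"] += 1
        s["targets"].add(r["dst_ip"])
        s["apps"].add(r["app"])
    return dict(out)


def sources_touching_many_targets(summary: Dict[str, Dict[str, object]],
                                  min_targets: int = 3) -> Set[str]:
    """Sources whose denied sessions fan out to several distinct CDE hosts.
    A legitimately misconfigured client normally talks to one server, so
    fan-out is the signal worth a ticket."""
    return {ip for ip, s in summary.items() if len(s["targets"]) >= min_targets}


if __name__ == "__main__":
    denied = denied_into_zone(parse_log(SAMPLE_LOG), "PCI")
    summary = summarise_by_source(denied)
    for ip, s in sorted(summary.items()):
        print(ip, sorted(s["users"]), s["count"], "denied ->", sorted(s["targets"]))
    print("review:", sorted(sources_touching_many_targets(summary)))   # ['10.90.0.22']
```

Feeding the same functions the firewall's syslog export instead of SAMPLE_LOG only requires mapping the real field names onto FIELDS; the review logic (filter on destination zone and action, then group by source) does not change.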
[Fuel-management customer deployment diagram; labels recoverable from the extraction: Fueling Stations (customer's clients with self-managed IT): Location 2 and Location 3, each with an OSP, a Windows PC and GlobalProtect; Amazon Web Services Virtual Private Cloud: GlobalProtect Gateways in AWS (East and West Region) and VM-Series NGFW in AWS; Customer Data Center (On Premise): Central Gateway and data collection servers within the customer data center used to analyze diagnostic info from OSPs]
The above diagram shows how an actual customer, providing fuel management system monitoring services, deployed GlobalProtect and VM-Series virtualized next-generation firewalls into Amazon Web Services (AWS) to prevent cardholder data from entering their own network and, hence, removed their network from the scope of PCI.
The customer monitors underground tanks and lines at thousands of retail fuel stations across the U.S. Using advanced statistical analysis and system diagnostics, the company ensures the accuracy of all consumption readings and proactively identifies tank systems at risk of leaks, illegal siphoning, or other potentially hazardous situations. The customer installs remote data collection devices on each fuel station's local network. These devices are minimally configured network appliances called on-site processors (OSPs). The OSPs collect data from every dispenser, tank and line at the station and transmit it back to the customer's data center for analysis and reporting.
The customer architecture incorporates virtual GlobalProtect Gateways in AWS for geographical optimization (one for the East region, one for the West) and a VM-Series NGFW to block threats and cardholder data from entering their network. By preventing cardholder data from entering their own network, they excluded their data center from the scope of PCI compliance.
Customer References:
Appendix
PCI Security Requirements Supported by the Palo Alto Networks Next-Generation Security Platform
The Palo Alto Networks platform supports many of the 300 individual requirements specified in the PCI DSS, as itemized in the following tables. All references made in this paper to specific requirements are based on PCI DSS version 3.1.
Compliance Capabilities
(Table columns: PCI DSS Requirement | Next-Gen Firewall | WildFire | Traps. The per-product check marks did not survive extraction; only the requirement rows follow.)
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update antivirus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a security policy that addresses information security for all personnel
IX. APPENDIX 1: PCI SECURITY REQUIREMENTS SUPPORTED BY THE PALO ALTO NETWORKS NEXT-GENERATION SECURITY PLATFORM
The Palo Alto Networks platform supports many of the 300 individual requirements specified in the PCI DSS, as itemized in the following table. All references made in this paper to specific requirements are based on PCI DSS 3.1.
(Table columns: PCI DSS Requirement | Supported Sub-Requirements | Description of Capabilities)

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Supported sub-requirements: 1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
Description of capabilities: The Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive least-privileged access control (i.e., deny all applications, users and content except for that which is necessary) for all networks involving cardholder data. Palo Alto Networks supports all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the internet and any CDE system.

Requirement 3: Protect stored cardholder data
Supported sub-requirements: n/a
Description of capabilities: This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored data is appropriately masked and encrypted. Encryption alone does not protect against malware that scrapes the unencrypted cardholder data from memory. Traps prevents exploits and malware from launching malicious code that would try to compromise encryption keys or cardholder data. If key management processes do break down, Traps provides an effective compensating control for PCI DSS Section 3.6.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Supported sub-requirements: 4.1, 4.2
Description of capabilities: Standards-based IPsec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either a TLS- or IPsec-protected connection. With its unique application, user and content identification technologies, the Palo Alto Networks platform is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies (e.g., email, instant messaging, and chat) down to the level of individual functions (e.g., allow messages but disallow attachments and file transfers).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Supported sub-requirements: n/a
Description of capabilities: The Palo Alto Networks security platform includes advanced endpoint protection that provides a much-needed complement to legacy antivirus solutions that are largely incapable of providing protection against unknown malware, zero-day exploits, and advanced persistent threats (APTs).

Requirement 7: Restrict access to cardholder data by business need to know
Supported sub-requirements: 7.2, 7.2.1, 7.2.3
Description of capabilities: Granular, policy-based control over applications, users and content, regardless of the user's device or location, enables organizations to implement definitive, least-privileged access control that truly limits access to cardholder data based on business need to know, with deny all for everything else. Tight integration with Active Directory and other identity stores, plus support for role-based access control, enables enforcement of privileges assigned to individuals based on job classification and function.

Requirement 8: Identify and authenticate access to system components
Supported sub-requirements: 8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6
Description of capabilities: Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smart cards.

Requirement 10: Track and monitor all access to network resources and cardholder data
Supported sub-requirements: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3
Description of capabilities: Palo Alto Networks Next-Generation Security Platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and information management systems, such as Splunk).

Requirement 11: Regularly test security systems and processes
Supported sub-requirements: 11.4
Description of capabilities: Palo Alto Networks Next-Generation Security Platform fully inspects all allowed communication sessions for threat identification and prevention. A single, unified threat engine delivers intrusion prevention (IPS), stream-based antivirus prevention, and blocking of unapproved file types and data. The cloud-based WildFire engine extends these capabilities further by identifying and working in conjunction with on-premise components to prevent unknown and targeted malware and exploits. The net result is comprehensive protection from all types of threat in a single pass of traffic.
Palo Alto Networks, Inc.
4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
© 2016 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies. pci-compliance-with-network-segmentation-uc-090116