ed koehler – director – ww dse distinguished engineer

© 2014 Avaya Inc. Avaya – Confidential & ProprietaryDo not duplicate, publish or distribute further without the express written permission of Avaya. #AvayaATF

May 14th-16th , 2014 І Singapore

#AvayaATF© 2014 Avaya Inc. Avaya – Confidential & ProprietaryDo not duplicate, publish or distribute further without the express written permission of Avaya.

Designing and Implementing a PCI-DSS Compliant Network using ‘Stealth’ Networks with Avaya Fabric ConnectEd Koehler – Director – WW DSEDistinguished Engineer

© 2014 Avaya Inc. Avaya – Confidential & ProprietaryDo not duplicate, publish or distribute further without the express written permission of Avaya. #AvayaATF 2

Privacy in a Virtualized World

Network and Service Virtualization have transformed the IT industry Cloud Services Software Defined Networking

Security and privacy concerns are being expressed by many risk and security analysts

Regulatory compliance in a virtualized environment can be a difficult bar to reach

Examples are, PCI Compliance, HIPAA, Process flow and control (SCADA) environments, Video Surveillance


The Definition of a “Stealth” Network

Any network that is enclosed and self contained with no reachability into and/or out of it. It also must be mutable in both services and coverage characteristics

The common comparible terms used are MPLS IP-VPN, Routed Black Hole Network, IP VPN Lite

Avaya’s Fabric Connect based on IEEE 802.1aq provides for fast and nimble private networking circuit based capabilities that are unparalleled in the industry

“Stealth” Networks are private ‘dark’ networks that are provided as services within the Fabric Connect cloud L2 Stealth

A non-IP addressed L2 VSN environment L3 Stealth

A L3 VSN IP VPN environment


Use Case Requirements for “Stealth” Networks

Networks that require isolation and security PCI compliance HIPAA compliance Financial Exchanges Video Surveillance (Unicast or Multicast) SCADA control networks

Networks that require Services Separation Multicast - particularly video surveillance Bonjour SCADA


PCI DSS Compliance RequirementsSee https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor- supplied defaults for system passwords and other security parameters

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

10.Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

12.Maintain a policy that addresses information security for employees and contractors

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf


A Few Words on PCI DSS v 3.0…

Over 100 new controls defined!!! Many are further clarifications on v 2.0

Main impacting changes Inventory of all systems within Card Holder Data Environment (CDE) Documented Card Holder data flows within CDE Detailed penetration testing requirements

Concerns over ‘weak’ segmentation Further detail on the role & obligations of third parties and service

providers Full network and data flow diagrams Penetration testing that ‘matches’ CDE as is deployed Incorporation of ‘business as usual’ PCI compliant processes and

policies Change management and audit – both technical and organizational https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf

https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf


PCI-DSS & PA-DSS

PCI-DSS deals with the whole end to end system implementation as it is deployed.

PA-DSS (Payment Application Security Standard) defines what a compliant application must support as it is designed.

PA-DSS is derived from PCI-DSS, defines handling of: Magnetic Stripe data Card Verification Codes & Values

CAV2,CID,CVC2,CVV2 PIN’s & PIN Blocks

PA-DSS compliance applies to ‘off the shelf’ payment applications Merchant or SP’s MUST certify ‘in-house’ applications!


About Network Segmentation…

While not strictly required for compliance, it is strongly recommended!

Network Segmentation can reduce: The scope of the PCI-DSS assessment The cost of the PCI-DSS assessment The cost and difficulty in maintaining systems compliance Major benefits of overall risk reduction in the systems model

All of this can be realized IF the network segmentation is secure and properly designed!

Proper design leads to consistency and modularity Allows for the streamlining of compliance by the use of sampling


What version 3.0 has to say about segmentation and CDE (Card Holder Data Environments)

CDE includes all people, processes and technology Validation on ‘where’ Card Holder Data exists

Trace processes and systems Develop flow diagrams of interacting systems & CHD

Develop documented penetration testing specific to the CDE ‘Hack Attack’ methodologies Ongoing evaluation of threats/vulnerabilities/risk

The more technologies involved in CDE the more penetration testing required! Fabric Connect used end to end eliminates most if not all other network technologies

Fabric Connect (IEEE 802.1aq) Can significantly reduce ACL requirements and enhance data flow validation!

Firewalls/IDS Servers/Storage and POS Authentication -> Identity Engines! Management applications!* * Important consideration to ‘lock down’ the

mgmnt. environment. If it manages a system in the CDE. It is part of the CDE!


Identity Engines & Fabric ConnectSupport for PCI Compliance – includes v 3.0 requirments!

There is no PCI ‘product’. Reports must be submitted to prove compliance. Identity aware networking systems can play a key role as one of the PCI

Enforcement Tools to ensure that the PCI audits will prove successful. Payment Card data should be segmented and access control should be used to

ensure only authorized resources have access to the Payment Card Data Network.

Control Objectives PCI DSS RequirementsBuild and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data 3. Protect stored cardholder data4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software on all systems commonly affected by malware6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know8. Assign a unique ID to each person with computer access9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data11. Regularly test security systems and processes

Maintain an Information Security Policy 12. Maintain a policy that addresses information security

PCI Standards PCI Enforcement Tools PCI Validation Audit PCI Audit Report

(*) Supported by Identity Engines


Identity Management and the ‘Series of Gates’ Security Concept

EndUser

IdentityBroker(IDE)

Fabric Connect NetworkElements

SecureCDE

General Access challenge

PCI-DSS challengeGeneral Access

L3 VSNSecureAccessAuthentication

Access ONLY!


Anatomy of a Layer 3 Stealth Network (IP VPN)

A SPB I-SID that is associated with End VRF’s Multiple IP subnets – completely separate & private IP forwarding

environment Provides for a closed IP internet environment

VLANVLANI-SID

Secure L3 “Stealth” Network (IP VPN)Subnet A Subnet B

VRFVRF

Fabric Connect Cloud

http://www.youtube.com/watch?v=umR6u5VVdGU




Anatomy of a Layer 2 Stealth Network

A SPB I-SID that is associated with End VLAN’s No IP addresses assigned* Provides for a closed non-IP or single subnet IP based network Typically when used within the Data Center for PCI-DSS systems*

VLANVLANI-SID

Secure L2 “Stealth” Network

No IPNo IP


http://www.youtube.com/watch?v=pGSYmqAbjBU

http://www.youtube.com/watch?v=pGSYmqAbjBU


End-to-End Usage of Stealth networks for PCI-DSS Compliance – Example Topology

L3 VSN’s are used and terminated at the field service edge – Alternately ‘Stealth’ L2 VSN’s can also be used

‘Stealth’ L2 VSN’s are used within the Secure Data Center Identity Engines provides for access control and protection of the PCI-DSS

environment

VLANVLAN I-SID

Secure L3 “Stealth” Network (IP VPN)

Subnet A Subnet B

VRFVRF


FW/IDS

Secure L2 “Stealth” Networks

Core DistributionData Center

PCA-DSSApplication(Client)

IDE

PCA-DSSApplication(Server)

Secure Single Port


Fully Virtualized Security Perimeter

Data Center VRFs* *optional

Data Center Top of Rack

Secure L3 VSN

FabricConnect

Data Center 1 Data Center 2

VirtualizedSecurityPerimiter

Secure L2 VSNs

CoreNetwork

SecureData Center Firewalls

IDS/IPS

VLANsVLANsVLANs

Secure End User VLANSecure End User VLAN

VLAN

VLAN

VLAN

Other user VLANsOther user VLANs

IDE


Fully Virtualized Security Perimeter

Data Center VRFs* *optional

Data Center Top of Rack

FabricConnect

Data Center 1 Data Center 2

Secure L2 VSNs

CoreNetwork

SecureData Center

VLANsVLANs

Secure End User VLANSecure End User VLAN

VLAN

VLAN

VLAN

Other user VLANsOther user VLANsSecure L3 VSN

VLAN

VLAN

VLAN

VirtualizedSecurityPerimiter

Firewalls

IDS/IPSIDE IDE

Card Holder Data Environment


The scoop on Sampling…

Sampling allows for the ability to drastically reduce the overall complexity (and cost) of compliance

Requires consistency and modularity in order to provide for maximum return

Modules of the overall solution can be built and templated. Faithful reproduction is strictly required!

Can drastically reduce compliance costs and ongoing maintenance BEWARE! Small divergence in details CAN cause NON-

COMPLIANCE i.e. PA-DSS app. “A” on OS “1” is different from PA-DSS app. “A” on OS

“2” Or storage on FC is different from iSCSI or NAS

V 3.0 increases focus on end to end validation of CDE. Templates and consistency are more important than ever!

Penetration testing methods should be developed and documented


As per ‘Appendix D’… does not change in v3.0

Fabric Connectaddresses all segmentation requirements!


Modularity and Sampling Concept

VLANVLAN I-SID

Secure L3 “Stealth” Network (IP VPN)

Subnet A Subnet B

VRFVRF


FW/IDS

Secure L2 “Stealth” Networks

Core DistributionData Center

PCA-DSSApplication(Client)

IDE

PCA-DSSApplication(Server)

Secure Single Port

Remote site systemsApp/OSSwitch/Network

Network Distribution Systems

Firewall/IDSSecurity Demarcation

Data Center Systems

Compute Systems

Storage Systems


Validation requirements for Merchants

20

Network Scan SAQ Site Audit

MasterCard VISA Discover AMEX

6M

2.5M

1M

50K

Level 4 Level 1

#’s oftransactions

Quarterly external scan performed by ASV

Yearly self-assessment questionnaire

Yearly on-site assessment by QSA or ISA


Validation requirements for Service Providers

21

Network Scan SAQ Site Audit

MasterCard VISA Discover AMEX

2.5M

300K

50K

Level 4 Level 1

#’s oftransactions


PCI-DSS Compliance Design Checklist Terminate L3 VSN’s as close to the edge as possible

When it is not possible. Extend to edge with Secure “Stealth” L2 VSN’s off of the VRF*

When using Stealth L2 VSN’s terminate only POS end points to the security demarcation

Limit port membership into Security Demarcation points. Single port per endpoint ideally

Limit port memberships to ONLY point of sale endpoints IDE can provide for complete assurance of proper network placement and ID

Management of PA-DSS systems. Be sure to limit ONLY point of sale applications to the CDE Validate Firewall Security Policy Databases at ALL demarcations (TEST!) Any public Internet or Wireless usage will require encryption

MACsec can be used for Ethernet Trunk protection where required IPSec and SSL VPN can be used for secure remote VPN

Develop a detailed network diagram of how the CDE relates to the whole network topology with a focus on isolation methods Highlight Card Holder Data flow

* Multicast is NOT supported in this configuration


In Conclusion…

While IP Virtual Private Networks are nothing new, Avaya takes the concept to a new level with Fabric Connect

Flexible and nimble service extensions and nodal mutability lend itself to an incredibly mobile secure networking paradigm “Stealth” Networking – Fast, nimble and invisible

“Stealth” Networks can be used to facilitate traditional privacy concerns such a PCI and HIPAA compliance

Next generation private network requirements such as mobility for emergency response, military and/or field based operations

Avaya’s Fabric Connect can deliver all modes of secure private connectivity Layer 2 requirements Layer 3 requirements Mobile requirements

© 2014 Avaya Inc. Avaya – Confidential & ProprietaryDo not duplicate, publish or distribute further without the express written permission of Avaya. #AvayaATF#AvayaATF

Thank You!Ed Koehler You Tube Channel - https://www.youtube.com/channel/UCn8AhOZU3ZFQI-YWwUUWSJQBlog – http://edkoehler.wordpress.com/

https://www.youtube.com/channel/UCn8AhOZU3ZFQI-YWwUUWSJQ

https://www.youtube.com/channel/UCn8AhOZU3ZFQI-YWwUUWSJQ

http://edkoehler.wordpress.com/

http://edkoehler.wordpress.com/


BE SURE TO TWEET YOUR FEEDBACK ON THIS PRESENTATION

#AvayaATF

25

BEST OF ATF SPEAKER AND TEAM AWARD

Winners will be announced at closing of event

#AvayaATF

ed koehler – director – ww dse distinguished engineer

Documents

avaya fabric

pci dss

pcidss compliant network

pci compliance

stealth networking services

stealth networkany network

industrystealth networks

public services