March 25 – 27th, 2014 І Orlando, FL
Designing and Implementing a PCI-DSS
Compliant Network using ‘Stealth’
Networks with Avaya Fabric Connect
Ed Koehler – Director
Distinguished CSE
©©2014
2014Avaya
AvayaInc.
Inc.Avaya
Avaya– –Confidential
Confidential& &Proprietary
Proprietary
DoDo
not
not
duplicate,
duplicate,
publish
publish
oror
distribute
distribute
further
further
without
without
the
the
express
express
written
written
permission
permission
of of
Avaya.
Avaya.
#AvayaATF
#AvayaATF
Privacy in a Virtualized World
 Network and Service Virtualization have transformed the
IT industry
 Cloud Services
 Software Defined Networking
 Security and privacy concerns are being expressed by
many risk and security analysts
 Regulatory compliance in a virtualized environment can
be a difficult bar to reach
 Examples are, PCI Compliance, HIPAA, Process flow
and control (SCADA) environments, Video Surveillance
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
2
The Definition of a “Stealth” Network
 Any network that is enclosed and self contained with no reachability
into and/or out of it. It also must be mutable in both services and
coverage characteristics
 The common comparible terms used are MPLS IP-VPN, Routed
Black Hole Network, IP VPN Lite
 Avaya’s Fabric Connect based on IEEE 802.1aq provides for fast
and nimble private networking circuit based capabilities that are
unparalleled in the industry
 “Stealth” Networks are private ‘dark’ networks that are provided as
services within the Fabric Connect cloud
 L2 Stealth
 A non-IP addressed L2 VSN environment
 L3 Stealth
 A L3 VSN IP VPN environment
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
3
Use Case Requirements for “Stealth” Networks
 Networks that require isolation and security





PCI compliance
HIPAA compliance
Financial Exchanges
Video Surveillance (Unicast or Multicast)
SCADA control networks
 Networks that require Services Separation
 Multicast - particularly video surveillance
 Bonjour
 SCADA
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
4
PCI DSS Compliance Requirements
See https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor- supplied defaults for system passwords and other
security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and
contractors
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
5
A Few Words on PCI DSS v 3.0…
 Over 100 new controls defined!!!
 Many are further clarifications on v 2.0
 Main impacting changes
 Inventory of all systems within Card Holder Data Environment (CDE)
 Documented Card Holder data flows within CDE
 Detailed penetration testing requirements
 Concerns over ‘weak’ segmentation
 Further detail on the role & obligations of third parties and service
providers
 Full network and data flow diagrams
 Penetration testing that ‘matches’ CDE as is deployed
 Incorporation of ‘business as usual’ PCI compliant processes and
policies
 Change management and audit – both technical and organizational
 https://www.pcisecuritystandards.org/documents/PCI_DSS_v3.pdf
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
6
PCI-DSS & PA-DSS
 PCI-DSS deals with the whole end to end system implementation as
it is deployed.
 PA-DSS (Payment Application Security Standard) defines what a
compliant application must support as it is designed.
 PA-DSS is derived from PCI-DSS, defines handling of:
 Magnetic Stripe data
 Card Verification Codes & Values
 CAV2,CID,CVC2,CVV2
 PIN’s & PIN Blocks
 PA-DSS compliance applies to ‘off the shelf’ payment applications
 Merchant or SP’s MUST certify ‘in-house’ applications!
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
7
About Network Segmentation…
 While not strictly required for compliance, it is strongly
recommended!
 Network Segmentation can reduce:




The scope of the PCI-DSS assessment
The cost of the PCI-DSS assessment
The cost and difficulty in maintaining systems compliance
Major benefits of overall risk reduction in the systems model
 All of this can be realized IF the network segmentation is secure and
properly designed!
 Proper design leads to consistency and modularity
 Allows for the streamlining of compliance by the use of sampling
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
8
What version 3.0 has to say about segmentation and CDE
(Card Holder Data Environments)
 CDE includes all people, processes and technology
 Validation on ‘where’ Card Holder Data exists


Trace processes and systems
Develop flow diagrams of interacting systems & CHD
 Develop documented penetration testing specific to the CDE


‘Hack Attack’ methodologies
Ongoing evaluation of threats/vulnerabilities/risk
 The more technologies involved in CDE the more penetration testing required!

Fabric Connect used end to end eliminates most if not all other network technologies
 Fabric Connect (IEEE 802.1aq)
 Can significantly reduce ACL requirements and enhance data flow validation!
 Firewalls/IDS
 Servers/Storage and POS
 Authentication -> Identity Engines!
 Management applications!* * Important consideration to ‘lock down’ the
mgmnt. environment. If it manages a system in the CDE. It is part of the CDE!
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
9
Identity Engines & Fabric Connect
Support for PCI Compliance – includes v 3.0 requirments!
 There is no PCI ‘product’. Reports must be submitted to prove compliance.
 Identity aware networking systems can play a key role as one of the PCI
Enforcement Tools to ensure that the PCI audits will prove successful.
 Payment Card data should be segmented and access control should be used to
ensure only authorized resources have access to the Payment Card Data
Network.
PCI Standards
PCI Enforcement
Tools
Control Objectives
Build and Maintain a Secure
Network
Protect Cardholder Data
Maintain a Vulnerability
Management Program
Implement Strong Access
Control Measures
Regularly Monitor and Test
Networks
Maintain an Information
Security Policy
PCI Validation
Audit
PCI Audit
Report
PCI DSS Requirements
1.
Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software on all systems commonly affected by malware
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security
(*) Supported by Identity Engines
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
10
Identity Management and
the ‘Series of Gates’ Security Concept
End
User
Identity
Broker
(IDE)
Fabric Connect
Network
Elements
Secure
PA-DSS Application
General Access
challenge
General Access
PCI-DSS challenge
L3 VSN
Secure
Access
Authentication
Access
ONLY!
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
11
Anatomy of a Layer 3 Stealth Network (IP VPN)
 A SPB I-SID that is associated with End VRF’s
 Multiple IP subnets – completely separate & private
environment
 Provides for a closed IP internet environment
IP forwarding
Fabric Connect Cloud
VRF
I-SID
VLAN
Subnet A
VRF
Secure L3 “Stealth” Network (IP VPN)
VLAN
Subnet B
http://www.youtube.com/watch?v=umR6u5VVdGU
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
12
Anatomy of a Layer 2 Stealth Network




A SPB I-SID that is associated with End VLAN’s
No IP addresses assigned*
Provides for a closed non-IP or single subnet IP based network
Typically when used within the Data Center for PCI-DSS systems (IP
addresses can be used behind security perimeter*)
No IP
No IP
Fabric Connect Cloud
I-SID
VLAN
VLAN
Secure L2 “Stealth” Network
http://www.youtube.com/watch?v=pGSYmqAbjBU
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
13
End-to-End Usage of Stealth networks
for PCI-DSS Compliance – Example Topology
 L3 VSN’s are used and terminated at the field service edge – Alternately
‘Stealth’ L2 VSN’s can also be used
 ‘Stealth’ L2 VSN’s are used within the Secure Data Center
 Identity Engines provides for access control and protection of the PCI-DSS
environment
Secure Single Port
PCA-DSS
Application
Data Center
(Server)
Fabric Connect Cloud
VRF
VLAN
FW/IDS
Subnet A
Secure L2
“Stealth” Networks
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
IDE
#AvayaATF
I-SID
Core Distribution
PCA-DSS
Application
(Client)
VRF
Secure L3 “Stealth”
Network (IP VPN)
VLAN
Subnet B
14
Fully Virtualized Security Perimeter
Data Center Top of Rack
VLANs
Secure L2 VSNs
VLANs
Data Center 1
Secure
Data Center
VLAN
IDE
Core
Network
Data Center VRFs*
*optional
Firewalls
VLAN
IDS/IPS
VLAN
Other user VLANs
Secure L3 VSN
Secure End User VLAN
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
VLANs
Virtualized
Security
Perimiter
Data Center 2
Fabric
Connect
Other user VLANs
Secure End User VLAN
#AvayaATF
15
Fully Virtualized Security Perimeter
Data Center Top of Rack
Secure L2 VSNs
VLANs
VLANs
Fabric
Connect
Data Center 1
Secure
Data Center
Core
Network
VLAN
VLAN
VLAN
Other user VLANs
Data Center VRFs*
*optional
VLAN
Virtualized
Security
Perimiter
IDE
IDE
Secure L3 VSN
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
Firewalls
VLAN
IDS/IPS
Card Holder
Data Environment
Secure End User VLAN
Data Center 2
VLAN
Other user VLANs
Secure End User VLAN
#AvayaATF
16
The scoop on Sampling…
 Sampling allows for the ability to drastically reduce the overall
complexity (and cost) of compliance
 Requires consistency and modularity in order to provide for
maximum return
 Modules of the overall solution can be built and templated. Faithful
reproduction is strictly required!
 Can drastically reduce compliance costs and ongoing maintenance
 BEWARE! Small divergence in details CAN cause NONCOMPLIANCE
 i.e. PA-DSS app. “A” on OS “1” is different from PA-DSS app. “A” on OS
“2”
 Or storage on FC is different from iSCSI or NAS
 V 3.0 increases focus on end to end validation of CDE. Templates
and consistency are more important than ever!
 Penetration testing methods should be developed and documented
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
17
As per ‘Appendix D’… does not change in v3.0
Fabric Connect
addresses all
segmentation
requirements!
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
18
Modularity and Sampling Concept
Data Center Systems
Storage
Systems
Compute
Systems
Firewall/IDS
Security
Demarcation
Remote site systems
App/OS
Switch/Network
Secure Single Port
PCA-DSS
Application
Data Center
(Server)
Fabric Connect Cloud
VRF
VLAN
Network
Distribution
Systems
FW/IDS
Subnet A
Secure L2
“Stealth” Networks
Do not duplicate, publish or distribute further without the express written permission of Avaya.
VRF
VLAN
Subnet B
IDE
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
I-SID
Core Distribution
PCA-DSS
Application
(Client)
Secure L3 “Stealth”
Network (IP VPN)
#AvayaATF
19
PCI-DSS Compliance Design Checklist
 Terminate L3 VSN’s as close to the edge as possible
 When it is not possible. Extend to edge with Secure “Stealth” L2 VSN’s off of the
VRF*
 Limit port membership into Security Demarcation points.
 Single port ideally
 Limit port memberships to ONLY PA-DSS endpoints
 IDE can provide for complete assurance of proper network placement and ID
Management of PA-DSS systems.
 Be sure to limit ONLY PA-DSS applications to the Dark Horse environment
 Validate Firewall Security Policy Databases (TEST!)
 Any public Internet or Wireless usage will require encryption
 MACsec can be used for Ethernet Trunk protection where required
 IPSec and SSL VPN can be used for secure remote VPN
 Develop a detailed network diagram of how the CDE relates to the whole
network topology with a focus on isolation methods
 Highlight Card Holder Data flow
* Multicast is NOT supported in this configuration
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
20
In Conclusion…
 While IP Virtual Private Networks are nothing new, Avaya takes the
concept to a new level with Fabric Connect
 Flexible and nimble service extensions and nodal mutability lend
itself to an incredibly mobile secure networking paradigm
 “Stealth” Networking – Fast, nimble and invisible
 “Stealth” Networks can be used to facilitate traditional privacy
concerns such a PCI and HIPAA compliance
 Next generation private network requirements such as mobility for
emergency response, military and/or field based operations
 Avaya’s Fabric Connect can deliver all modes of secure private
connectivity
 Layer 2 requirements
 Layer 3 requirements
 Mobile requirements
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
21
Ed Koehler
You Tube Channel https://www.youtube.com/channel/UC
n8AhOZU3ZFQI-YWwUUWSJQ
Blog –
http://edkoehler.wordpress.com/
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
#AvayaATF
BEST OF ATF
SPEAKER AND TEAM AWARD
BE SURE TO
TWEET YOUR FEEDBACK
ON THIS PRESENTATION
#AvayaATF
Winners will be announced at closing of event
© 2014 Avaya Inc. Avaya – Confidential & Proprietary
Do not duplicate, publish or distribute further without the express written permission of Avaya.
#AvayaATF
23
#AvayaATF