“I’ll gladly sell you one session for the price of two… perhaps three”
I’ve been through audits, I’ve assisted in conducting audits, and I’ve been on the remediation end of audits. One common theme is that when the quotes start rolling in, the customer usually takes a beating from the cost of hardware and support. Now, PCI is larger than just network components, but let’s focus on some of those parts for now.
A startup that has been growing and processing more and more credit card transactions, whether from online services or in-person merchant purchases, has probably been working with bare-minimum, due-diligence designs. There may not even be an official data center. For web-based transactions, you may have some leased servers from company “x” running a LAMP stack with haproxy/nginx and iptables. Maybe you are considering leasing space or building a small data center to migrate into, with firewalls and load balancers making up part of the new design. You might as well start preparing now for the inevitable.
The company you bring in to do the audit should not just be there checking off boxes. They should be doing a pre-audit, designed to help you close the remediation items, or “gaps”, between being non-compliant and being compliant. As you make your way through the pre-audit comments, you’ll probably see suggestions based on the diagram to the right.
I’d like to propose a challenge for those going through an audit or preparing for next year’s fire drill. Let’s suppose we expect 15 million concurrent sessions flowing through our load balancers at any given time. We have multiple pairs of load balancers in our DC, which means we need really large firewalls too.
Have a look at the terms and definitions below, as described by the PCI DSS glossary of terms. Can you come up with an inexpensive solution for this design? We’ll talk about traffic flow and whether a network is considered in scope for audit purposes in the next post.
Firewall: Hardware and/or software technology that protects network resources from unauthorized access. A firewall permits or denies computer traffic between networks with different security levels based upon a set of rules and other criteria.
Private Network: Network established by an organization that uses private IP address space. Private networks are commonly designed as local area networks. Private network access from public networks should be properly protected with the use of firewalls and routers.
Stateful Inspection: Also called “dynamic packet filtering.” Firewall capability that provides enhanced security by keeping track of the state of network connections. Programmed to distinguish legitimate packets for various connections, only packets matching an established connection will be permitted by the firewall; all others will be rejected.
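As an added example (not the post’s own answer to the challenge, and not any vendor’s product), here is a shell script that emits a default-deny, stateful iptables ruleset for a Linux host fronting the load balancers and sizes the kernel’s conntrack table for the 15 million concurrent sessions in the challenge. The interface name, the open ports, the 25% headroom and the per-entry memory figures are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a stateful iptables/conntrack
# ruleset for a Linux host in front of the load balancers, sized for the
# post's 15 million concurrent sessions. Interface name, ports and the
# per-entry memory figures are assumptions for illustration.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 applies them (needs root).

EXPECTED_SESSIONS="${EXPECTED_SESSIONS:-15000000}"
HEADROOM_PCT=25                        # assumption: keep 25% of the table free
UNTRUSTED_IF="${UNTRUSTED_IF:-eth0}"   # hypothetical public-facing interface

# Conntrack table size: expected concurrent sessions plus headroom. Once the
# table is full the kernel drops new connections ("nf_conntrack: table full").
conntrack_max_for() {
    sessions="$1"
    echo $(( sessions + sessions * HEADROOM_PCT / 100 ))
}

# Hash buckets: the kernel default is conntrack_max / 8; rounded up here to a
# power of two so lookups stay short instead of walking long bucket chains.
hashsize_for() {
    max="$1"
    want=$(( max / 8 ))
    size=1
    while [ "$size" -lt "$want" ]; do size=$(( size * 2 )); done
    echo "$size"
}

# Rough kernel memory needed (MiB): assumed ~320 bytes per entry and
# 8 bytes per hash bucket. Check the real figure against /proc/slabinfo.
conntrack_mem_mib() {
    max="$1"
    hs="$2"
    echo $(( (max * 320 + hs * 8) / 1048576 ))
}

# Emit sysctls plus a default-deny, stateful ruleset. Everything is printed,
# so the output doubles as a reviewable config to hand to the auditor.
render_rules() {
    max=$(conntrack_max_for "$EXPECTED_SESSIONS")
    hs=$(hashsize_for "$max")
    cat <<EOF
# conntrack sizing for ~$EXPECTED_SESSIONS concurrent sessions (~$(conntrack_mem_mib "$max" "$hs") MiB)
sysctl -w net.netfilter.nf_conntrack_max=$max
echo $hs > /sys/module/nf_conntrack/parameters/hashsize
# idle TCP sessions default to a 5-day timeout; shorten it so the table recycles
sysctl -w net.netfilter.nf_conntrack_tcp_timeout_established=3600
# default deny, then stateful accept (the glossary's "stateful inspection")
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $UNTRUSTED_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -i $UNTRUSTED_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
EOF
}

if [ "${DRY_RUN:-1}" = "1" ]; then
    render_rules
else
    render_rules | sh
fi
```

The ESTABLISHED,RELATED line is the stateful-inspection behaviour the glossary describes, and the DROP policies are the “all others will be rejected” part. The sizing is the practical catch: at the assumed per-entry cost, 15 million sessions plus headroom needs roughly 5.7 GiB of kernel memory on whatever box does the tracking, so a commodity Linux firewall can hold the table, but only if nf_conntrack_max and the hash size are raised from their defaults and the 5-day established timeout is shortened; otherwise the first thing you see under load is “table full, dropping packet”.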