Palo Alto Networks | Simplify PCI Compliance With Network Segmentation | Use Case 1
USE CASE: Simplify PCI Compliance With Network Segmentation
• Reduce the number of system components that must be maintained in compliance, both on a regular basis and whenever
the PCI requirements are updated.
• Reduce the number of system components and processes that must be periodically audited to demonstrate compliance.
• Reduce and simplify management of the policies, access control and threat prevention rules that apply to the CDE.
• Reduce troubleshooting and forensic analysis effort by narrowing the scope of related investigations.
• Greatly improve the organization’s ability to contain and limit the spread of threats.
Traditional Approaches
A flat network casts a wide scope of compliance. Organizations that do not isolate their PCI devices, such as point-of-sale devices,
credit card-processing workstations and servers, typically face more challenges during their periodic PCI assessments than
those that segment PCI devices. Any network segment that processes or transmits unencrypted credit card information must meet
all PCI DSS requirements. In a flat, unsegmented network, the entire network is in scope for the PCI DSS.
VLANS were designed for traffic management, not security. Your Qualified Security Assessor (QSA) will likely agree that VLANs and
ACLs do not provide the necessary security controls to meet PCI requirements and are extremely difficult to manage at enterprise
scale. VLANs were designed for traffic management and, alone, are not capable of enforcing the control of privileged information.
Alternative security options, like legacy port-based firewalls, also fail in this regard because they are indiscriminate about the traffic
that’s allowed through and do not safely enable the actions of the users for a segment. For example, there is no way to determine
which applications are being used, which data is being accessed, or if specific users are allowed to be in a particular segment in the
first place.
It is not sufficient to merely meet PCI requirements. By its own admission, the PCI DSS provides “a baseline of technical and operational
requirements” for protecting cardholder data. Not only do the specified countermeasures represent a minimum standard of due care,
but also – as a result of the now three-year period between revisions – they often lag behind significant changes to the technology
and threat landscapes.
One self-acknowledged example of this situation is provided by the requirement to “deploy anti-virus software on all systems commonly
affected by malicious software (particularly personal computers and servers)” in PCI DSS section 5.1. In this case, the DSS explicitly
mentions the consideration of “additional anti-malware solutions … as a supplement to the anti-virus software” – presumably in
recognition of the poor track record such software has of stopping modern, polymorphic malware and zero-day exploits.
A second example comes from the requirement to “implement stateful inspection” technology as part of the solution to “prohibit direct
public access between the internet and any system component in the cardholder data environment” in PCI DSS section 1.3.6.
Commentary from Verizon® on this requirement says it all: “The DSS still specifies stateful-inspection firewalls, first launched in 1994.
As the threats to the CDE become more complex, these devices are less able to identify all unauthorized traffic and often get overloaded
with thousands of out-of-date rules. To address this, vendors are now offering ‘next generation’ firewalls that can validate the traffic
at layers 2 to 7, potentially allowing far greater levels of granularity in the rules.”4
Specific examples aside, the key point to realize here is that it’s typically necessary – if not imperative – for security and compliance
teams to go above and beyond the DSS requirements in order to establish a security architecture that more effectively addresses
modern/emerging threats and more closely aligns with their organization’s tolerance for risk.
Description:
to substantially reduce their attack surface, block all known threats with an integral threat prevention engine, and quickly discover
and protect against unknown threats using the WildFire™ cloud-based threat analysis service. Next-generation endpoint security
capable of stopping unknown threats and automated coordination among the natively integrated solution components complete the
picture. The net result is a truly innovative platform that delivers maximum protection for an organization’s entire computing
environment while greatly reducing the need for costly human intervention and remediation.
[Figure 1: Palo Alto Networks Next-Generation Security Platform. Panels: Threat Intelligence Cloud; Next-Generation Firewall;
Advanced Endpoint Protection; Natively Integrated; Extensible.]
4. http://www.verizonenterprise.com/pcireport/2015/
Next-Generation Security Platform Helps Meet and Exceed Multiple Requirements
Reducing the scope of compliance with effective network segmentation is only one way Palo Alto Networks supports organizations in
their efforts to achieve PCI compliance. It also helps by addressing many of the individual requirements specified in the DSS, as
detailed in Appendix 1.
Did you know? Traps helps you fulfill two PCI requirements:
PCI DSS Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs.
• Traps™ advanced endpoint protection is an innovative technology that prevents exploits and malware, both known and unknown,
and exceeds the original PCI DSS requirement, resulting in a much stronger security and compliance posture.
PCI DSS Requirement 6: Develop and maintain secure systems and applications.
• Palo Alto Networks customers have reported that their PCI QSA approved the use of the Traps Exploit Prevention feature as
a compensating control for systems that cannot be patched in a timely manner.
Business Benefits of Exceeding PCI Compliance Using the Next-Generation Security Platform
Several examples have already been provided where the Palo Alto Networks platform goes above and beyond PCI DSS requirements
to deliver the greater levels of protection today’s organizations need, including:
• Reduced scope of compliance by isolating PCI devices. The next-generation firewall controls the flow of information within
the CDE zone based on the principle of least privilege to block/deny all users, applications and content except that which is
absolutely necessary.
• Reduced exposure to attack of networked systems from known/unknown attacks, malware and vulnerabilities. The Next-
Generation Firewall, Threat Intelligence Cloud and Advanced Endpoint Protection are natively integrated to ensure that threats
are quickly identified at all threat vectors into your network and stopped.
• Empower your security team with greater visibility. Native integration within the platform empowers your security team to
quickly identify the important data points that require attention.
Another way our approach delivers next-generation protection that exceeds the DSS’s baseline requirements is by providing
extensive information sharing and coordination among elements of the platform. For example, new protections developed from
WildFire’s real-time threat intelligence are automatically distributed to our customers’ systems in as few as five minutes. The net
result of natively integrated threat prevention capabilities is a closed-loop architecture that delivers unparalleled threat response
without the need for manual and time-consuming interventions by an already overwhelmed security team.
We Need Better Firewalls
“One of the criticisms that we made of DSS 3.0 in our 2014 report is that it still refers to stateful-inspection firewalls, a technology
that most security professionals consider outdated. Malware and hacker attacks that can bypass stateful-inspection access controls
have been common for nearly a decade. While other security standards have moved on, PCI DSS has not. […] Their ability to
monitor activity at the application level, deal with the explosive growth in the number of devices, and block increasingly
sophisticated threats make next-generation firewalls a must-have.”
– Verizon 2015 PCI Compliance Report
Architectural Vision
Architecture Considerations:
As you plan your PCI segmentation strategy, it is important to understand the types of devices that will be considered in scope
versus out of scope for PCI DSS compliance. The following are some examples of device types that may exist in your environment:
POS PC: PCs or registers used as points of sale may be considered in scope.
Laptop/Office PC: Laptops used in departments that do not process credit card numbers are usually considered out of scope.
Reference Architecture
The PCI Reference Architecture below outlines recommended zones of isolation for merchants, regardless of the size of the organization.
Security zones are logical containers for physical interfaces, VLANs, IP address ranges or a combination thereof. The switch and
next-generation firewall icons in the diagram indicate the flexibility of using one, the other, or a combination of both types of devices
to enforce isolation all the way to the Ethernet jack, or access point.
[Reference architecture diagram: isolation zones (including ZONE: Voice) enforced by switches and a Next-Generation Firewall, with a
router connecting to the Data Center/WAN.]
Implementation Overview
Products required:
• Next-Generation Firewall
• Threat Prevention Subscription
• WildFire Subscription
[Figure 4 diagram: a PCI zone containing the cardholder servers, separated by Palo Alto Networks firewalls from zones for finance
users, development servers, infrastructure servers and end-user workstations.]
Figure 4: Segmented network with Palo Alto Networks isolates cardholder data
Figure 6 shows the options available when you select ‘Create a Zone.’ You need to associate the zone with at least one interface, and
select the Zone Protection Profile and Log Setting options. If you want to restrict or block access to the zone by IP ranges, you can
complete the ACL options on the right side.
Once you’ve created your PCI zone, you need to define rules to allow/block access to it. Figure 3 shows an example of how easy it
is for administrators to define straightforward rules to control access to zones.
• The first rule, titled “PCI,” allows users in the Users zone who are in the “Finance” Active Directory security group to access the
Oracle® application in the CC_Servers zone.
• The second rule blocks any other users from accessing the CC_Servers zone and logs them.
Figure 6: Two example rules to isolate and protect cardholder data in CC_Servers zone
Figure 7: Step-by-step screenshots showing creation of two rules to isolate and protect cardholder data in a PCI zone
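To make the two rules above concrete, the following is an added example (not code from this document, not PAN-OS configuration and not a vendor API) that simulates first-match, default-deny evaluation of the Users -> CC_Servers policy. The zone, group and application names come from the text; the user names and session records are constructed for illustration.

```python
"""Simulated zone-based security policy: first matching rule wins, and traffic
between zones that matches no rule is denied.  Added example; the rule set
mirrors the two rules described in the use case, the sessions are constructed."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    user: str
    groups: frozenset      # directory groups the user belongs to (User-ID style)
    application: str       # what the traffic was identified as, not a TCP port


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    source_group: str      # ANY or a directory security group
    application: str       # ANY or an application name
    action: str            # "allow" or "deny"
    log: bool = True

    def matches(self, s: Session) -> bool:
        return (self.from_zone in (ANY, s.src_zone)
                and self.to_zone in (ANY, s.dst_zone)
                and (self.source_group == ANY or self.source_group in s.groups)
                and self.application in (ANY, s.application))


# Rule 1: Finance users in the Users zone may reach Oracle in CC_Servers.
# Rule 2: every other session to CC_Servers is blocked and logged.
PCI_RULES = [
    Rule("PCI", "Users", "CC_Servers", "Finance", "oracle", "allow"),
    Rule("Block-CC_Servers", ANY, "CC_Servers", ANY, ANY, "deny", log=True),
]


def evaluate(rules, s: Session, audit: list) -> str:
    """Return the action for one session and append a log line for it."""
    for r in rules:
        if r.matches(s):
            if r.log:
                audit.append(f"{r.name} {r.action} {s.user} {s.src_zone}->{s.dst_zone} {s.application}")
            return r.action
    # No explicit rule: interzone traffic is denied by default (least privilege).
    audit.append(f"interzone-default deny {s.user} {s.src_zone}->{s.dst_zone} {s.application}")
    return "deny"


# Constructed sessions covering the allow path, a wrong application, a
# non-Finance user and a zone the policy never mentions.
SESSIONS = {
    "finance_oracle": Session("Users", "CC_Servers", "alice", frozenset({"Finance"}), "oracle"),
    "finance_smb": Session("Users", "CC_Servers", "alice", frozenset({"Finance"}), "ms-ds-smb"),
    "hr_oracle": Session("Users", "CC_Servers", "bob", frozenset({"HR"}), "oracle"),
    "finance_other_zone": Session("Users", "Development", "alice", frozenset({"Finance"}), "oracle"),
}


def decisions():
    """Evaluate every constructed session; returns (decisions, audit log)."""
    audit = []
    return {k: evaluate(PCI_RULES, s, audit) for k, s in SESSIONS.items()}, audit


if __name__ == "__main__":
    result, log = decisions()
    for name, action in result.items():
        print(f"{name:20} {action}")
    print("\n".join(log))
```

Only the Finance user running Oracle is allowed; the same user with a different application is caught by the explicit deny rule and logged, which is the behaviour an assessor looks for in Requirement 7 and 10 evidence.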
[Diagram: Internal Zone (non-POS devices, VL90) and PCI Zone (POS devices, VL170) enforced by redundant PA-7050s in L3 mode
attached to distribution and core switches; an edge PA-5050 in L3 mode and public routers connect to the Internet.]
The above diagram shows how an actual customer, a hospital, deployed next-generation firewalls to isolate point-of-sale devices
from the rest of their network and effectively reduce the scope of compliance to include only the devices within the PCI zone.
The customer architecture incorporates two redundant PA-7050s in Layer 3 mode hanging off a Cisco distribution switch. A PCI
zone is configured in the NGFW to include VL170, which contains all the POS devices. The customer used several other zones
to isolate various devices on their network, but for simplicity, we will only show the internal and PCI zones. The internal zone is
configured in the NGFW to include VL90, which is the primary internal network where non-POS devices connect. Traffic between
the internal and PCI zones is controlled by a PCI Security Policy defined in PAN-OS®.
[Diagram: fueling stations (the customer’s clients with self-managed IT; Locations 2 and 3, each with an OSP and a Windows PC
running GlobalProtect) connect through GlobalProtect gateways and a VM-Series NGFW in an Amazon Web Services Virtual Private
Cloud (West Region) to the customer’s on-premise data center, where a central gateway and data collection servers analyze
diagnostic info from OSPs.]
The above diagram shows how an actual customer, providing fuel management system monitoring services, deployed GlobalProtect
and VM-Series virtualized next-generation firewalls into Amazon® Web Services to prevent cardholder data from entering their own
network and, hence, removed their network from the scope of PCI.
The customer monitors underground tanks and lines at thousands of retail fuel stations across the U.S. Using advanced statistical
analysis and system diagnostics, the company ensures the accuracy of all consumption readings and proactively identifies tank
systems at risk of leaks, illegal siphoning, or other potentially hazardous situations. The customer installs remote data collection
devices on each fuel station’s local network. These devices are minimally configured network appliances called “on-site processors.”
The OSPs collect data from every dispenser, tank and line at the station and transmit it back to the customer’s data center for
analysis and reporting.
The customer architecture incorporates virtual GlobalProtect™ gateways in AWS® for geographical optimization (one for the East
region, one for the West) and a VM-Series NGFW to block threats and cardholder data from entering their network. By preventing
cardholder data from entering their own network, they excluded their data center from the scope of PCI compliance.
Technical Benefits
• Simplified security architecture
• Multiple integration options facilitate ease of deployment into any environment
Customer References:
“Palo Alto Networks provides exactly what CRHC was looking for. While the original reason for looking at Palo Alto Networks was
PCI compliance – which has been achieved – the benefits provided far exceed compliance.”
Appendix
PCI Security Requirements Supported by Palo Alto Networks Next-Generation Security Platform
The Next-Generation Security Platform supports many of the 300 individual requirements specified in the PCI DSS, as
itemized in the following tables.
Compliance Capabilities
Table columns: PCI DSS Requirement | Next-Gen Firewall | WildFire | Traps
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a security policy that addresses information security for all personnel
PCI Security Requirements Supported by the Palo Alto Networks Next-Generation Security Platform
The Next-Generation Security Platform supports many of the 300 individual requirements specified in the PCI DSS, as itemized
in the following table.
Table columns: PCI DSS Requirement | Supported Sub-Requirements | Description of Capabilities

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Supported sub-requirements: 1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8
Description of capabilities: Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive
least-privileged access control (i.e., deny all applications, users and content except for that which is necessary) for all networks
involving cardholder data. Palo Alto Networks supports all sub-requirements pertaining to DMZ implementations intended to
prohibit direct public access between the internet and any CDE system.

Requirement 3: Protect stored cardholder data
Supported sub-requirements: n/a
Description of capabilities: This requirement focuses on reducing the amount of cardholder data stored and ensuring that stored
data is appropriately masked and encrypted. Encryption alone does not protect against malware that scrapes the unencrypted
cardholder data from memory. Traps prevents exploits and malware from launching malicious code that would try to compromise
encryption keys or cardholder data. If key management processes do break down, Traps provides an effective compensating
control for PCI DSS Section 3.6.

Requirement 4: Encrypt transmission of cardholder data across open, public networks
Supported sub-requirements: 4.1, 4.2
Description of capabilities: Standards-based IPsec VPNs are supported for secure site-to-site connectivity, while GlobalProtect
delivers secure remote access for individual users via either a TLS- or IPsec-protected connection. With its unique application,
user and content identification technologies, the Palo Alto Networks platform is also able to thoroughly and reliably control the
use of potentially risky end-user messaging technologies (e.g., email, instant messaging, and chat) down to the level of individual
functions (e.g., allow messages but disallow attachments and file transfers).

Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Supported sub-requirements: n/a
Description of capabilities: The Palo Alto Networks security platform includes advanced endpoint protection that provides a
much-needed complement to legacy antivirus solutions that are largely incapable of providing protection against unknown
malware, zero-day exploits, and advanced persistent threats (APTs).
Requirement 7: Restrict access to cardholder data by business need to know
Supported sub-requirements: 7.2, 7.2.1, 7.2.3
Description of capabilities: Granular, policy-based control over applications, users and content, regardless of the user’s device or
location, enables organizations to implement definitive, least-privileged access control that truly limits access to cardholder data
based on business “need to know,” with “deny all” for everything else. Tight integration with Active Directory and other identity
stores, plus support for role-based access control, enables enforcement of privileges assigned to individuals based on job
classification and function.

Requirement 8: Identify and authenticate access to system components
Supported sub-requirements: 8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6
Description of capabilities: Native capabilities and tight integration with Active Directory and other identity stores support a wide
range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive
accounts, lockout after a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset
and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens
and smart cards.

Requirement 10: Track and monitor all access to network resources and cardholder data
Supported sub-requirements: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4,
10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3
Description of capabilities: Palo Alto Networks Next-Generation Security Platform maintains extensive logs/audit trails for WildFire,
configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile matches.
The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the
ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and
information management systems, such as Splunk®).

Requirement 11: Regularly test security systems and processes
Supported sub-requirements: 11.4
Description of capabilities: Palo Alto Networks Next-Generation Security Platform fully inspects all allowed communication sessions
for threat identification and prevention. A single, unified threat engine delivers intrusion prevention, stream-based antivirus
prevention, and blocking of unapproved file types and data. The cloud-based WildFire engine extends these capabilities further by
identifying and working in conjunction with on-premise components to prevent unknown and targeted malware and exploits. The
net result is comprehensive protection from all types of threat in a single pass of traffic.
4401 Great America Parkway, Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
© 2017 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at http://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies. pci-compliance-with-network-segmentation-uc-061217