EXTREME NETWORKS SOLUTION BRIEF

PCI Compliance with Extreme Networks Switches

With security being a foremost concern for many customers of Extreme Networks, satisfying the requirements made by the PCI standard can help customers to not only maintain PCI compliance, but remain secure more generally. Although this whitepaper does not include an exhaustive treatment of all aspects of PCI requirements, the 12 high-level PCI requirements are listed below:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmissions of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

There are several features and capabilities built directly into Extreme Networks switches that can be used to build PCI-compliant networks. These capabilities include:

VLAN Segments

VLAN segmentation is a powerful technology that can be applied to networks that process cardholder data, and is used to build dedicated VLANs for such networks in order to maintain separation from other network segments. This assists with PCI requirements 1, 3, and 7.

Flow Data

A key aspect of PCI compliance is the need to track all access to network resources and cardholder data under requirement 10. Because Extreme switches can produce flow data for individual network connections and sessions, the export of this data can function as a source of information for tracking access to network resources. A comprehensive PCI compliance strategy should leverage this data as a contributing audit trail for PCI requirement 10.

Policy

PCI requirement 1 is explicit about the need for filtering infrastructure to protect cardholder data. Although this commonly implies the use of a firewall, the policy capabilities in Extreme Networks switches can play a contributing role here. Once a section of a network is designated as a place where cardholder data is processed, switch policies can be deployed for all networks that try to send network traffic through the cardholder network to ensure that inappropriate access is filtered to and from all networks. Any PCI compliance audit will establish whether such filtering policies are in place across not only dedicated firewall devices, but also within switching infrastructure.

802.1X User Authentication

Extreme switches support per-port 802.1X authentication for users, and this is an important feature to help track users as they try to gain access to network infrastructure. This feature helps to satisfy PCI requirements 7 and 8 whenever Extreme switches are powering networks in which cardholder data resides.

MACSEC

In the second half of 2015, many Extreme Networks switch models will support the MACSEC protocol to build strongly encrypted point-to-point links on Ethernet networks. Although most cardholder data is already encrypted during network transit by SSL/TLS, in some situations there may be an opportunity to use Extreme Networks switches to help satisfy PCI requirement 4 through the use of MACSEC.

Secure Shell (SSH)

An industry standard method for providing a secure encrypted administration interface to remote operating systems is Secure Shell (SSH). Extreme Networks switches support SSH for administrative functions, and enabling this is important to help satisfy PCI requirements 2 and 6. For requirement 2, an SSH client can be used to verify that easily guessable default passwords are not used on deployed Extreme switches. For requirement 6, any usage of a non-SSH administrative shell interface (such as telnet) would be considered insecure. Therefore, deploying SSH helps to achieve PCI compliance under requirement 6.

Strong Admin Passwords

PCI requirement 2 is explicit about the need to deploy strong non-default passwords for administrative functions. Although there is no feature that guarantees the usage of a strong password on a particular Extreme Networks switch, it is important that the local security policy mandate this for all deployed switches. Adherence to this policy is critical for satisfying PCI requirement 2.

Firmware Updates

Regular updates are made to Extreme switch firmware, and these updates sometimes fix security vulnerabilities or other problems. Keeping switches updated with the latest firmware helps to ensure that PCI requirement 6 is met. Extreme Networks is committed to providing timely firmware updates for our switching products, and this helps to give customers confidence in the security posture of networks they deploy.

http://www.extremenetworks.com/contact Phone +1-408-579-2800

©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice. 9570-051501