PCI Compliance with Extreme Networks Switches

EXTREME NETWORKS SOLUTION BRIEF

With security being a foremost concern for many customers of Extreme Networks, satisfying the requirements made by the PCI standard can help customers to not only maintain PCI compliance, but remain secure more generally. Although this whitepaper does not include an exhaustive treatment of all aspects of PCI requirements, the 12 high-level PCI requirements are listed below:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmissions of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need to know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for all personnel

There are several features and capabilities built directly into Extreme Networks switches that can be used to build PCI compliant networks. These capabilities include:

VLAN Segments

VLAN segmentation is a powerful technology that can be applied to networks that process cardholder data, and can be used to build dedicated VLANs for such networks in order to maintain separation from other network segments. This assists with PCI requirements 1, 3, and 7.

Flow Data

A key aspect of PCI compliance is the need to track all access to network resources and cardholder data under requirement 10. Because Extreme switches can produce flow data for individual network connections and sessions, the export of this data can function as a source of information for tracking access to network resources. A comprehensive PCI compliance strategy should leverage this data as a contributing audit trail for PCI requirement 10.

Policy

PCI requirement 1 is explicit about the need for filtering infrastructure to protect cardholder data. Although this commonly implies the use of a firewall, the policy capabilities in Extreme Networks switches can play a contributing role here. Once a section of a network is designated as a place where cardholder data is processed, switch policies can be deployed to ensure that inappropriate access is filtered to and from all networks that try to send network traffic through the cardholder network. Any PCI compliance audit will establish whether such filtering policies are in place across not only dedicated firewall devices, but also within switching infrastructure.

802.1X User Authentication

Extreme switches support per-port 802.1X authentication for users, and this is an important feature to help track users as they try to gain access to network infrastructure. This feature helps to satisfy PCI requirements 7 and 8 whenever Extreme switches are powering networks in which cardholder data resides.

MACSEC

In the second half of 2015, many Extreme Networks switch models will support the MACSEC protocol to build strongly encrypted point-to-point links on Ethernet networks. Although most cardholder data is already encrypted during network transit by SSL/TLS, in some situations there may be an opportunity to use Extreme Networks switches to help satisfy PCI requirement 4 through the use of MACSEC.

Secure Shell (SSH)

An industry standard method for providing a secure encrypted administration interface to remote operating systems is Secure Shell (SSH). Extreme Networks switches support SSH for administrative functions, and enabling this is important to help satisfy PCI requirements 2 and 6. For requirement 2, an SSH client can be used to verify that easily guessable default passwords are not used on deployed Extreme switches. For requirement 6, any usage of a non-SSH administrative shell interface (such as telnet) would be considered insecure. Therefore, deploying SSH helps to achieve PCI compliance under requirement 6.

Strong Admin Passwords

PCI requirement 2 is explicit about the need to deploy strong non-default passwords for administrative functions. Although there is no feature that guarantees the usage of a strong password on a particular Extreme Networks switch, it is important that the local security policy mandate this for all deployed switches. Adherence to this policy is critical for satisfying PCI requirement 2.

Firmware Updates

Regular updates are made to Extreme switch firmware, and these updates sometimes fix security vulnerabilities or other problems. Keeping switches updated with the latest firmware helps to ensure that PCI requirement 6 is met. Extreme Networks is committed to providing timely firmware updates for our switching products, and this helps to give customers confidence in the security posture of networks they deploy.

http://www.extremenetworks.com/contact
Phone +1-408-579-2800
©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc.
in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks
please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice. 9570-051501