EXTREME NETWORKS SOLUTION BRIEF

PCI Compliance with Extreme Networks Products

PCI compliance has become a major concern for most companies that deal with credit card transactions, and this significantly impacts Extreme Networks customers. This whitepaper is designed to show how products from Extreme Networks can assist customers in achieving PCI compliance. First, a few facts about PCI:

• The Payment Card Security Standard (PCI) is not a law, and is not enforced by any government agency. It was created by the credit card industry, and applies to any entity that has a merchant ID.
• PCI defines a set of 12 high level security requirements that a merchant must meet in order to be PCI compliant.
• Achieving PCI compliance can only be done by hiring an approved scanning vendor from a set of 40 such vendors (see: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php).
• Scans must be done every 90 days in order to remain in compliance.
• Merchants that are not PCI compliant, or those that fall out of compliance, will face fines levied by the credit card companies against the banks that merchants deal with (and these fines are passed on to the merchant).

PCI Requirements

In order for a customer to remain PCI compliant, all 12 high level PCI requirements must be met and verified by an approved scanning vendor. The following is a listing of each PCI requirement along with a brief description of how Extreme Networks products can apply:

1. Install and maintain a firewall configuration to protect cardholder data

This requirement primarily applies to dedicated firewall infrastructure, but because our wired and wireless systems implement a robust notion of network policy, our switches and access points can assist with this requirement. Further, defense-in-depth is an important concept in the security world, so having multiple layers of defense is important. That is, if an existing firewall fails to properly protect a network, then it is advantageous to have a second line of defense. This can be provided by our Policy capabilities.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

In our products, users are required to supply admin passwords, so this generally meets the above requirement. However, there are many other security settings for which a customer will need to provide strong values. These include things such as SNMP community strings, non-admin account passwords, wireless network credentials, and more.

3. Protect stored cardholder data

This requirement does not generally apply to Extreme Networks products. The reason is that we don't have products that are used to store credit card data; such products would include card processing systems, websites with attached database storage, and the like.

4. Encrypt transmission of cardholder data across open, public networks

Because Extreme Networks is not in the business of providing VPN or encryption implementations, this requirement does not apply to our products for the most part. A possible exception might be our wireless gear, which is commonly used to carry browser communications that may contain cardholder data. In this case, wireless encryption protocols become important from our perspective even though such browser communications are likely already hardened with SSL/TLS. Wireless encryption protocols supported by our products include WEP, TKIP, WPA, WPA2, WPA-PSK, WPA2-PSK, and AES. In general, weaker protocols like WEP, TKIP, and WPA should be avoided in favor of stronger options such as WPA2-PSK.

5. Use regularly updated anti-virus software or programs

Although anti-virus (AV) software does not apply to Extreme Networks switching products, our NAC product can be used to enforce that client endpoint systems have updated anti-virus software installed. So, in this case we don't build products on which AV needs to be installed, but we build a product that can assist a customer to achieve the requirement for other systems in their network. The specific NAC functionality that supports this scenario is the endpoint assessment feature, which implements host quarantining if current AV software is not installed.

6. Develop and maintain secure systems and applications

Of all the PCI requirements, this one is the most vague and onerous at the same time. When a customer tries to achieve PCI compliance, this requirement will likely force them to expend more effort than any of the others. To meet this requirement, an approved scanning vendor will use automated scanning software (and potentially manual scanning techniques as well) such as Nessus, Nexpose, or Qualys to audit all systems and applications that are resident in the customer's network. This may well turn up vulnerability findings in Extreme Networks products which we may have to mitigate through configuration or by providing a patch. In addition, in many cases, negative findings in a set of scanning results may be invalid but have to be addressed anyway. More material on this appears in the "Security Scans" section later in this document.

7. Restrict access to cardholder data by business need to know

Although this requirement is not something for which Extreme Networks products provide direct solutions, once again our policy capabilities may apply. For example, a customer may not have internal firewalls that are designed to maintain policy between a network segment where cardholder data exists and other parts of their network. In this scenario, if they have an Extreme Networks switch (or Access Point) in a position to apply policy, then they can likely meet the requirement. The key in this case is for the customer to understand and define "business need to know" and then map access restrictions to this.

8. Assign a unique ID to each person with computer access

This is another requirement that is largely independent of where Extreme Networks products apply. However, our NAC product can provide user accountability by mapping users to devices used on the network, so this may help a customer achieve the requirement.

9. Restrict physical access to cardholder data

This requirement largely deals with physical access control devices such as keycard readers, biometric door access, and the like. Therefore, although Extreme Networks products don't generally apply, once again our NAC product can help maintain an audit trail of user access by physical location. This information may help to satisfy the requirement in the eyes of an approved scanning vendor.

10. Track and monitor all access to network resources and cardholder data

This is a broad requirement where multiple Extreme Networks products can apply. For example, NAC can provide an audit trail of network access by physical location, our network IDS/IPS can detect malicious activity and also certain kinds of legitimate activity that can be useful for tracking purposes, and even flow data produced by our switches can assist a customer to achieve this requirement.

11. Regularly test security systems and processes

PCI itself places a recurring 90-day scanning requirement on customers, but this requirement is likely independent of and in addition to that. That is, a customer should also deploy scanning software of their own in order to satisfy the requirement. Extreme Networks has encountered customers that do this, and we regularly respond to vulnerability findings that a customer may see in such results.

12. Maintain a policy that addresses information security for all personnel

This requirement is largely something that a customer needs to satisfy independently of Extreme Networks, but we can provide the actual infrastructure for maintaining such a policy. This can be accomplished through use of our switching (wired/wireless) infrastructure together with NAC and leveraging policy.

Security Scans

PCI requirement #6 mandates that customers maintain secure systems and applications. It is the verification of this requirement that necessitates a large effort on the part of an approved scanning vendor as they run a series of scans across a customer's network. The scanning results can be massive, and require many hours to analyze and validate. Throughout the scanning process there is a lot of subjectivity that creeps into scanning results, and it is frequently even the case that the scanning results may be invalid for a given Extreme Networks product. In cases like this, it is important that Extreme Networks be given the opportunity to negotiate with the approved scanning vendor on why a vulnerability finding may be invalid. For example, many scanners simply map vulnerabilities in products to version strings that are advertised in server banners and the like. But sometimes the vulnerable code is not even resident in the product from Extreme Networks, such as when we build our own Linux kernel with a stripped down kernel config file. In this case, many vulnerabilities that would otherwise have made it into the product are simply not there, despite what version the kernel appears to be to a scanner.

Beyond the examination of scanning results from an approved scanning vendor, another important aspect of the scanning cycle is that Extreme Networks conducts scans of our own products with industry scanners such as Nessus, Nexpose, and Qualys. We use these scanning results in order to gain insight into what an approved scanning vendor might see, and either proactively remediate issues with maintenance releases or patches to fix these problems, or anticipate false positives and understand why they are showing up. Further, many vulnerabilities are discovered by the security researcher community and reported to organizations like USCERT. Extreme Networks then receives information about these vulnerabilities before the public at large, and this can assist us to proactively fix security problems before they become a danger to our customer base. We tie USCERT notifications into our vulnerability response process, which includes a rigorous set of response times for vulnerabilities based on severity. The severity of a vulnerability is defined by the CVSS score, which is an industry standard measure for how serious a given vulnerability is. The CVSS scoring system goes from 1-10, with 10 being the highest severity vulnerability. Our customer notification response times defined by the vulnerability response process are: 1 day for a CVSS score of 10, 3 days for a CVSS score from 7-9, one week for a CVSS score of 4-6, and low severity vulnerabilities are governed by SQA and the CR process.

Summary

PCI is a critical industry standard for many Extreme Networks customers, and we are likely to see a continued uptick in the need for real solutions in this area. Although there is no certification that Extreme Networks can acquire in order to prove that our products are PCI compliant, we can assist customers in deploying our technology in a manner that is PCI compliant. The benchmark for this is measuring Extreme Networks products against each of the twelve major PCI requirements. Given that PCI compliance can only be achieved by a customer with an approved scanning vendor, it becomes important for Extreme Networks to be adept at responding to scanning results, and fortunately we are already scanning our products internally in order to have a proactive vision into the scanning process.

References

The most important sources for authoritative information about PCI are the PCI FAQ, the "Prioritized Approach to PCI", and the listing of Approved Scanning Vendors, as found below:

• PCI FAQ: https://www.pcicomplianceguide.org/pci-faqs-2/
• Prioritized Approach to PCI: https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3_.pdf
• PCI Approved Scanning Vendors: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php

http://www.extremenetworks.com/contact Phone +1-408-579-2800
©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice.
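The Security Scans section above describes why banner-based version matching produces findings that need negotiation: the scanner infers a vulnerability from a version string, but the vulnerable code may have been compiled out of the build or fixed by a backport without a version bump. The following is an added example, not code from the brief or from Extreme Networks, of how a vendor or customer security team can triage such findings against a build manifest before opening a dispute with the scanning vendor. Every finding, CVE identifier (the CVE-0000-000x values are placeholders), version string and config symbol below is constructed for illustration.

```python
"""Triage of version-banner scanner findings against a product build manifest.

Added example (not Extreme Networks code). All findings, CVE ids, config
symbols and version strings are constructed placeholders.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    cve: str
    component: str              # software the scanner fingerprinted
    version_seen: str           # version string the scanner read from a banner
    evidence: str               # "banner" (version inference) or "active" (the flaw was exercised)
    affected_subsystem: str = ""  # build-config symbol the CVE lives in, if known


@dataclass
class BuildManifest:
    """What actually shipped in a firmware image (constructed)."""
    component_versions: dict                          # component -> version string
    enabled_subsystems: set                           # config symbols compiled in
    backported_fixes: set = field(default_factory=set)  # CVEs fixed without a version bump


def triage(finding, manifest):
    """Return (verdict, reason). Verdicts: 'remediate', 'dispute', 'investigate'."""
    if finding.evidence == "active":
        # An active check exercised the flaw; the advertised version is irrelevant.
        return "remediate", "scanner exercised the flaw directly"
    if finding.component not in manifest.component_versions:
        # The scanner fingerprinted something the manifest does not list; confirm the banner first.
        return "investigate", f"{finding.component} is not in the build manifest; verify the banner"
    if finding.cve in manifest.backported_fixes:
        return "dispute", f"{finding.cve} fixed by backport; banner {finding.version_seen} is stale evidence"
    if finding.affected_subsystem and finding.affected_subsystem not in manifest.enabled_subsystems:
        # The stripped-down build never included the subsystem that carries the bug.
        return "dispute", f"{finding.affected_subsystem} is not compiled into this build"
    return "remediate", "version match with no evidence the code is absent or patched"


def triage_report(findings, manifest):
    """List of (host, cve, verdict, reason) for every finding."""
    return [(f.host, f.cve, *triage(f, manifest)) for f in findings]


# Constructed sample data: one image manifest and five scanner findings against it.
SAMPLE_MANIFEST = BuildManifest(
    component_versions={"linux-kernel": "3.10.0", "openssh": "6.6"},
    enabled_subsystems={"CONFIG_NET", "CONFIG_EXT4_FS"},
    backported_fixes={"CVE-0000-0002"},
)

SAMPLE_FINDINGS = [
    Finding("switch-1", "CVE-0000-0001", "linux-kernel", "3.10.0", "banner", "CONFIG_BLUETOOTH"),
    Finding("switch-1", "CVE-0000-0002", "openssh", "6.6", "banner"),
    Finding("switch-1", "CVE-0000-0003", "openssh", "6.6", "active"),
    Finding("switch-1", "CVE-0000-0004", "apache-httpd", "2.2", "banner"),
    Finding("switch-1", "CVE-0000-0005", "linux-kernel", "3.10.0", "banner", "CONFIG_NET"),
]


if __name__ == "__main__":
    for host, cve, verdict, reason in triage_report(SAMPLE_FINDINGS, SAMPLE_MANIFEST):
        print(f"{host} {cve}: {verdict:<11} {reason}")
```

Only banner-derived findings are eligible for a dispute; anything the scanner exercised directly goes straight to remediation, and a fingerprint the manifest cannot account for is flagged for investigation rather than dismissed. The verdict and reason are what a team would carry into the conversation with the approved scanning vendor.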