EXTREME NETWORKS SOLUTION BRIEF

PCI Compliance with Extreme Networks Products

PCI compliance has become a major concern for most companies that deal with credit card transactions, and this significantly impacts Extreme Networks customers. This brief is designed to show how products from Extreme Networks can help customers achieve PCI compliance. First, a few facts about PCI:

• The Payment Card Industry Data Security Standard (PCI DSS, usually just "PCI") is not a law and is not enforced by any government agency. It was created by the credit card industry and applies to any entity that has a merchant ID.

• PCI defines a set of 12 high-level security requirements that a merchant must meet in order to be PCI compliant.

• Achieving PCI compliance can only be done by hiring an approved scanning vendor (ASV) from a set of 40 such vendors (see: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php).

• Scans must be done every 90 days in order to remain in compliance.

• Merchants that are not PCI compliant, or that fall out of compliance, face fines levied by the credit card companies against the banks that the merchants deal with (and these fines are passed on to the merchant).

PCI Requirements

In order for a customer to remain PCI compliant, all 12 high-level PCI requirements must be met and verified by an approved scanning vendor. The following is a listing of each PCI requirement along with a brief description of how Extreme Networks products can apply:

1. Install and maintain a firewall configuration to protect cardholder data

This requirement primarily applies to dedicated firewall infrastructure, but because our wired and wireless systems implement a robust notion of network policy, our switches and access points can assist with this requirement. Further, defense in depth is an important concept in the security world, so having multiple layers of defense matters: if an existing firewall fails to properly protect a network, it is advantageous to have a second line of defense, and this can be provided by our Policy capabilities.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

In our products, users are required to supply admin passwords, so this generally meets the requirement. However, there are many other security settings for which a customer will need to provide strong, non-default values. These include SNMP community strings, non-admin account passwords, wireless network credentials, and more.

3. Protect stored cardholder data

This requirement does not generally apply to Extreme Networks products, because we don't make products that are used to store credit card data. Such products would include card processing systems, websites with attached database storage, and the like.

4. Encrypt transmission of cardholder data across open, public networks

Because Extreme Networks is not in the business of providing VPN or encryption implementations, this requirement does not apply to our products for the most part. A possible exception is our wireless gear, which commonly carries browser traffic that may contain cardholder data. In this case wireless encryption protocols become important from our perspective, even though such browser traffic is likely already protected with SSL/TLS. Wireless encryption options supported by our products include WEP, TKIP, WPA, WPA2, WPA-PSK, WPA2-PSK, and AES (CCMP). In general, the weaker options (WEP, TKIP, and WPA) should be avoided in favor of WPA2 with AES-CCMP. Note that a WPA2 network configured to allow both TKIP and AES for compatibility should be treated as a TKIP network, since any client may still negotiate TKIP.
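Requirements 2 and 4 above come down to checks a customer can automate against exported device configurations. The following is an added example (not code from the brief or from Extreme Networks products) that audits a constructed, vendor-neutral configuration excerpt for default SNMP community strings, default or weak account passwords, and SSIDs that still allow open, WEP, WPA1 or TKIP operation. The configuration syntax, the list of default secrets and the 12-character minimum are assumptions made for the example and should be adapted to the product's real syntax and documented defaults.

```python
"""Audit a network device configuration for PCI DSS requirement 2 and 4 issues.

Added example, not part of the Extreme Networks brief. The configuration
syntax below is a constructed, vendor-neutral stand-in; real devices differ,
so the patterns are what to adapt, not the exact keywords.
"""
import re
from dataclasses import dataclass

# Constructed sample configuration with several deliberate weaknesses.
SAMPLE_CONFIG = """\
hostname store-42-core
snmp community public ro
snmp community private rw
snmp community 7Gx!q9vLmT2p#Fw rw
user admin password admin
user ops password Zq8$k2Lw!p9vR4tX
user backup password ""
wlan guest security open
wlan pos security wpa2 cipher tkip aes
wlan office security wpa2 cipher aes
wlan legacy security wep key 1A2B3C4D5E
"""

# Factory defaults and trivially guessable values. An assumption for the
# example; extend it with the defaults documented for each product.
DEFAULT_SECRETS = {"", "public", "private", "admin", "password", "changeme", "default"}
WEAK_WLAN_MODES = {"open", "wep", "wpa"}   # "wpa" here means WPA version 1

@dataclass(frozen=True)
class Finding:
    requirement: int    # PCI DSS requirement number (2 or 4)
    line: str
    reason: str

def is_weak_secret(secret: str) -> bool:
    """Default, short (<12), or fewer-than-three-character-class secrets are weak."""
    if secret.lower() in DEFAULT_SECRETS or len(secret) < 12:
        return True
    classes = [re.search(p, secret) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")]
    return sum(1 for c in classes if c) < 3

def audit_config(config: str) -> list[Finding]:
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"snmp community (\S+)", line):
            if is_weak_secret(m.group(1)):
                findings.append(Finding(2, line, "weak or default SNMP community"))
        elif m := re.match(r'user (\S+) password (?:"([^"]*)"|(\S+))', line):
            secret = m.group(2) if m.group(2) is not None else m.group(3)
            if is_weak_secret(secret):
                findings.append(Finding(2, line, f"weak or default password for user {m.group(1)}"))
        elif m := re.match(r"wlan (\S+) security (\S+)(?: cipher ([\w ]+))?", line):
            ssid, mode, ciphers = m.group(1), m.group(2), (m.group(3) or "")
            if mode in WEAK_WLAN_MODES:
                findings.append(Finding(4, line, f"SSID {ssid} uses {mode}; use WPA2 with AES-CCMP"))
            elif "tkip" in ciphers.split():
                # Mixed TKIP/AES still lets a client negotiate TKIP.
                findings.append(Finding(4, line, f"SSID {ssid} permits TKIP; restrict ciphers to aes"))
    return findings

def findings_by_requirement(config: str) -> dict[int, int]:
    """Count findings per PCI requirement, useful as a quick pass/fail summary."""
    counts: dict[int, int] = {}
    for f in audit_config(config):
        counts[f.requirement] = counts.get(f.requirement, 0) + 1
    return counts

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[Req {f.requirement}] {f.reason}: {f.line}")
```

Run against the constructed excerpt, the audit reports four requirement 2 findings (both default communities, the admin user and the empty backup password) and three requirement 4 findings (the open guest SSID, the legacy WEP SSID, and the point-of-sale SSID that still permits TKIP), while the strong community string and the office SSID pass.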
5. Use regularly updated anti-virus software or programs

Although anti-virus (AV) software does not apply to Extreme Networks switching products, our NAC product can be used to enforce that client endpoint systems have updated anti-virus software installed. So, in this case we don't build products on which AV needs to be installed, but we build a product that can help a customer achieve the requirement for other systems in their network. The specific NAC functionality that supports this scenario is the endpoint assessment feature, which quarantines hosts that do not have current AV software installed.

6. Develop and maintain secure systems and applications

Of all the PCI requirements, this one is the most vague and the most onerous at the same time. When a customer tries to achieve PCI compliance, this requirement will likely force them to expend more effort than any of the others. To verify this requirement, an approved scanning vendor will use automated scanning software such as Nessus, Nexpose, or Qualys (and potentially manual techniques as well) to audit all systems and applications resident in the customer's network. This may well turn up vulnerability findings in Extreme Networks products, which we may have to mitigate through configuration or by providing a patch. In addition, in many cases negative findings in a set of scanning results are invalid but have to be addressed anyway. More material on this appears in the "Security Scans" section later in this document.

7. Restrict access to cardholder data by business need to know

Although this is not a requirement for which Extreme Networks products provide a direct solution, once again our policy capabilities may apply. For example, a customer may not have internal firewalls designed to maintain policy between the network segment where cardholder data exists and other parts of their network. In this scenario, if they have an Extreme Networks switch (or access point) in a position to apply policy, then they can likely meet the requirement. The key in this case is for the customer to understand and define "business need to know" and then map access restrictions to it.

8. Assign a unique ID to each person with computer access

This is another requirement that is largely independent of where Extreme Networks products apply. However, our NAC product can provide user accountability by mapping users to the devices they use on the network, so this may help a customer achieve the requirement.

9. Restrict physical access to cardholder data

This requirement largely deals with physical access control devices such as keycard readers, biometric door access, and the like. Therefore, although Extreme Networks products don't generally apply, once again our NAC product can help maintain an audit trail of user access by physical location. This information may help to satisfy the requirement in the eyes of an approved scanning vendor.

10. Track and monitor all access to network resources and cardholder data

This is a broad requirement where multiple Extreme Networks products can apply. For example, NAC can provide an audit trail of network access by physical location, our network IDS/IPS can detect malicious activity and also certain kinds of legitimate activity that are useful for tracking purposes, and even flow data produced by our switches can help a customer achieve this requirement.

11. Regularly test security systems and processes

PCI itself places a recurring 90-day scanning requirement on customers, but this requirement is likely independent of, and in addition to, that scan. That is, a customer should also deploy scanning software of their own in order to satisfy the requirement. Extreme Networks has encountered customers that do this, and we regularly respond to vulnerability findings that a customer may see in such results.

12. Maintain a policy that addresses information security for all personnel

This requirement is largely something that a customer needs to satisfy independently of Extreme Networks, but we can provide the infrastructure for enforcing such a policy. This can be accomplished through use of our switching (wired/wireless) infrastructure together with NAC and leveraging policy.

Security Scans

PCI requirement #6 mandates that customers maintain secure systems and applications. It is the verification of this requirement that necessitates a large effort on the part of an approved scanning vendor as they run a series of scans across a customer's network. The scanning results can be massive, and require many hours to analyze and validate. Throughout the scanning process a lot of subjectivity creeps into the results, and it is frequently the case that a finding is invalid for a given Extreme Networks product. In cases like this it is important that Extreme Networks be given the opportunity to negotiate with the approved scanning vendor on why a vulnerability finding may be invalid. For example, many scanners simply map vulnerabilities to version strings advertised in server banners and the like. But sometimes the vulnerable code is not even resident in the Extreme Networks product.
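The reconciliation step described above, as an added example that is not part of the brief: it reads a constructed scanner export, collapses duplicate reports of the same CVE on the same host, disputes findings that a (constructed) vendor not-affected statement covers, and assigns each remaining finding a response window using the CVSS bands stated in this brief's vulnerability response process. The hosts, release numbers, vendor statements and CVE identifiers are placeholders invented for the example, not real advisories, and treating a backported fix behind an unchanged banner as a false positive is an assumption of the example, not a statement about any Extreme Networks release.

```python
"""Triage ASV scanner findings against what a device actually ships.

Added example, not part of the Extreme Networks brief. The scanner export,
the device inventory and the vendor not-affected statements are all
constructed for illustration; the CVE identifiers are placeholders.
"""
import csv
import io
from dataclasses import dataclass

# Constructed scanner export in the CSV shape most scanners can produce.
# detection is "banner" when the scanner only matched a version string and
# "check" when it exercised the vulnerable behaviour directly.
SCAN_CSV = """\
host,cve,cvss,detection,evidence
10.20.5.1,CVE-0000-1001,7.5,banner,OpenSSH 7.4
10.20.5.1,CVE-0000-1001,7.5,banner,OpenSSH 7.4
10.20.5.1,CVE-0000-1002,9.8,banner,Linux kernel 4.9.12
10.20.5.1,CVE-0000-1003,5.3,check,HTTP TRACE enabled
10.20.5.2,CVE-0000-1004,10.0,check,SNMP community 'public'
10.20.5.2,CVE-0000-1005,3.1,banner,Dropbear 2017.75
"""

# Constructed vendor knowledge: CVEs whose vulnerable code is not compiled
# into the product (the stripped-kernel case) or whose fix a maintenance
# release already carries even though the advertised version is unchanged.
NOT_AFFECTED = {
    "CVE-0000-1001": "fix backported in release 8.1.3; banner version string unchanged",
    "CVE-0000-1002": "affected driver not compiled into the product kernel config",
}
INVENTORY = {"10.20.5.1": "8.1.3", "10.20.5.2": "8.1.3"}   # host -> firmware release

@dataclass(frozen=True)
class Triage:
    host: str
    cve: str
    cvss: float
    disposition: str   # "confirmed" or "false_positive"
    note: str

def response_days(cvss: float):
    """Notification window per the brief: 1 day at 10, 3 days at 7-9, one week
    at 4-6; lower scores go through the SQA/CR process (None). A fractional
    score such as 9.8 is placed in the 7-9 band here; the brief does not say
    how fractional scores are binned, so that is an assumption."""
    if cvss >= 10:
        return 1
    if cvss >= 7:
        return 3
    if cvss >= 4:
        return 7
    return None

def triage_findings(scan_csv: str) -> list[Triage]:
    seen = set()
    results = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        key = (row["host"], row["cve"])
        if key in seen:            # scanners often report one issue per port/plugin
            continue
        seen.add(key)
        cvss = float(row["cvss"])
        if row["cve"] in NOT_AFFECTED:
            # Disputed with the ASV, citing the vendor statement and the
            # release actually running on the host as evidence.
            note = (f"dispute with ASV: {NOT_AFFECTED[row['cve']]} "
                    f"(release {INVENTORY.get(row['host'], '?')})")
            results.append(Triage(row["host"], row["cve"], cvss, "false_positive", note))
            continue
        days = response_days(cvss)
        due = f"fix or mitigate within {days} day(s)" if days else "track via SQA/CR process"
        if row["detection"] == "banner":
            due += "; banner-only match, confirm on the device before accepting"
        results.append(Triage(row["host"], row["cve"], cvss, "confirmed", due))
    return results

def summary(scan_csv: str) -> dict[str, int]:
    """Count findings per disposition for the report sent back to the ASV."""
    counts: dict[str, int] = {}
    for t in triage_findings(scan_csv):
        counts[t.disposition] = counts.get(t.disposition, 0) + 1
    return counts

if __name__ == "__main__":
    for t in sorted(triage_findings(SCAN_CSV), key=lambda t: -t.cvss):
        print(f"{t.host} {t.cve} CVSS {t.cvss:<4} {t.disposition:<14} {t.note}")
```

On the constructed export the six rows collapse to five findings: two are disputed on the strength of the vendor statements, the default SNMP community is confirmed with a one-day window, the HTTP TRACE finding gets a week, and the low-scoring banner match is confirmed but flagged for on-device verification before it is accepted. Keeping the dispute text next to the evidence is what makes the later negotiation with the scanning vendor quick.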
One such case is when we build our own Linux kernel with a stripped-down kernel config file: many vulnerabilities that would otherwise have made it into the product are simply not there, despite what version the kernel appears to be to a scanner.

Beyond the examination of scanning results from an approved scanning vendor, another important aspect of the scanning cycle is that Extreme Networks conducts scans of our own products with industry scanners such as Nessus, Nexpose, and Qualys. We use these scanning results to gain insight into what an approved scanning vendor might see, and either proactively remediate issues with maintenance releases or patches, or anticipate false positives and understand why they are showing up. Further, many vulnerabilities are discovered by the security researcher community and reported to organizations like US-CERT. Extreme Networks then receives information about these vulnerabilities before the public at large, and this can help us fix security problems before they become a danger to our customer base. We tie US-CERT notifications into our vulnerability response process, which includes a rigorous set of response times for vulnerabilities based on severity. The severity of a vulnerability is defined by its CVSS score, an industry-standard measure of how serious a given vulnerability is. CVSS scores run from 0 to 10, with 10 being the highest severity. Our customer notification response times defined by the vulnerability response process are: 1 day for a CVSS score of 10, 3 days for a CVSS score from 7 to 9, one week for a CVSS score of 4 to 6, and low severity vulnerabilities are governed by SQA and the CR process.

Summary

PCI is a critical industry standard for many Extreme Networks customers, and we are likely to see a continued uptick in the need for real solutions in this area. Although there is no certification that Extreme Networks can acquire to prove that our products are PCI compliant, we can assist customers in deploying our technology in a manner that is PCI compliant. The benchmark for this is measuring Extreme Networks products against each of the twelve major PCI requirements. Given that PCI compliance can only be achieved by a customer with an approved scanning vendor, it is important for Extreme Networks to be adept at responding to scanning results, and fortunately we are already scanning our products internally in order to have a proactive view into the scanning process.

References

The most important sources of authoritative information about PCI are the PCI FAQ, the "Prioritized Approach to PCI", and the listing of Approved Scanning Vendors:

• PCI FAQ: https://www.pcicomplianceguide.org/pci-faqs-2/
• Prioritized Approach to PCI: https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3_.pdf
• PCI Approved Scanning Vendors: https://www.pcisecuritystandards.org/approved_companies_providers/approved_scanning_vendors.php
http://www.extremenetworks.com/contact
Phone +1-408-579-2800
©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc.
in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme Networks Trademarks
please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice. 9420-031531
WWW.EXTREMENETWORKS.COM