
Self-Defending Network

Support for PCI

BRKSEC-2008

BRKSEC-2008
14327_04_2008_c2 © 2008 Cisco Systems, Inc. All rights reserved. Cisco Public 2

© 2006, Cisco Systems, Inc. All rights reserved. 1
Presentation_ID.scr
Session Description

This session discusses the Payment Card Industry (PCI) Data Security Standard and how the network can be used to help achieve PCI compliance.
We cover the remote location, e-commerce sites, the main campus, the data center, and network management for PCI, using the Cisco PCI Validated Architecture Solutions as the reference design.


Agenda

• Session Objectives
• Compliance and PCI Overview
• Applying the Network toward PCI Compliance
• Key Takeaways
• Q and A

Session Objectives

At the end of the session, you should be able to:
• Understand the 12 PCI requirements
• Know where PCI applies within your company
• Apply technologies to help achieve PCI compliance


PCI Defined and Updates

The PCI Data Security Standard

• Published January 2005; version 1.1 released September 7, 2006
• Impacts all who process, transmit or store cardholder data
• The PCI Security Standards Council maintains the standard and the certifications
  http://www.pcisecuritystandards.org

(Slide image: cover of the Payment Card Industry Data Security Standard, January 2005.)


PCI Industry Updates
• US Level 1 Merchants: deadline was September 30, 2007
  77% are compliant
  364 Level 1 merchants (38 were given a September 30, 2008 extension)
• US Level 2 Merchants: deadline was December 31, 2007
  62% are compliant
  1011 Level 2 merchants (302 were given a December 30, 2008 extension)
• Europe merchants: 2008 deadline
• Asia merchants: 2009 deadline
• US impact of non-compliance
  Level 1 merchants: $25,000 to $100,000 per month fine, increasing over time
  Level 2 merchants: $5,000 to $25,000 per month fine

Source: VISA, January 2008
PCI Standards Update
• New PCI Self-Assessment Questionnaires (SAQ) released: the single SAQ became four SAQs, so that more merchant types are covered
• PCI DSS version 1.2 coming October 2008
• Two Information Supplements released April 22, 2008:
  11.3 Penetration Testing
  6.6 Web Application Firewall (application code review and application firewalls)
• List of Qualified Security Assessors (QSA) continuously updated
• List of Approved Scanning Vendors (ASV) continuously updated


VISA PCI Categories: US Merchants

Level 1 Merchants
  Criteria: more than six million Visa/MasterCard/American Express/Discover transactions per year; or any merchant that has suffered a hack or an attack that resulted in an account data compromise
  Requirement: annual onsite PCI Data Security Assessment; quarterly network scan

Level 2 Merchants
  Criteria: one million to six million transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4 Merchants
  Criteria: fewer than 20,000 e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Source: http://usa.visa.com/merchants/risk_management/cisp_merchants.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Merchant%20Level#anchor_2
VISA PCI Categories: Canadian Merchants

Level 1 Merchants
  Criteria: more than six million Visa/MasterCard/American Express/Discover transactions per year; or any merchant that has suffered a hack or an attack that resulted in an account data compromise
  Requirement: annual onsite PCI Data Security Assessment; quarterly network scan

Level 2 Merchants
  Criteria: 150,000 to six million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to 150,000 e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4A Merchants
  Criteria: one million to six million transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4A Merchants (as labelled on the slide)
  Criteria: fewer than 20,000 e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Source: http://www.visa.ca/en/merchant/fraudprevention/ais/merchlevels.cfm

VISA PCI Categories: Europe Merchants

Level 1 Merchants
  Criteria: processed more than 6,000,000 Visa transactions per year; or compromised in the last year; or identified as Level 1 by another card brand
  Requirement: annual onsite PCI Data Security Assessment; quarterly network scan

Level 2 Merchants
  Criteria: one million to six million transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4 Merchants
  Criteria: fewer than 20,000 e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Source: VISA Europe, http://www.visaeurope.com/aboutvisa/security/ais/resourcesanddownloads.jsp
VISA PCI Categories: Latin America Merchants

Level 1 Merchants
  Criteria: high-risk merchants accounting for 80% of transaction volume (capable of storing credit card data); e-commerce merchants accounting for 80% of transaction volume; any merchant that has suffered a hack or an attack resulting in an account data compromise
  Requirement: annual onsite PCI Data Security Assessment; quarterly network scan

Level 2 Merchants
  Criteria: high-risk merchants with the remaining 20% of transaction volume; e-commerce merchants with the remaining 20% of transaction volume
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Source: VISA AIS Program, http://www.visalatam.com/e_merchant/ais3.jsp

VISA PCI Categories: AsiaPac Merchants

Level 1 Merchants
  Criteria: processed more than 6,000,000 Visa transactions per year
  Requirement: annual onsite PCI Data Security Assessment; quarterly network scan

Level 2 Merchants
  Criteria: one million to six million transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 3 Merchants
  Criteria: 20,000 to one million e-commerce transactions per year
  Requirement: quarterly network scan; annual self-assessment

Level 4 Merchants
  Criteria: fewer than 20,000 e-commerce transactions and fewer than one million transactions regardless of channel
  Requirement: quarterly network scan; annual self-assessment

Source: VISA, http://www.visa-asia.com/ap/au/merchants/riskmgmt/ais_how.shtml
VISA PCI Categories: US, Europe and Canada Service Providers

Level 1 Service Providers
  Criteria: all VisaNet processors (member and nonmember) and all payment gateways
  Requirement: annual onsite PCI Data Security Assessment; quarterly network scan

Level 2 Service Providers
  Criteria: any service provider not in Level 1 that stores, processes, or transmits more than 1,000,000 Visa accounts/transactions annually
  Requirement: annual onsite PCI Data Security Assessment; quarterly network scan

Level 3 Service Providers
  Criteria: any service provider not in Level 1 that stores, processes, or transmits fewer than 1,000,000 Visa accounts/transactions annually
  Requirement: quarterly network scan; annual self-assessment

Source: VISA, http://usa.visa.com/merchants/risk_management/cisp_service_providers.html?it=c|/merchants/risk_management/cisp.html|Defining%20Your%20Service%20Provider%20Level#anchor_3

The Payment Card Industry (PCI) Data Security Standard

Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data
  3. Protect stored data
  4. Encrypt transmission of cardholder data and sensitive information across public networks

Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software
  6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures
  7. Restrict access to data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes

Maintain an Information Security Policy
  12. Maintain a policy that addresses information security

Applying Self-Defending Network to PCI


Cisco PCI Validated Architectures
Cisco Validated Design includes:
• Recommended architectures for networks, payment data at rest and data in transit
• Testing in a simulated retail enterprise that includes POS terminals, application servers, wireless devices, an Internet connection and security systems
• Configuration, monitoring, and authentication management systems
• Architectural design guidance and audit review provided by PCI audit and remediation partners

(Slide shows the Validated Design for a Small Retail Store, with logos of the PCI audit partner and the retail solution partners.)

PCI Solution for Retail: End-to-End Architecture

(Diagram with three zones. Retail Store: Cisco Integrated Services Router, Cisco Catalyst switch, Cisco Aironet wireless LAN access point, POS server, POS, electronic cash register, desktop PCs and laptops, payment devices, mobile payments. Data Center, reached over the WAN through IPsec VPN: WAN aggregation routers, Catalyst core switches, service aggregation Catalyst switches with service modules, server access, and storage with MDS 9000 SAN switches, disk arrays and tape storage; servers for authentication, POS transaction monitoring, key management, security management, system management, network management, database and network services. Internet Edge: edge routers, Adaptive Security Appliances, a DMZ with web application firewall and web servers, and VPN termination for remote teleworkers, customers and partners.)

Data Center Architecture Overview
• WAN Routers
  Security services and QoS limit the WAN traffic coming in from the business network
  If the WAN connects to a public network, Virtual Private Network encryption is required
  IPsec tunnels encrypt traffic to the store routers
• Core Switches
  High-speed switching and segmentation between the other layers
• Service Aggregation Switches
  Application services include quality of service, content filtering, and load balancing
  Security services include access control, firewall, and intrusion prevention

(Diagram: data center layers from WAN aggregation (store WAN routers) through Catalyst core switches and service aggregation switches with service modules to server access and storage: MDS 9000 SAN switches, disk arrays, tape storage, and servers for authentication, POS transaction monitoring, key management, security management, system management, network management, database and network services.)
PCI Solution: Internet Edge / e-Commerce Network
• Edge Routers
  Access lists limit the traffic allowed in from the Internet
  Only IPsec and secure web traffic is allowed in from the Internet
• Service Aggregation Switches
  Application services include quality of service, content filtering, and load balancing
  Security services include access control, firewall, and intrusion prevention
• De-Militarized Zone (DMZ)
  Creates a limited-access zone
  Connects web servers and e-commerce application servers
• Virtual Private Network (VPN)
  Terminates IPsec tunnels from employee, partner or store routers

(Diagram: Internet (customers, e-commerce, teleworkers, partners, employees, store backup) to edge routers, outside, Catalyst service aggregation switches with service modules, a DMZ with Catalyst switches, Adaptive Security Appliances for VPN, ACE XML Gateway, external web servers and a web application server, then inside to the data center core Catalyst switches.)

PCI Solution for Retail: Store Components
• Cisco Integrated Services Router
  Security services limit the traffic allowed in and out of the store network
  Routing, QoS and filtering of business data flows
• Cisco Catalyst LAN Switches
  Segmentation, quality of service
• Aironet Wireless Access Points
  Connect wireless clients to the store network
  Security and identity services enforce central policy for encryption and authentication
• Business Servers and Hosts
  Cisco Security Agent enforces file access and host firewall policy
  RSA file and database security management encrypts stored data
  RSA Key Manager enforces key management policy

(Diagram: store with ISR, Catalyst LAN switch, Aironet access point, POS server, POS, electronic cash register, desktop PCs and laptops, payment devices, mobile payments, and mobile POS and pricing devices.)

PCI Solution: Remote Location, Small Store

(Diagram: one Cisco Integrated Services Router running Cisco IOS Security with an integrated Ethernet switch and a Cisco 802.11a/g WLAN access point, with primary and alternate WAN connections back to the centralized management servers (Wireless Controllers, Security Manager, MARS, ACS, WCS). The store is split into a PoS VLAN/WVLAN (mobile POS, POS cash register, POS server with CSA) and a data VLAN/WVLAN (store worker PC, inventory management).)


PCI Solution: Remote Location, Medium Store

(Diagram: two Cisco ISRs with IOS Security, one with an integrated Wireless LAN Controller; Catalyst switches with Power over Ethernet; a management VLAN; Cisco 802.11a/b/g WLAN access points. Primary and alternate WAN connections lead to the centralized management servers (Security Manager, MARS, ACS, WCS). Segments: PoS VLAN/WVLAN (mobile POS, POS with CSA, POS server), data VLAN/WVLAN (store worker PC, inventory management), and a vendor/guest WVLAN for personal shopper/PDA devices used for customer service and partner devices for inventory management.)

PCI Solution: Remote Location, Large Store

(Diagram: Cisco ISRs with IOS Security, wireless controllers, Catalyst distribution and access switches, a management VLAN, and Cisco 802.11a/b/g WLAN access points. Primary and alternate WAN connections lead to the centralized management servers (Security Manager, MARS, ACS, WCS). Segments: PoS VLAN/WVLAN (mobile POS, POS, POS server with CSA), store data VLAN and WVLAN (worker PC, inventory management), and a vendor/guest WVLAN (personal shopper/PDA for customer service, vendor device for inventory management).)

Network Environment Blueprint

(Diagram of the reference environment used on the following requirement slides. Remote Location: POS, mobile POS, POS server, cash register, store worker PC and wireless device, all with CSA; wireless access point; ISR to the WAN. Internet Edge: 7300 routers, ASA, Cisco IPS, AXG, e-commerce servers with CSA. Main Office: ASA, Catalyst 6500 switch, wireless access point, switch, hosts with CSA. Data Center: ASA, AXG, credit card storage, servers with CSA. Network Management Center: ACS, CSM, NAC, IronPort, NCM/CAS, CS-MARS.)

Cisco Security Manager (CSM)
Topology-Centric View


PCI Requirement 1
Install and Maintain a Firewall Configuration to Protect Data
• Configuration standards and documentation (current network diagram, business justification for every permitted port and protocol, periodic rule-set review)
• Segment cardholder data from all other data
• Firewall every public connection, inbound and outbound
• Wireless: firewall between any wireless network and the cardholder data environment
• Personal firewall on mobile and employee-owned computers that connect directly to the Internet

Requirement 1: Install and Maintain a Firewall Configuration to Protect Data

(Network environment blueprint highlighting where Requirement 1 applies: in the store the POS VLAN is segmented from the data VLAN behind the ISR, ASAs sit at the Internet edge, the main office and the data center, and a dedicated VLAN is marked in the data center for the credit card storage.)


For Your Reference: CSM Firewall Configuration (screenshot)

For Your Reference: CSM Global Firewall Configuration (screenshot)


ASA: Inspection Rules

Network Compliance Manager (NCM)
Requirement 1 Status


PCI Requirement 2
Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
• Change vendor-supplied defaults before a system is placed on the network
• Wireless: change the wireless vendor defaults (keys, passwords, SNMP community strings), disable SSID broadcasts, use WPA/WPA2
• Configuration standards for all system components
• Implement one primary function per server
• Disable all unnecessary and insecure services and protocols
• Encrypt all non-console administrative access (SSH, HTTPS or VPN instead of Telnet and HTTP)

Requirement 2: Do Not Use Vendor-Supplied Defaults for System Settings

(Network environment blueprint highlighting where Requirement 2 applies: every network device and host in the store, Internet edge, main office, data center and management center.)


PCI Requirement 2.1 for Wireless
• Verify that the Cisco Wireless LAN Controller (WLC) is configured for administrative restriction and AAA authentication of administrative users (the default)
• Verify that no default SSID is enabled on the WLC
• Disable or remove the default SNMP community strings "public" and "private"
  Create new community strings
  Verify that the default community strings are no longer accessible
• Configure the administrative user either via the initial controller setup script or via the CLI
• Configure the wireless system for WPA (preferably WPA2) authentication
• Disable SSID broadcast
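Checks like the ones above, and the Requirement 1 items two slides back, can be scripted against exported configurations instead of read by eye. The following Python example is added here and is neither Cisco NCM code nor configuration from this session: it parses an IOS-style configuration (a constructed store ISR with an autonomous access point, with violations planted on purpose) and reports default SNMP community strings, cleartext HTTP and Telnet management, unencrypted passwords, SSID broadcast (IOS `guest-mode`) and missing WPA key management, routed interfaces without an access-group, and access lists that do not end in an explicit logged deny. The sub-requirement numbers attached to the findings are my mapping to PCI DSS v1.1 and should be checked against the version you are assessed under; the WLC itself uses a different CLI, so this covers the IOS side only.

```python
"""Audit an IOS-style configuration for PCI DSS Requirement 1 and 2 items.

Added example, not Cisco NCM output. SAMPLE_CONFIG is constructed and
deliberately contains several violations so the audit has something to find.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname store-isr-42
enable password cisco123
snmp-server community public RO
snmp-server community St0re-R0-Only RO
ip http server
ip access-list extended POS-IN
 permit tcp 10.42.10.0 0.0.0.255 host 10.1.1.20 eq 443
 permit udp 10.42.10.0 0.0.0.255 host 10.1.1.53 eq 53
ip access-list extended DATA-IN
 permit ip 10.42.20.0 0.0.0.255 any
 deny ip any any log
interface Vlan10
 description POS VLAN (cardholder data)
 ip address 10.42.10.1 255.255.255.0
 ip access-group POS-IN in
interface Vlan20
 description Store data VLAN
 ip address 10.42.20.1 255.255.255.0
dot11 ssid POS-WLAN
 authentication key-management wpa version 2
 guest-mode
line vty 0 4
 transport input telnet ssh
"""

DEFAULT_COMMUNITIES = {"public", "private"}


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level line, [indented child lines]) pairs, in order."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                      # blank lines and IOS comments
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit_config(config: str) -> List[Tuple[str, str]]:
    """Return (requirement, finding) pairs for every violation detected."""
    findings: List[Tuple[str, str]] = []
    blocks = parse_blocks(config)
    top = {header for header, _ in blocks}
    acls: Dict[str, List[str]] = {}

    # Req 2.1: vendor defaults, here the SNMP community strings.
    for header, _ in blocks:
        m = re.match(r"snmp-server community (\S+)", header)
        if m and m.group(1).lower() in DEFAULT_COMMUNITIES:
            findings.append(("2.1", f"default SNMP community string '{m.group(1)}' still configured"))

    # Req 2.2.2 / 2.3: insecure services and cleartext administrative access.
    if "ip http server" in top:
        findings.append(("2.3", "cleartext HTTP management (ip http server) enabled"))
    if "service password-encryption" not in top:
        findings.append(("2.2.2", "service password-encryption missing: line passwords stored in cleartext"))
    if any(h.startswith("enable password ") for h in top):
        findings.append(("2.2.2", "enable password used instead of enable secret"))

    for header, children in blocks:
        if header.startswith("line vty"):
            transports = [c.split()[2:] for c in children if c.startswith("transport input")]
            if not transports or any(t != ["ssh"] for t in transports):
                findings.append(("2.3", f"{header}: transport input is not restricted to ssh"))
        if header.startswith("dot11 ssid"):          # autonomous AP SSID block
            if "guest-mode" in children:              # guest-mode = SSID included in beacons
                findings.append(("2.1", f"{header}: SSID broadcast (guest-mode) enabled"))
            if not any(c.startswith("authentication key-management wpa") for c in children):
                findings.append(("2.1", f"{header}: WPA key management not configured"))
        if header.startswith("ip access-list extended"):
            acls[header.split()[-1]] = children
        # Req 1.2: every routed interface carries an access policy.
        if header.startswith("interface") and any(c.startswith("ip address") for c in children):
            if not any(c.startswith("ip access-group") for c in children):
                findings.append(("1.2", f"{header}: routed interface without an access-group"))

    # Req 1.2.1: ACLs end with an explicit, logged deny so that drops are auditable.
    for name, entries in acls.items():
        if not entries or entries[-1] != "deny ip any any log":
            findings.append(("1.2.1", f"access-list {name}: no explicit 'deny ip any any log' at the end"))
    return findings


if __name__ == "__main__":
    for req, msg in audit_config(SAMPLE_CONFIG):
        print(f"Req {req}: {msg}")
```

Run against the sample it reports eight findings; `DATA-IN` and `Vlan10` are the compliant controls and produce none. Pointing `audit_config` at a real `show running-config` export is the intended use; add checks the same way, one `(requirement, message)` per control.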

For Your Reference: Cisco Wireless Configuration (screenshot)


PCI Requirement 3
Protect Stored Data
• Keep cardholder data storage to a minimum; retain only what business, legal or regulatory needs require
• Do not store, even encrypted, the full contents of any track from the magnetic stripe (also called full track, track, track 1, track 2 or magnetic stripe data), the card-validation code or value (the three- or four-digit number printed on the card), or the PIN or encrypted PIN block after authorization
• Mask the PAN when displayed (first six and last four digits are the most that may be shown) and render it unreadable anywhere it is stored: strong one-way hashes (hashed indexes), truncation, index tokens and pads, or strong cryptography with associated key management; if disk encryption is used, logical access must be managed independently of native operating system access control
• Document and implement key management processes (key generation, secure distribution and storage, periodic rotation, retirement of old or compromised keys, split knowledge and dual control)

Requirement 3: Protect Stored Data

(Network environment blueprint highlighting where Requirement 3 applies: the POS server and hosts with CSA in the store, the e-commerce servers, and the credit card storage in the data center.)


Protect Stored Data: From What?

• Cisco Security Agent (CSA) protects against:
  Copying cardholder information to removable media (USB sticks, CD-ROMs, etc.)
  Copying cardholder information into different file formats
  Printing cardholder information
  Saving cardholder information to a local machine
• Plus the usual worm/virus protection (think e-commerce)

For Your Reference: CSA Information Protection Creation (screenshot)


For Your Reference: CSA Action Rule (screenshot)

PCI Requirement 4
Encrypt Transmission of Cardholder Data Across Open, Public Networks
• Use SSL/TLS or IPsec; WPA/WPA2 for wireless; never rely on WEP alone
• If WEP is used:
  Use a minimum 104-bit encryption key and 24-bit initialization vector
  Use only in conjunction with WPA/WPA2, VPN or SSL/TLS
  Rotate shared WEP keys quarterly (or automatically if the technology permits) and whenever personnel change
  Restrict access based on MAC address
  Caveat: WEP keys can be recovered from captured traffic in minutes regardless of key length, and MAC filtering is trivially spoofed, so WEP adds no real protection; PCI DSS 1.2 later prohibited new WEP deployments after March 31, 2009 and all WEP use after June 30, 2010
• Never send unencrypted PANs by e-mail


Requirement 4: Encrypt Transmission of Cardholder Data Across Public Networks

(Network environment blueprint highlighting where Requirement 4 applies: the WAN and Internet links between the store ISR, the Internet edge, the main office and the data center, the wireless access points, and the IronPort e-mail gateway.)

GET VPN: Tunnel-less VPNs, A New Security Model

IPsec point-to-point tunnels:
• Scalability is an issue (the N^2 problem)
• Overlay routing
• Any-to-any instant connectivity cannot be done at scale
• Limited advanced QoS
• Multicast replication is inefficient

Tunnel-less VPN (GET VPN):
• Data is encrypted without the need for a tunnel overlay: scalable any-to-any
• Routing, multicast and QoS integration is optimal (native routing)
• Encryption can be managed by either subscribers or service providers
• Customized, per-application encryption

(Diagram: the same WAN carrying IPsec point-to-point tunnels on the left and tunnel-less, multicast-capable encrypted traffic on the right.)

IronPort: PCI Compliance over Email
Automatic Detection and Encryption of Credit Card Information
• Comprehensive scanning for cardholder information
• Integrated encryption and remediation
• Auditable reporting

Flow: users, outbound mail, IronPort Email Security Appliance, Internet

Comprehensive detection:
  • Credit card smart identifier
  • Preloaded PCI lexicon dictionary
  • Embedded attachment scanning
Integrated remediation:
  • Universal message encryption
  • Quarantine and archive capabilities
  • Notifications
  • Reporting

"IronPort meets PCI compliance requirements in an easy to administer, transparent manner."
  Brian Burke, Director, Secure Content, IDC

"IronPort has provided customers with an easy to deploy, use, and manage PCI compliance solution for email."
  Barry Johnson, Director, Risk Mitigation, IGXGlobal
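What a "credit card smart identifier" has to do on outbound mail, and what Requirement 3.3/3.4 ask for on the storage side, fit in a few functions. The following Python example is added here and is neither IronPort nor Cisco code: it finds candidate PANs in text, confirms them with the Luhn check digit so order and phone numbers are not flagged, masks them to first six/last four for display, truncates them for storage, and builds a keyed-hash index instead of a plain hash. The mail text and the HMAC key are constructed; the two card numbers are the standard publicly documented test numbers.

```python
"""Find, mask and index primary account numbers (PANs) in free text.

Added example for PCI DSS Requirement 3 (mask displayed PANs, render stored
PANs unreadable) and for outbound-mail scanning. Sample text and key are constructed.
"""
import hashlib
import hmac
import re
from typing import List

# Candidate: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not glued to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; weeds out most false positives."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _digits_if_pan(candidate: str) -> str:
    """Strip separators; return the digits only if the candidate is a plausible PAN."""
    digits = re.sub(r"[ -]", "", candidate)
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else ""


def find_pans(text: str) -> List[str]:
    """Every Luhn-valid PAN in text, digits only, in order of appearance."""
    return [d for d in (_digits_if_pan(m.group()) for m in PAN_CANDIDATE.finditer(text)) if d]


def mask_pan(pan: str) -> str:
    """First six and last four digits: the most Requirement 3.3 permits on a display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Truncation for storage when the full PAN is not needed: keep the last four only."""
    return pan[-4:]


def pan_index(pan: str, key: bytes) -> str:
    """Keyed hash usable as a lookup index (Requirement 3.4 'hashed indexes').

    A plain SHA-256 of a PAN is brute-forceable: the 6-digit BIN is public and the
    last digit is a check digit, leaving about 10^9 candidates for a 16-digit PAN.
    An HMAC under a key managed per Requirement 3.5/3.6 removes that attack."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def redact(text: str) -> str:
    """Replace every PAN in text by its masked form, as a mail gateway would before delivery."""
    def _sub(m: "re.Match[str]") -> str:
        digits = _digits_if_pan(m.group())
        return mask_pan(digits) if digits else m.group()
    return PAN_CANDIDATE.sub(_sub, text)


# Constructed outbound message: a Visa test number, an Amex test number with hyphens,
# and a 16-digit order reference that fails the Luhn check and must be left alone.
SAMPLE_MAIL = (
    "Customer card 4111 1111 1111 1111 declined, retry with 3782-822463-10005.\n"
    "Order reference 1234567890123456, ticket 555-0100."
)

if __name__ == "__main__":
    print(find_pans(SAMPLE_MAIL))
    print(redact(SAMPLE_MAIL))
    print(pan_index("4111111111111111", b"constructed-demo-key"))
```

The Luhn filter is what separates a usable identifier from one that quarantines every invoice: the 16-digit order reference in the sample passes the regex but fails the check digit and is left untouched, while both real test numbers are masked.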

For Your Reference: NCM Requirement 4 Status (screenshot)


For Your Reference: Cisco Wireless Configuration (screenshot)

PCI Requirement 5
Use and Regularly Update Anti-Virus Software or Programs
• Deploy anti-virus software on all systems commonly affected by viruses
• AV programs must be capable of detecting, removing, and protecting against all forms of malicious software, including spyware and adware
• Ensure that all AV mechanisms are current, actively running, and capable of generating audit logs


Requirement 5: Use and Regularly Update Anti-Virus Software

(Network environment blueprint highlighting where Requirement 5 applies: the CSA-protected hosts in the store, main office, e-commerce and data center, NAC in the management center, and the IronPort e-mail gateway.)

For Your Reference: NAC Manager (screenshot)


For Your Reference: Adding a NAC A/V Rule (screenshot)

For Your Reference: NAC Rule List (screenshot)


NAC A/V Update

IronPort A/V: Industry-Leading Defense-in-Depth Solution
Preventive defense (IronPort Virus Outbreak Filters) plus reactive defenses (McAfee and Sophos anti-virus signatures)
• Ease of deployment and zero management
• Automatic updates
• Email security: email is the highest-volume virus transmission medium

PCI Requirement 6
Develop and Maintain Secure Systems and Applications
• Ensure all systems and software have the latest vendor-supplied security patches installed; install relevant security patches within one month of release
• Establish a process to identify newly discovered security vulnerabilities (subscribe to alert services, etc.)
• Develop software applications based on industry best practices and incorporate security throughout the software development life cycle
• Develop web applications based on secure coding guidelines such as the Open Web Application Security Project (OWASP) guide
• Ensure web-facing applications are protected against known attacks, either by installing an application-layer firewall in front of them or by having the application code reviewed by an organization that specializes in application security (Requirement 6.6, a best practice until June 30, 2008, after which it becomes a requirement)

Requirement 6: Develop and Maintain Secure Systems and Applications

(Network environment blueprint highlighting where Requirement 6 applies: the AXG application firewalls in front of the e-commerce servers at the Internet edge and in the data center, and the CSA-protected application hosts.)


For Your Reference: OWASP's 2007 Top Ten (screenshot)

Cisco Application Control Engine (ACE) XML Gateway
AXG in Action: Blocking XSS Attacks
1. Define the hosts to protect
2. Define policies per host; here we validate GET and POST parameters
(Screenshots of the AXG policy editor.)


AXG in Action: Blocking XSS Attacks (continued)
3. Define the acceptable range for each GET or POST query parameter
4. Attack detected and blocked
(Screenshots of the AXG policy editor and event log.)

AXG in Action: Blocking XSS Attacks (continued)
5. Alternatively, use a blacklist approach with Cisco-verified signatures
(Screenshot of the signature selection.)
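The two approaches on these slides differ in what slips through, and that is worth seeing on real requests. The following Python example is added here and is not AXG code; the host, paths, parameter rules, signatures and attack strings are all constructed. It implements a positive model (per-parameter acceptable ranges, unknown parameters rejected) beside a signature blacklist, then runs a double-URL-encoded `<script>` payload that passes a blacklist matched against the singly-decoded query, and an SVG `onbegin` event-handler payload that the blacklist does not know at all. The positive model rejects both for the plain reason that `<` and `%` are outside the characters a search term is allowed to contain.

```python
"""Positive-model (whitelist) versus signature (blacklist) request validation for XSS.

Added example, not Cisco AXG code. Policy, signatures and attack strings are constructed.
"""
import html
import re
from typing import Dict, Optional, Pattern, Tuple
from urllib.parse import parse_qs, unquote_plus

# Positive model: one rule per (host, path, parameter). Anything not listed is rejected.
POLICY: Dict[Tuple[str, str], Dict[str, Pattern[str]]] = {
    ("shop.example.com", "/search"): {
        "q": re.compile(r"^[\w .\-]{1,64}$"),      # free text, but no markup characters
        "page": re.compile(r"^\d{1,3}$"),
    },
    ("shop.example.com", "/checkout"): {
        "qty": re.compile(r"^[1-9]\d{0,2}$"),
        "zip": re.compile(r"^\d{5}(-\d{4})?$"),
    },
}

# Negative model: a short signature list of the kind a blacklist ships with.
XSS_SIGNATURES = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"on(load|error|click|mouseover)\s*=", re.I),
]


def normalize(value: str) -> str:
    """Undo one more layer of URL encoding plus HTML entities before matching signatures.

    parse_qs already decodes once; a double-encoded payload survives that and is
    only visible after this second decode, which is how naive blacklists get bypassed."""
    return html.unescape(unquote_plus(value))


def check_positive(host: str, path: str, query: str) -> Optional[str]:
    """None if every parameter matches its acceptable range, else the reason it was blocked."""
    rules = POLICY.get((host, path))
    if rules is None:
        return f"no policy for {host}{path}"
    for name, values in parse_qs(query, keep_blank_values=True).items():
        rule = rules.get(name)
        if rule is None:
            return f"unknown parameter '{name}'"
        for v in values:
            if not rule.match(v):
                return f"parameter '{name}' outside acceptable range"
    return None


def check_negative(query: str, decode: bool = True) -> Optional[str]:
    """Signature match over each parameter, on the singly-decoded value (decode=False)
    or on the fully normalized value (decode=True)."""
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            probe = normalize(v) if decode else v
            for sig in XSS_SIGNATURES:
                if sig.search(probe):
                    return f"signature {sig.pattern!r} in '{name}'"
    return None


if __name__ == "__main__":
    host, path = "shop.example.com", "/search"
    # Constructed requests: benign, classic XSS, double-encoded XSS, SVG event handler.
    for q in ("q=blue+shoes&page=2",
              "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
              "q=%253Cscript%253Ealert(1)%253C%252Fscript%253E",
              "q=%3Csvg%3E%3Canimate+onbegin%3Dalert(1)%3E"):
        print(q)
        print("  positive :", check_positive(host, path, q))
        print("  blacklist:", check_negative(q, decode=False))
        print("  normalized blacklist:", check_negative(q))
```

Normalization rescues the blacklist against double encoding but not against the `onbegin` payload, which is simply absent from the signature list; the positive model needs no knowledge of the attack because it only knows what a valid search term looks like. The cost is the policy: every parameter on every protected host must be enumerated, which is exactly step 3 on the slide.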


PCI Requirement 7
Restrict Access to Cardholder Data by Business Need-to-Know
• Limit access to computing resources and cardholder information to those individuals whose job requires such access
• Establish a mechanism for systems with multiple users that restricts access based on a user's need to know and is set to "deny all" unless specifically allowed

Requirement 7: Restrict Access to Data by Business Need-to-Know

(Network environment blueprint highlighting where Requirement 7 applies: the CSA-protected POS server and hosts, the credit card storage in the data center, and ACS and NAC in the management center.)


For Your Reference: CSA Action Rule (screenshot)

For Your Reference: What the User Sees When Attempting to Save a Change (CSA prompt, screenshot)


For Your Reference: CSA Manager Event Log (screenshot)

PCI Requirement 8
Assign a Unique ID to Each Person with Computer Access
• Identify all users with a unique user name before allowing access to system components or cardholder data
• In addition, employ at least one method of authentication (password, token devices [SecurID, certificates, or public key], biometrics)
• Implement two-factor authentication for remote access to the network
• Encrypt all passwords during transmission and storage
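The last three bullets in working form, as an added example that is not code from this deck or from Cisco ACS. It keeps one salted PBKDF2-HMAC-SHA256 digest per unique user ID, verifies with a constant-time comparison, and locks the ID after a fixed number of failed attempts (the six-attempt ceiling is PCI DSS 8.5.13; the `CredentialStore` class, the iteration count and the sample user are this example's own assumptions):

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000        # PBKDF2 work factor; an assumption for the example
LOCKOUT_THRESHOLD = 6       # PCI DSS 8.5.13: lock the ID after at most six failures


@dataclass
class Credential:
    salt: bytes                 # 16 random bytes, unique per user
    digest: bytes               # PBKDF2-HMAC-SHA256(password, salt)
    failed_attempts: int = 0
    locked: bool = False


class CredentialStore:
    """One record per unique user ID (8.1); never stores a plaintext password (8.4)."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self._users: dict[str, Credential] = {}
        self._threshold = threshold

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

    def add_user(self, user_id: str, password: str) -> None:
        # A second person cannot be given an existing ID: no shared accounts.
        if user_id in self._users:
            raise ValueError(f"user ID already exists: {user_id}")
        salt = os.urandom(16)
        self._users[user_id] = Credential(salt, self._derive(password, salt))

    def authenticate(self, user_id: str, password: str) -> bool:
        cred = self._users.get(user_id)
        if cred is None:
            # Do the same work for unknown IDs so response time does not reveal valid ones.
            self._derive(password, b"\x00" * 16)
            return False
        if cred.locked:
            return False                      # stays locked until an administrator resets it
        if hmac.compare_digest(cred.digest, self._derive(password, cred.salt)):
            cred.failed_attempts = 0
            return True
        cred.failed_attempts += 1
        if cred.failed_attempts >= self._threshold:
            cred.locked = True
        return False

    def is_locked(self, user_id: str) -> bool:
        return self._users[user_id].locked

    def stored_record(self, user_id: str) -> tuple[bytes, bytes]:
        """What would be written to disk: salt and digest, never the password."""
        cred = self._users[user_id]
        return cred.salt, cred.digest
```

A record stored this way can be verified but not recovered, so there is no decryption key whose loss exposes every password; the transmission half of the bullet is the job of the transport (the ACS slides that follow restrict the management interface to HTTPS). The lockout counter here covers the "failed attempts" setting shown on the ACS screens, and a second factor for remote access would sit in front of this store, not inside it.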


Requirement 8: Assign a Unique ID to Each Person with Computer Access

[Diagram: Cisco PCI reference architecture. Remote Location: mobile POS and POS terminals, cash register, ISR, WAP, store worker PC, wireless device, CSA. Internet Edge: ASA, 7200/7300 router, Cisco IPS, IronPort, WAN, e-commerce tier (AXG, CSA). Main Office: ASA, Catalyst 6500 switch, WAP, CSA. Data Center: ASA, switch, AXG, credit card storage, CSA. Network Management Center: ACS, CSM, NAC server, NCM/CAS, CS-MARS.]

Cisco Secure Access Control Server (ACS) (For Your Reference)

Administration Accounts


Cisco ACS (For Your Reference)

Only Allow HTTPS Connections

Cisco ACS (For Your Reference)

Idle Timeouts and Failed Attempts


Cisco ACS (For Your Reference)

Map to Active Directory

PCI Requirement 9
Restrict Physical Access to Cardholder Data
• Use facility entry controls to limit and monitor physical access to systems that store, process, or transmit cardholder data
  Cameras to monitor sensitive areas
  Restrict physical access to network jacks, wireless access points, gateways, and handheld devices
• Distinguish between employees and visitors
• Visitor log, physical token, and authorization before entering sensitive areas
• Physically secure cardholder data media
• Destroy media when it is no longer needed


PCI Requirement 10
Track and Monitor All Access to Network Resources and Cardholder Data
• Implement automated audit trails
• Record audit trail entries
• Synchronize all critical system clocks and times
• Secure audit trails so they cannot be altered
• Review logs for all system components at least daily
• Retain audit trail history for at least one year, with a minimum of three months online availability
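The audit-trail bullets as an added example; this is not CS-MARS code and not from the deck. It takes a handful of constructed syslog-style lines modelled on what ASA and IOS devices emit, stores them in an HMAC chain so that editing or deleting a stored record is detectable (the "cannot be altered" bullet), pulls out the administrator-access slice a daily review starts from (which is also the question the CS-MARS slide later asks), and checks a retention window against the one-year / three-month figures. The hostnames, addresses and collector key are invented for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import re
from datetime import datetime, timedelta

# Constructed records modelled on ASA/IOS syslog output; hosts and addresses are invented.
SAMPLE_LOG = [
    '2008-04-14T09:12:01 asa-edge-1 %ASA-6-605005: Login permitted from 10.10.5.23/41022 to inside:10.10.1.1/ssh for user "netadmin"',
    "2008-04-14T09:15:44 asa-edge-1 %ASA-6-302013: Built inbound TCP connection 8812 for outside:203.0.113.7/50112 to dmz:10.20.1.10/443",
    "2008-04-14T11:02:10 sw-6500-core %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: netadmin] [Source: 10.10.5.23] [localport: 22]",
    '2008-04-14T23:40:03 asa-dc-1 %ASA-6-605004: Login denied from 198.51.100.4/5560 to outside:192.0.2.1/ssh for user "root"',
    "2008-04-15T02:05:55 asa-dc-1 %ASA-5-111008: User 'netadmin' executed the 'configure terminal' command.",
]

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
# Message IDs that mean "someone with administrative reach touched the device".
ADMIN_EVENT = re.compile(r"605005|605004|LOGIN_SUCCESS|LOGIN_FAILED|111008")


def chain(records: list[str], key: bytes) -> list[tuple[str, str]]:
    """Store each line with HMAC(key, previous_tag || line). Editing or deleting
    any stored line invalidates every tag after it, which is the property the
    'secure audit trails' bullet asks for; the key lives on the log collector,
    never on the devices that produce the records."""
    prev = b""
    chained = []
    for line in records:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        chained.append((line, tag))
        prev = tag.encode()
    return chained


def verify_chain(chained: list[tuple[str, str]], key: bytes) -> int:
    """Index of the first record whose tag does not verify, or -1 if all do."""
    prev = b""
    for i, (line, tag) in enumerate(chained):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return i
        prev = tag.encode()
    return -1


def admin_access(records: list[str]) -> list[dict[str, str]]:
    """The slice a daily review starts from: administrator logins, failed
    administrator logins, and configuration commands."""
    hits = []
    for line in records:
        m = LINE.match(line)
        if m and ADMIN_EVENT.search(m["msg"]):
            hits.append({"ts": m["ts"], "host": m["host"], "msg": m["msg"]})
    return hits


def retention_status(oldest: str, newest: str, online_since: str) -> dict[str, bool]:
    """At least one year of history, at least three months of it online.
    Arguments are ISO dates (YYYY-MM-DD)."""
    o, n, s = (datetime.fromisoformat(d) for d in (oldest, newest, online_since))
    return {
        "history_ok": n - o >= timedelta(days=365),
        "online_ok": n - s >= timedelta(days=90),
    }
```

The chain only proves tampering after the fact; the collector still has to be reachable only from the devices it serves and from the management network, and the clock-synchronization bullet is what makes the timestamps in these records comparable across hosts.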

Requirement 10: Track and Monitor All Access to Network and Cardholder Data

[Diagram: Cisco PCI reference architecture. Remote Location: mobile POS and POS terminals, cash register, ISR, WAP, store worker PC, wireless device, CSA. Internet Edge: ASA, 7200/7300 router, Cisco IPS, IronPort, WAN, e-commerce tier (AXG, CSA). Main Office: ASA, Catalyst 6500 switch, WAP, CSA. Data Center: ASA, switch, AXG, credit card storage, CSA. Network Management Center: ACS, CSM, NAC server, NCM/CAS, CS-MARS.]


CS-MARS: PCI DSS Requirement 10
Critical System Access Monitoring

PCI DSS Requirement 10: "Is administrator access to the end systems monitored?"

CS-MARS PCI Reports/Reporting (For Your Reference)

PCI Reports Group
• Detailed monitoring and reporting for PCI requirements
• Comprehensive PCI reports


CS-MARS for PCI Reporting (For Your Reference)

Comprehensive and Detailed Reports and Reporting
PCI Reports Group

NCM Requirement 10 Status (For Your Reference)


PCI Requirement 11
Regularly Test Security Systems and Processes
• Use a wireless analyzer at least quarterly to identify all wireless devices in use
• Run internal and external network vulnerability scans at least quarterly and after any significant change in the network
• Perform penetration testing at least once a year and after any significant upgrade or modification
• Use NIDS/IPS and HIDS/HIPS to monitor all network traffic and alert personnel to suspected compromises
• Deploy file integrity monitoring software to perform critical file comparisons at least weekly

Requirement 11: Regularly Test Security Systems and Processes

[Diagram: Cisco PCI reference architecture. Remote Location: mobile POS and POS terminals, cash register, ISR, WAP, store worker PC, wireless device, CSA. Internet Edge: ASA, 7200/7300 router, Cisco IPS, IronPort, WAN, e-commerce tier (AXG, CSA). Main Office: ASA, Catalyst 6500 switch, WAP, CSA. Data Center: ASA, switch, AXG, credit card storage, CSA. Network Management Center: ACS, CSM, NAC server, NCM/CAS, CS-MARS.]


Cisco ASA 5500 Series and IPS Network Environment Blueprint for PCI

[Diagram: the reference architecture with the IPS placement called out per site. Remote Location (POS terminals, cash register, ISR, WAP, store worker PC, wireless device, CSA): ASA IPS, Cisco IOS IPS, or ISR AIM IPS. Internet Edge (ASA, 7200/7300 router, IronPort, WAN): IPS 4200 or IDSM-2. Main Office (ASA, Catalyst 6500 switch, WAP, CSA): ASA-IPS. Data Center (ASA, switch, credit card storage, e-commerce, CSA): IPS 4200 or ASA-IPS. Network Management Center: ACS, CSM, NAC server, NCM/CAS, CS-MARS.]
CS-MARS: PCI DSS Requirement 11
Wireless Access Detection

PCI DSS Requirement 11: "Is the wireless network being monitored and are new wireless devices identified?"

Cisco Wireless Controller


Wireless Controller Configuration (For Your Reference)

Scan for and Detect Rogue APs and Wireless Devices

Untrusted AP Policy
  Rogue Location Discovery Protocol ........ Disabled
  RLDP Action .............................. Alarm Only
Rogue APs
  Rogue APs advertising my SSID ............ Alarm Only
  Detect and report Ad-Hoc Networks ........ Enabled

Cisco Security Manager
IPS Device-Centric Signature View


Cisco Security Manager
Policy-Centric Signature View

Cisco Security Agent (CSA)
PCI Rule Modules


CSA PCI Requirement 11 Modules

CSA PCI Module Drill-Down


NCM Requirement 11 Status

PCI Requirement 12
Maintain a Policy that Addresses Information Security for Employees and Contractors
• Establish, publish, maintain, and disseminate a security policy
• Develop usage policies for critical employee-facing technologies
• Implement a security awareness program
• Implement an incident response plan
• If cardholder data is shared with service providers, the service provider must adhere to the PCI DSS requirements


Requirement 12: Maintain a Policy that Addresses Information Security

[Diagram: Cisco PCI reference architecture. Remote Location: mobile POS and POS terminals, cash register, ISR, WAP, store worker PC, wireless device, CSA. Internet Edge: ASA, 7200/7300 router, Cisco IPS, IronPort, WAN, e-commerce tier (AXG, CSA). Main Office: ASA, Catalyst 6500 switch, WAP, CSA. Data Center: ASA, switch, AXG, credit card storage, CSA. Network Management Center: ACS, CSM, NAC server, NCM/CAS, CS-MARS.]

CSM Workflow
"Enable Different Management Teams to Work Together"

What Is It?
• Structured process for change management that complements your operational environment

Example
• Who can set policies
• Who can approve them
• Who can approve deployment, and when
• Who can deploy them

Benefit
• Provides scope of control

[Diagram: Security Operations owns policy definition (create/edit policy, review/submit, approve/commit, undo); Network Operations owns policy deployment (generate/submit job, approve deploy job, deploy, rollback). Covers firewall, VPN, and IPS services.]

CSM Role-Based Access Control

What Is It?
• Authenticates an administrator's access to the management system
• Determines who has access to specific devices and policy functions

Example
• Verifies the administrator and associates administrators with specific roles as to who can do what

Benefit
• Enables delegation of administrator tasks to multiple operators
• Provides appropriate separation of ownership and controls

[Diagram: Cisco Security Manager authenticates administrators against Cisco Secure ACS (AAA) and manages Cisco IOS Software devices, Cisco PIX Firewall and Cisco ASA across remote-access and home-office sites.]
NCM Requirement 12 Status (For Your Reference)


Cisco Solution for PCI

[Diagram: the reference architecture (Remote Location, Internet Edge, Main Office, Data Center, Network Management Center) with each component annotated by the PCI requirements it supports. Components shown: Cisco Security Agent (CSA), POS terminals, ASA 5500, ISR, 7300 router, WAP, IronPort, Cisco IPS, Catalyst 6500 switch, AXG, credit card storage, e-commerce, ACS, NAC, Cisco Security Management (CSM), NCM/CAS, CS-MARS. Legend: Requirement 1 through Requirement 12.]
PCI Solution Mapping

✓ = product contributes to the requirement; n/a = not applicable

PCI Req | ISR | ASA | CSA | MARS | WLAN | IPS | NAC | 6500 | IronPort | CSM | NCM | ACE XML | ACS
--------+-----+-----+-----+------+------+-----+-----+------+----------+-----+-----+---------+-----
   1    |  ✓  |  ✓  |  ✓  |  ✓   |  ✓   | n/a | n/a |  ✓   |   n/a    |  ✓  |  ✓  |   n/a   | n/a
   2    |  ✓  |  ✓  | n/a |  ✓   |  ✓   | n/a | n/a | n/a  |   n/a    |  ✓  |  ✓  |   n/a   | n/a
   3    | n/a | n/a |  ✓  |  ✓   | n/a  | n/a | n/a | n/a  |   n/a    | n/a | n/a |   n/a   | n/a
   4    |  ✓  |  ✓  | n/a |  ✓   |  ✓   | n/a | n/a |  ✓   |    ✓     |  ✓  |  ✓  |   n/a   | n/a
   5    |  ✓  |  ✓  |  ✓  |  ✓   | n/a  | n/a |  ✓  | n/a  |    ✓     | n/a | n/a |   n/a   | n/a
   6    |  ✓  | n/a |  ✓  |  ✓   | n/a  | n/a |  ✓  | n/a  |    ✓     | n/a |  ✓  |    ✓    | n/a
   7    |  ✓  |  ✓  |  ✓  |  ✓   | n/a  | n/a |  ✓  |  ✓   |   n/a    |  ✓  |  ✓  |   n/a   |  ✓
   8    |  ✓  |  ✓  |  ✓  |  ✓   | n/a  | n/a | n/a | n/a  |   n/a    |  ✓  |  ✓  |   n/a   |  ✓
   9    | n/a | n/a | n/a | n/a  | n/a  | n/a | n/a | n/a  |   n/a    | n/a | n/a |   n/a   | n/a
  10    |  ✓  |  ✓  |  ✓  |  ✓   |  ✓   |  ✓  | n/a |  ✓   |   n/a    |  ✓  |  ✓  |   n/a   |  ✓
  11    |  ✓  |  ✓  |  ✓  |  ✓   |  ✓   |  ✓  | n/a |  ✓   |   n/a    |  ✓  |  ✓  |   n/a   | n/a
  12    |  ✓  |  ✓  |  ✓  |  ✓   |  ✓   |  ✓  |  ✓  |  ✓   |    ✓     |  ✓  |  ✓  |    ✓    |  ✓

Cisco PCI Services

Services from Cisco and Cisco Security Specialized Partners
• Supporting your efforts to achieve compliance
  Identify and remediate gaps in your current network environment relative to the PCI Data Security Standard
  Gap analysis and remediation plan
  Design and implementation

• Supporting your efforts to stay compliant
  Asset monitoring and support for configuration and change management
  Quarterly security gap analysis
  Periodic reporting of PCI-critical device status
*PCI compliance service capabilities may vary by region


Gap Analysis and Remediation Plan (For Your Reference)
Identifies Gaps in Your Network Components and Systems, Policies, and Processes

PCI Analysis Toolset
• Collects data about devices and configurations (Cisco and third party)
• Analyzes your network for gaps relative to PCI Data Security Standard requirements
• Cisco engineer creates a tailored remediation plan that includes a prioritized set of actions for closing compliance gaps

Design and Implementation (For Your Reference)
Best Practices for Implementing the Remediation Plan Recommendations
• Security Policy Definition
  Develop or refine your company's high-level goals, procedures, rules, and requirements for securing its information assets
• Design Review, if necessary
  Provide design review if the PCI gap analysis and remediation plan suggest it
• Implementation
  Implement your solution on time and on budget by following a thorough, detailed implementation process based on best practices
  Realize business and technical goals by installing, configuring, and integrating new system components in accordance with remediation plan recommendations


Asset Monitoring and Support for Configuration and Change Management (For Your Reference)
• Asset Monitoring
  Monitor and manage devices critical to your PCI-compliant network in real time, 24 hours a day, 365 days a year
  Identify anomalies, events, or trends that might adversely affect your network security
  Provide consolidated status reports that you can use with your stakeholders and third parties such as auditors
• Configuration Management Support
  Improve operational efficiency by maintaining an accurate, reliable system configuration database and managing configuration changes through an orderly, effective process
• Change Management Support
  Reduce operating costs and limit change-related incidents with a consistent and efficient change management process

Quarterly Incremental Security Gap Analysis (For Your Reference)

Assess for changes that might affect compliance

Provide improvement recommendations and remediation services as needed


Summary

Summary
Key Takeaways
• PCI is moving rapidly to global importance
• PCI compliance encompasses security best practices
• Work closely with your Approved Scanning Vendor and Qualified Security Assessor to understand expectations
• Use Cisco's PCI Validated Architectures as a guide to ease design and implementation


More Information

• Cisco Compliance information
  http://www.cisco.com/go/compliance
  http://www.cisco.com/go/retail

• VISA Cardholder Information Security Program
  http://usa.visa.com/merchants/risk_management/cisp.html

• MasterCard PCI Merchant Education
  http://www.mastercard.com/us/sdp/education/pci%20merchant%20education%20program.html

• PCI Security Standards Council
  https://www.pcisecuritystandards.org/

Relevant Security Sessions
BRKSEC-2004  Monitoring and Mitigating Threats
BRKSEC-2006  Inside the Perimeter: Six Steps to Improving Your Security Monitoring
BRKSEC-2007  Deploying Cisco IOS Security
BRKSEC-2011  Deploying Site-to-Site IPSec VPNs
BRKSEC-2012  Deploying Dynamic Multipoint VPNs
BRKSEC-2020  Firewall Design and Deployment
BRKSEC-2030  Deploying Network-Based Intrusion Prevention Systems
BRKSEC-2031  Understanding Host-Based Threat Mitigation Techniques
BRKSEC-2041  Deploying Cisco Network Admission Control Appliance
BRKSEC-2052  Secure Messaging
BRKSEC-4012  Advanced IPSec with GET VPN


Q and A

Recommended Reading

• Continue your Cisco Live learning experience with further reading from Cisco Press®
• Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store

Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes; winners announced daily.
• Receive 20 Passport points for each session evaluation you complete
• Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center

Don't forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008. Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
