With security being a foremost concern for many customers of Extreme Networks, satisfying the requirements made by the PCI standard can help customers to not only maintain PCI compliance, but remain secure more generally. Although this whitepaper does not include an exhaustive treatment of all aspects of PCI requirements, the 12 high-level PCI requirements are listed below:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored cardholder data
- Encrypt transmissions of cardholder data across open, public networks
- Use and regularly update anti-virus software or programs
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need to know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security for all personnel
There are several features and capabilities built directly into Extreme Networks switches that can be used to build PCI compliant networks. These capabilities include:
VLAN Segmentation
VLAN segmentation is a powerful technology that can be applied to networks that process cardholder data: dedicated VLANs are built for such networks in order to maintain separation from other network segments. This assists with PCI requirements 1, 3, and 7.
Flow Data Export
A key aspect of PCI compliance is the need to track all access to network resources and cardholder data under requirement 10. Because Extreme switches can produce flow data for individual network connections and sessions, the export of this data can function as a source of information for tracking access to network resources. A comprehensive PCI compliance strategy should leverage this data as a contributing audit trail for PCI requirement 10.
Policy-Based Filtering
PCI requirement 1 is explicit about the need for filtering infrastructure to protect cardholder data. Although this commonly implies the use of a firewall, the policy capabilities in Extreme Networks switches can play a contributing role here. Once a section of the network is designated as a place where cardholder data is processed, switch policies can be deployed to filter inappropriate traffic to and from every other network that attempts to send traffic through the cardholder network. Any PCI compliance audit will establish whether such filtering policies are in place not only on dedicated firewall devices, but also within the switching infrastructure.
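As an added illustration of the two preceding points (flow export as an audit trail for requirement 10, and filtering of traffic to and from the cardholder network under requirement 1), the following Python script is not part of this whitepaper or of any Extreme Networks product. It checks constructed flow records against a constructed segmentation policy and reports the records that cross the cardholder boundary without being permitted; the VLAN id, subnets, allowed ports and the key=value record format are all assumptions.

```python
import ipaddress

# Constructed values: the VLAN/subnet where cardholder data is processed (the CDE)
# and the only source networks and destination ports allowed into it (requirement 1).
CDE_VLAN = 100
CDE_NET = ipaddress.ip_network("10.100.0.0/24")
ALLOWED = {
    ipaddress.ip_network("10.20.0.0/24"): {443},   # POS terminals, TLS only
    ipaddress.ip_network("10.250.0.0/28"): {22},   # admin jump hosts, SSH only
}

def parse_flow(line):
    """Parse one exported flow record (constructed key=value format) into a dict."""
    kv = dict(f.split("=", 1) for f in line.split())
    return {"src": kv["src"], "dst": kv["dst"], "sport": int(kv["sport"]),
            "dport": int(kv["dport"]), "vlan": int(kv["vlan"])}

def check(flow):
    """Return None if the flow respects CDE segmentation, otherwise a reason string."""
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    if src in CDE_NET and dst in CDE_NET:
        return None                                   # traffic internal to the CDE
    if src in CDE_NET:                                # outbound: only replies to allowed sessions
        ok = any(dst in net and flow["sport"] in ports for net, ports in ALLOWED.items())
        return None if ok else f"unexpected egress from CDE to {flow['dst']}:{flow['dport']}"
    if dst in CDE_NET or flow["vlan"] == CDE_VLAN:    # inbound to the CDE
        for net, ports in ALLOWED.items():
            if src in net:
                return None if flow["dport"] in ports else \
                    f"{flow['src']} -> CDE port {flow['dport']} not permitted"
        return f"{flow['src']} is not an authorised source for the CDE"
    return None                                       # does not touch the CDE

def audit(lines):
    """Requirement 10 audit-trail check: return (record, reason) for each violation."""
    return [(line, r) for line in lines if (r := check(parse_flow(line)))]

# Constructed sample export; the last three records violate the policy.
SAMPLE = [
    "src=10.20.0.15 dst=10.100.0.5 sport=51234 dport=443 vlan=100",
    "src=10.100.0.5 dst=10.20.0.15 sport=443 dport=51234 vlan=100",
    "src=10.250.0.3 dst=10.100.0.5 sport=40000 dport=22 vlan=100",
    "src=10.30.0.7 dst=10.100.0.5 sport=40100 dport=445 vlan=100",
    "src=10.20.0.15 dst=10.100.0.5 sport=40200 dport=3389 vlan=100",
    "src=10.100.0.5 dst=203.0.113.9 sport=49999 dport=80 vlan=100",
]

if __name__ == "__main__":
    for record, reason in audit(SAMPLE):
        print(f"VIOLATION: {reason}  [{record}]")
```

Real flow exports carry many more fields and are bidirectional only when the collector merges them, so the reply-matching rule above would be replaced by the collector's own session pairing in practice.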
802.1X User Authentication
Extreme switches support per-port 802.1X authentication for users, and this is an important feature to help track users as they try to gain access to network infrastructure. This feature helps to satisfy PCI requirements 7 and 8 whenever Extreme switches are powering networks in which cardholder data resides.
MACsec Link Encryption
In the second half of 2015, many Extreme Networks switch models will support the MACsec protocol to build strongly encrypted point-to-point links on Ethernet networks. Although most cardholder data is already encrypted during network transit by SSL/TLS, in some situations there may be an opportunity to use Extreme Networks switches to help satisfy PCI requirement 4 through the use of MACsec.
Secure Shell (SSH)
An industry-standard method for providing a secure, encrypted administration interface to remote operating systems is Secure Shell (SSH). Extreme Networks switches support SSH for administrative functions, and enabling it is important to help satisfy PCI requirements 2 and 6. For requirement 2, an SSH client can be used to verify that easily guessable default passwords are not used on deployed Extreme switches. For requirement 6, any use of a non-SSH administrative shell interface (such as telnet) would be considered insecure. Therefore, deploying SSH helps to achieve PCI compliance under requirement 6.
Strong Admin Passwords
PCI requirement 2 is explicit about the need to deploy strong non-default passwords for administrative functions. Although there is no feature that guarantees the usage of a strong password on a particular Extreme Networks switch, it is important that the local security policy mandate this for all deployed switches. Adherence to this policy is critical for satisfying PCI requirement 2.
Firmware Updates
Regular updates are made to Extreme switch firmware, and these updates sometimes fix security vulnerabilities or other problems. Keeping switches updated with the latest firmware helps to ensure that PCI requirement 6 is met. Extreme Networks is committed to providing timely firmware updates for our switching products, and this helps to give customers confidence in the security posture of the networks they deploy.