How to achieve a PCI Compliant network
Implementation of secure LDAP cluster
This consists of a master server and three read-only slaves. The master is locked down heavily, and the read-only slaves are what applications authenticate against. All communication with the cluster is authenticated and encrypted, and all of our new systems have been moved over to authenticate against it.
TACACS+ / RADIUS (2-Factor) authentication front ends
TACACS+ is the authentication protocol used by all our network equipment; it passes authentication through to the LDAP cluster. This system was rebuilt to use encrypted communication, a well-structured user/group scheme and various other security features.
RADIUS (2-Factor) was implemented to pass one factor of the authentication back to the LDAP cluster and the second factor to a YubiKey server, so that YubiKeys can be used as the second factor.
A secure VPN was implemented using the 2-Factor RADIUS authentication as the entry point into the management network of any PCI-DSS customer.
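To make the two-factor RADIUS split concrete, here is an added example (not code from the original post or from our RADIUS server). It assumes the common convention of typing the YubiKey OTP straight after the static password in the single RADIUS password field, with the RADIUS server splitting the two apart before forwarding the password to LDAP and the OTP to the YubiKey server. The post does not say how the factors were carried in practice, so that convention, the backend names and the sample credential are all assumptions made for illustration.

```python
"""Split a combined "password + YubiKey OTP" credential into its two factors.

Added example, not code from the original post. It assumes the convention of
typing the YubiKey OTP immediately after the static password in the single
RADIUS User-Password field and splitting it on the RADIUS server before each
factor is forwarded to its own back end.
"""
from __future__ import annotations

# YubiKey modhex alphabet: position = nibble value (c=0, b=1, ..., v=15).
MODHEX_ALPHABET = "cbdefghijklnrtuv"
PUBLIC_ID_LENGTH = 12   # first 12 modhex chars identify the key
OTP_LENGTH = 44         # 12-char public ID + 32-char encrypted token


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to bytes, raising ValueError on bad input."""
    if len(text) % 2:
        raise ValueError("modhex string must have even length")
    out = bytearray()
    for hi, lo in zip(text[0::2], text[1::2]):
        if hi not in MODHEX_ALPHABET or lo not in MODHEX_ALPHABET:
            raise ValueError(f"invalid modhex pair {hi!r}{lo!r}")
        out.append((MODHEX_ALPHABET.index(hi) << 4) | MODHEX_ALPHABET.index(lo))
    return bytes(out)


def split_factors(combined: str) -> dict:
    """Separate the LDAP password (first factor) from the YubiKey OTP (second).

    Returns {'password', 'otp', 'public_id'}; public_id is the key's 6-byte
    identity as hex, which is what a validation server uses to look the key
    up and what an admin maps to a user. Raises ValueError when the trailing
    44 characters are not modhex, so a malformed request is rejected before
    either back end is contacted.
    """
    if len(combined) <= OTP_LENGTH:
        raise ValueError("credential too short to hold a password and an OTP")
    password, otp = combined[:-OTP_LENGTH], combined[-OTP_LENGTH:]
    public_id = modhex_decode(otp[:PUBLIC_ID_LENGTH]).hex()  # also validates charset
    modhex_decode(otp[PUBLIC_ID_LENGTH:])                     # token part must be modhex too
    return {"password": password, "otp": otp, "public_id": public_id}


def is_well_formed(combined: str) -> bool:
    """True when the credential can be split into password + modhex OTP."""
    try:
        split_factors(combined)
        return True
    except ValueError:
        return False


def route_factors(combined: str) -> list[tuple[str, str]]:
    """Return (backend, value) pairs: who checks what.

    The backend names are placeholders (an assumption) for the two sources
    the post describes: the LDAP cluster and the YubiKey server.
    """
    parts = split_factors(combined)
    return [("ldap", parts["password"]), ("yubikey", parts["otp"])]


# Constructed sample: a made-up static password followed by a syntactically
# valid but non-functional 44-character modhex OTP.
SAMPLE_OTP = "ccccccbcgkhl" + "ftuhglrvrrkhdghrjgtgkhecjhiuiurl"
SAMPLE_CREDENTIAL = "S3cretPass" + SAMPLE_OTP

if __name__ == "__main__":
    print(split_factors(SAMPLE_CREDENTIAL))
    print(route_factors(SAMPLE_CREDENTIAL))
    print(is_well_formed("S3cretPass" + "x" * OTP_LENGTH))
```

The point of decoding the public ID before contacting anything is that a user whose key is not mapped to their account, or a request that simply has no OTP on the end, can be refused without ever sending the password on to LDAP.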
A user account management gateway was set up to allow LDAP account and password management, and we implemented a password policy as defined in PCI-DSS section 8.
Puppet is used to enforce consistent, secure configuration standards across our server infrastructure, and all changes are subject to change tracking.
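As an added example of what the section 8 password policy amounts to in code (this is not the gateway's own code), the following enforces the numeric thresholds PCI-DSS states: at least 7 characters with both letters and digits, a change at least every 90 days, no reuse of the last four passwords, and lockout after at most six failed attempts. How the history is stored (salted PBKDF2 digests, newest first), the PBKDF2 parameters and the sample dates are assumptions made for the example.

```python
"""Password policy checks with the thresholds from PCI DSS Requirement 8.

Added example, not the original post's account-management gateway. The
numeric limits are the ones PCI DSS states; the storage format and the
PBKDF2 parameters are assumptions made for the example.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MIN_LENGTH = 7
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 4            # the current password plus the three before it
MAX_FAILED_ATTEMPTS = 6
PBKDF2_ITERATIONS = 100_000  # assumption; tune for your hardware


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    # (salt, digest) pairs, newest first; the cleartext is never stored
    history: list[tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: datetime | None = None
    failed_attempts: int = 0


def complexity_errors(password: str) -> list[str]:
    """Length and character-class rules; returns an empty list when compliant."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        errors.append("contains no letters")
    if not any(c.isdigit() for c in password):
        errors.append("contains no digits")
    return errors


def reuse_errors(account: Account, password: str) -> list[str]:
    """Reject a password that matches any of the last HISTORY_DEPTH digests."""
    for salt, digest in account.history[:HISTORY_DEPTH]:
        if hmac.compare_digest(_digest(password, salt), digest):
            return [f"matches one of the last {HISTORY_DEPTH} passwords"]
    return []


def validate_new_password(account: Account, password: str) -> list[str]:
    return complexity_errors(password) + reuse_errors(account, password)


def set_password(account: Account, password: str, now: datetime) -> None:
    """Apply the policy, then record the new digest and reset the lockout counter."""
    errors = validate_new_password(account, password)
    if errors:
        raise ValueError("; ".join(errors))
    salt = os.urandom(16)
    account.history.insert(0, (salt, _digest(password, salt)))
    del account.history[HISTORY_DEPTH:]      # keep only what the reuse rule needs
    account.last_changed = now
    account.failed_attempts = 0


def password_expired(account: Account, now: datetime) -> bool:
    """True when the password is older than 90 days (or was never set)."""
    return account.last_changed is None or now - account.last_changed > MAX_AGE


def record_failed_login(account: Account) -> bool:
    """Count a failed attempt; returns True once the account should be locked."""
    account.failed_attempts += 1
    return account.failed_attempts >= MAX_FAILED_ATTEMPTS


if __name__ == "__main__":
    acct = Account()
    t0 = datetime(2012, 1, 1)                      # constructed sample date
    set_password(acct, "abc1234", t0)
    print(validate_new_password(acct, "abc1234"))  # reuse of the current password
    print(password_expired(acct, t0 + timedelta(days=91)))
```

Keeping only salted digests in the history means the reuse check costs one PBKDF2 computation per stored entry, which is the price of not holding old passwords in a form that is useful to an attacker who reads the directory.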
DrayTek LDAP client development
At our request router vendor DrayTek are implementing an LDAP client so we can use their devices on our PCI-DSS compliant networks.
Centralised Secure Logging
This consists of a standard syslog-ng server collecting logs from every device and server on our network, and a Splunk server that collects the security-relevant logs in the manner PCI-DSS requires.
Constant vulnerability scanning and security upgrades
Nessus has been deployed to scan our primary systems periodically, and servers are monitored for security upgrades, with patches applied within 24 hours.
A DNS change management tool has been introduced, so changes to our DNS infrastructure are now controlled and tracked, which makes it far more secure than it once was.
SolarWinds, Observium and Nagios monitor our customers' networks and our core network, and RANCID is used to monitor and track changes on network devices.
Secure backups of our entire virtualisation infrastructure are taken with Veeam. Incidentally, we are 75% of the way through virtualising our entire server infrastructure, which is saving us a ton of money on rack space in London.
Anti-virus is being rolled out right now.
Along with all this work comes a ton of policy documentation, which I have to say is a great discipline to impose (remembering that I’m not the one who has to do it :) ).
All in all, it’s been a great effort by the whole team. Onwards and upwards.