How to achieve a PCI Compliant network

by Trefor Davies on Thursday, 17 January, 2013

A lot of effort goes into achieving PCI compliance for a network. Without going into huge detail, I thought some of you would like to know the type of work we had to do to get the badge.

Implementation of secure LDAP cluster

This consists of a master server and three read-only slaves. The master is locked down heavily, and applications authenticate against the read-only slaves. All communication between clients and the cluster, and between the master and its slaves, is authenticated and encrypted. All of our new systems have been moved over to authenticate against this LDAP cluster.

TACACS+ / RADIUS (2-Factor) authentication front ends

TACACS+ is the authentication protocol used by all our network equipment; the TACACS+ server passes authentication through to the LDAP cluster. This system was rebuilt to use encrypted communication, a well-structured user/group system, and various other security features.

RADIUS (2-Factor) was implemented to pass one factor of the authentication back to the LDAP cluster and the second factor to a YubiKey validation server, so that YubiKeys can be used as the second factor.

A secure VPN was implemented using the 2-Factor RADIUS authentication as the entry point into the management network of any PCI-DSS customer.

A user account management gateway was set up to allow LDAP account and password management. We also implemented a password policy that follows the rules defined in PCI-DSS Requirement 8 (minimum length and complexity, regular changes, no reuse of recent passwords, and lockout after repeated failures).
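As an added illustration, not code from the post or from the account gateway the author describes, the Python below encodes the PCI DSS v2.0 Requirement 8.5 password controls that a gateway like this has to enforce: minimum length (8.5.10), alphabetic plus numeric characters (8.5.11), no reuse of the last four passwords (8.5.12), a 90-day maximum age (8.5.9), and lockout after six failed attempts for at least 30 minutes (8.5.13, 8.5.14). The requirement numbers and thresholds are those of PCI DSS v2.0, the version current when this post was written; later versions renumber them. The PBKDF2 round count, the `(salt, digest)` history layout and the sample passwords are assumptions made for the example.

```python
"""Password-policy checks modelled on PCI DSS v2.0 Requirement 8.5.

Added example; not the author's gateway code. Thresholds are v2.0 values,
data layout and hashing parameters are assumptions for illustration.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

MIN_LENGTH = 7            # 8.5.10: minimum password length of at least seven
MAX_AGE_DAYS = 90         # 8.5.9:  change passwords at least every 90 days
HISTORY_DEPTH = 4         # 8.5.12: must differ from the last four passwords
MAX_FAILED_ATTEMPTS = 6   # 8.5.13: lock out after at most six failed attempts
LOCKOUT_MINUTES = 30      # 8.5.14: lockout lasts at least 30 minutes
PBKDF2_ROUNDS = 100_000   # assumption: cost factor for stored history entries


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256, so the history never holds plaintext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against one history entry."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(password: str, history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the ids of the violated requirements; an empty list means accepted.

    `history` holds (salt, digest) pairs, oldest first; only the most recent
    HISTORY_DEPTH entries are consulted.
    """
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("8.5.10")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    if not (has_alpha and has_digit):
        problems.append("8.5.11")
    if any(matches(password, s, d) for s, d in history[-HISTORY_DEPTH:]):
        problems.append("8.5.12")
    return problems


def password_expired(changed_at: datetime, now: datetime) -> bool:
    """8.5.9: a password older than MAX_AGE_DAYS must be changed."""
    return now - changed_at > timedelta(days=MAX_AGE_DAYS)


class AccountState:
    """Failed-attempt counter with a timed lockout (8.5.13 / 8.5.14)."""

    def __init__(self) -> None:
        self.failed_attempts = 0
        self.locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> None:
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)

    def record_success(self) -> None:
        self.failed_attempts = 0
        self.locked_until = None


def run_demo() -> Dict[str, bool]:
    """Exercise the age and lockout rules on constructed sample data."""
    t0 = datetime(2013, 1, 17, 9, 0)
    acct = AccountState()
    for _ in range(MAX_FAILED_ATTEMPTS - 1):
        acct.record_failure(t0)
    locked_after_five = acct.is_locked(t0)
    acct.record_failure(t0)                      # sixth failure trips the lockout
    return {
        "expired_after_108_days": password_expired(datetime(2012, 10, 1), t0),
        "expired_after_16_days": password_expired(datetime(2013, 1, 1), t0),
        "locked_after_five": locked_after_five,
        "locked_after_six": acct.is_locked(t0 + timedelta(minutes=29)),
        "still_locked_at_30_min": acct.is_locked(t0 + timedelta(minutes=30)),
    }


if __name__ == "__main__":
    history = [hash_password("Summer2012")]      # constructed: the user's previous password
    print(check_new_password("abc123", []))        # ['8.5.10']
    print(check_new_password("Summer2012", history))  # ['8.5.12']
    print(check_new_password("Winter2013", history))  # []
    print(run_demo())
```

The history comparison re-derives the hash with the stored salt rather than comparing plaintext, which is the only way a gateway can enforce the "last four" rule without keeping old passwords recoverable; the lockout timer releases exactly at the 30-minute mark, the minimum the requirement allows.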

Puppet is used to enforce consistent, secure configuration standards across our systems infrastructure, and all changes are subject to change tracking.

DrayTek LDAP client development

At our request, router vendor DrayTek are implementing an LDAP client so that we can use their devices on our PCI-DSS compliant networks.

Centralised Secure Logging

This consists of a standard syslog-ng server collecting logs from all devices and servers on our network, and a Splunk server for the collection and review of security logs in a manner fitting PCI-DSS.

Constant vulnerability scanning and security upgrades

Nessus has been deployed to scan our primary systems periodically, and servers are monitored for security upgrades, with patches applied within 24 hours.

A DNS change management tool has been introduced, so our DNS infrastructure is considerably more secure than it once was.

Monitoring

SolarWinds, Observium and Nagios monitor our customers' networks and our core network, and RANCID is used to monitor and track configuration changes on network devices.

Backups

Secure backups are performed with Veeam for our entire virtualisation infrastructure. Incidentally, we are 75% of the way through virtualising our entire server infrastructure, which is saving us a ton of money on racks in London.

Anti-virus

Anti-virus is being rolled out right now.

Along with all this work comes a ton of policy documentation, which I have to say is a great discipline to impose (remembering that I'm not the one who has to do it :) ).

All in all it's been a great effort by the whole team. Onwards and upwards.

{ 1 comment }

Neil McRae January 17, 2013 at 11:00 pm

Well done Tref

PCI is really table stakes in today's e-commerce society – and it's not just about the network – systems, process and in certain cases people all have to follow your policies etc. Compliance in general is big business and a key concern we hear from our enterprise customers at BT.

Maintaining PCI, or IL2 ISO etc is the harder part, especially when you want to do something quickly!

Neil
