How to achieve a PCI Compliant network


By Trefor Davies

Thursday, 17 January, 2013

A lot of effort goes into achieving PCI compliance for a network. Without going into huge detail, I thought some of you would like to know the type of work we had to do to get the badge.

Implementation of secure LDAP cluster

This consists of a master server and three read-only slaves. The master is locked down heavily and is the only server that accepts writes; applications authenticate against the read-only slaves. All communication between the servers and their clients is authenticated and encrypted. All of our new systems have been moved over to authenticate against this LDAP cluster.

TACACS+ / RADIUS (2-Factor) authentication front ends

TACACS+ is the authentication protocol used by all our network equipment; the TACACS+ server passes authentication through to the LDAP cluster. This system was rebuilt to use encrypted communication, a well-structured user/group system and various security features. (One caveat worth knowing: the protection TACACS+ applies to its own packet bodies is MD5-based obfuscation keyed on the shared secret rather than real encryption, so the traffic still belongs on the isolated management network or inside an encrypted tunnel.)

The RADIUS (2-factor) front end checks the first factor, the user's password, against the LDAP cluster and the second factor, a one-time password, against a YubiKey validation server, so that YubiKeys can be used for login.

A secure VPN, using the 2-factor RADIUS authentication, was implemented as the entry point into the management network of any PCI-DSS customer.
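
As an added example (not code from the original system), here is how a RADIUS front end of the kind described above separates the two factors. The user types the LDAP password and the 44-character YubiKey OTP into one password field; the server undoes the RFC 2865 User-Password obfuscation with the shared secret, splits off the trailing OTP, and checks each half against its own backend. The LdapStandIn and YubiKeyStandIn classes, the user name, the shared secret and the OTP value are assumptions standing in for the real LDAP cluster and YubiKey validation server.

```python
"""Two-factor RADIUS front end (added example, not the original system):
recover the RFC 2865 User-Password attribute, split it into the LDAP
password and the YubiKey OTP, and check each factor against its own
backend.  LdapStandIn and YubiKeyStandIn are in-memory stand-ins."""
import hashlib
import hmac
import os

OTP_LEN = 44                       # 12-char public ID + 32-char encrypted token
MODHEX = set("cbdefghijklnrtuv")   # the alphabet a YubiKey types


def radius_encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: RFC 2865 section 5.2 obfuscation (MD5 keystream XOR)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def radius_decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: undo the obfuscation and strip the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def split_password_and_otp(cleartext: str):
    """The user types <LDAP password><OTP> in one field; the OTP is the
    trailing 44 modhex characters.  Returns (password, otp) or None."""
    if len(cleartext) <= OTP_LEN:          # both factors must be present
        return None
    password, otp = cleartext[:-OTP_LEN], cleartext[-OTP_LEN:]
    return (password, otp) if set(otp) <= MODHEX else None


class LdapStandIn:
    """Stand-in for the read-only LDAP slaves (salted PBKDF2 instead of a bind)."""
    def __init__(self):
        self._users = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, user, password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(password, salt))

    def check(self, user, password):
        rec = self._users.get(user)
        return rec is not None and hmac.compare_digest(rec[1], self._hash(password, rec[0]))


class YubiKeyStandIn:
    """Stand-in for the YubiKey validation server: knows which public ID is
    enrolled for which user and rejects an OTP it has already accepted.
    (The real server also decrypts the token and checks its counters.)"""
    def __init__(self):
        self._key_of, self._seen = {}, set()

    def enrol(self, user, public_id):
        self._key_of[user] = public_id

    def check(self, user, otp):
        if self._key_of.get(user) != otp[:12] or otp in self._seen:
            return False
        self._seen.add(otp)
        return True


def authenticate(packet_password: bytes, secret: bytes, authenticator: bytes,
                 user: str, ldap: LdapStandIn, yubi: YubiKeyStandIn) -> bool:
    cleartext = radius_decode_password(packet_password, secret, authenticator)
    parts = split_password_and_otp(cleartext.decode("utf-8", "replace"))
    if parts is None:
        return False
    password, otp = parts
    ok_ldap = ldap.check(user, password)   # evaluate both factors so the
    ok_otp = yubi.check(user, otp)         # response does not say which failed
    return ok_ldap and ok_otp


if __name__ == "__main__":
    ldap, yubi = LdapStandIn(), YubiKeyStandIn()
    ldap.add_user("ops", "correct horse")
    yubi.enrol("ops", "cccccccccccc")
    otp = "cccccccccccc" + "c" * 32          # constructed, well-formed, not a real OTP
    secret, ra = b"radius-shared-secret", os.urandom(16)
    pkt = radius_encode_password(("correct horse" + otp).encode(), secret, ra)
    print(authenticate(pkt, secret, ra, "ops", ldap, yubi))  # True
    print(authenticate(pkt, secret, ra, "ops", ldap, yubi))  # False, OTP replayed
```

Two things to keep in mind when running this sort of front end. The RFC 2865 User-Password scheme is MD5-keystream obfuscation, not encryption, and the rest of the Access-Request is in the clear, so the shared secret is the only thing protecting the password on the wire; that is a good reason to keep RADIUS traffic inside the management network or the VPN. A real YubiKey validation server also decrypts the 32-character token with the key's AES secret and rejects OTPs whose counters do not increase; the stand-in above only models the replay rejection.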

A user account management gateway was set up to allow LDAP account and password management. We also implemented the password policy defined in PCI-DSS Requirement 8 (minimum length and complexity, regular password changes, no reuse of recent passwords, and lockout after repeated failed attempts).
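
An added example (not the gateway's own code) of the Requirement 8 rules an account management gateway has to enforce, using the PCI DSS v2.0 values in force when this was written: at least seven characters with both letters and digits (8.5.10, 8.5.11), a change at least every 90 days (8.5.9), no reuse of any of the last four passwords (8.5.12), and a 30-minute lockout after six failed attempts (8.5.13, 8.5.14). The Account class, the in-memory password history and the PBKDF2 hashing are assumptions; the real gateway keeps this state in LDAP.

```python
"""PCI DSS Requirement 8 password policy as an account gateway would enforce
it (added example): length and complexity, 90-day rotation, no reuse of the
last four passwords, 30-minute lockout after six failures.  Storage is an
in-memory Account object rather than the LDAP directory."""
from dataclasses import dataclass, field
import hashlib
import hmac
import os

MIN_LENGTH = 7            # 8.5.10
MAX_AGE_DAYS = 90         # 8.5.9
HISTORY_DEPTH = 4         # 8.5.12
MAX_FAILURES = 6          # 8.5.13
LOCKOUT_SECONDS = 30 * 60 # 8.5.14


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    history: list = field(default_factory=list)  # (salt, digest), newest last
    changed_at: float = 0.0                      # epoch seconds of last change
    failures: int = 0
    locked_until: float = 0.0

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(digest, _pbkdf2(password, salt))


def complexity_errors(password: str) -> list:
    """8.5.10/8.5.11: at least seven characters containing letters and digits."""
    errs = []
    if len(password) < MIN_LENGTH:
        errs.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in password):
        errs.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        errs.append("no numeric character")
    return errs


def set_password(acct: Account, new_password: str, now: float) -> list:
    """Apply a password change; returns the list of violations (empty on success)."""
    errs = complexity_errors(new_password)
    for entry in acct.history[-HISTORY_DEPTH:]:   # 8.5.12: none of the last four
        if acct._matches(new_password, entry):
            errs.append("matches one of the last %d passwords" % HISTORY_DEPTH)
            break
    if errs:
        return errs
    salt = os.urandom(16)
    acct.history.append((salt, _pbkdf2(new_password, salt)))
    acct.history = acct.history[-HISTORY_DEPTH:]
    acct.changed_at = now
    return []


def login(acct: Account, password: str, now: float) -> str:
    """Returns 'ok', 'locked', 'expired' or 'bad-password'."""
    if now < acct.locked_until:
        return "locked"
    if not acct.history or not acct._matches(password, acct.history[-1]):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:          # sixth failure locks the account
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad-password"
    acct.failures = 0
    if now - acct.changed_at > MAX_AGE_DAYS * 86400:  # force a change after 90 days
        return "expired"
    return "ok"
```

The history check is done against stored salted hashes, not stored passwords, so the gateway never needs the old cleartexts; the cost is that each change runs up to four PBKDF2 computations. The lockout resets the failure counter when it is applied, so the next burst of six bad attempts after the 30 minutes locks the account again.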

Puppet is used to enforce consistent, secure configuration standards throughout our systems infrastructure, and all changes are subject to change tracking.

DrayTek LDAP client development

At our request, router vendor DrayTek are implementing an LDAP client so that we can use their devices on our PCI-DSS compliant networks.

Centralised Secure Logging

This consists of a standard syslog-ng server collecting logs from all devices and servers on our network, and a Splunk server for the collection of security logs in the manner PCI-DSS requires.
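
Collecting the logs centrally is only half of it; PCI-DSS also expects them to be reviewed. As an added example (not the original tooling), here is the kind of check a daily review over the syslog-ng archive would run: count authentication failures per account and per source address, flag any source at or above the six-attempt lockout threshold, and flag a successful login that follows such a burst. The sshd log lines, host names and addresses are constructed for the example.

```python
"""Daily review of centrally collected syslog (added example, not the
original tooling): count authentication failures per account and per
source address, flag anything at or above the PCI DSS lockout threshold
of six attempts, and flag a success that follows such a burst.  The log
lines below are constructed in standard sshd/syslog format."""
import re
from collections import defaultdict

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
THRESHOLD = 6   # PCI DSS 8.5.13: lock out after at most six failed attempts

SAMPLE_LOG = """\
Jan 17 09:01:12 core-rtr1 sshd[2011]: Accepted publickey for ops from 10.10.0.8 port 50211 ssh2
Jan 17 09:02:40 ldap-ro1 sshd[2019]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2
Jan 17 09:02:41 ldap-ro1 sshd[2019]: Failed password for invalid user admin from 203.0.113.9 port 40011 ssh2
Jan 17 09:02:43 ldap-ro1 sshd[2020]: Failed password for root from 203.0.113.9 port 40012 ssh2
Jan 17 09:02:44 ldap-ro1 sshd[2020]: Failed password for root from 203.0.113.9 port 40012 ssh2
Jan 17 09:02:46 ldap-ro1 sshd[2021]: Failed password for ops from 203.0.113.9 port 40013 ssh2
Jan 17 09:02:47 ldap-ro1 sshd[2021]: Failed password for ops from 203.0.113.9 port 40013 ssh2
Jan 17 09:03:01 ldap-ro1 sshd[2022]: Accepted password for ops from 203.0.113.9 port 40014 ssh2
Jan 17 09:15:22 syslog1 sshd[3100]: Failed password for ops from 10.10.0.8 port 50300 ssh2
Jan 17 09:15:30 syslog1 sshd[3101]: Accepted publickey for ops from 10.10.0.8 port 50301 ssh2
"""


def review(log_text: str, threshold: int = THRESHOLD) -> dict:
    """Returns per-user and per-source failure counts plus the alerts a
    reviewer should act on, in the order they were raised."""
    by_user, by_src = defaultdict(int), defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            by_user[user] += 1
            by_src[src] += 1
            if by_src[src] == threshold:          # raise once, when the line is crossed
                alerts.append("source %s reached %d failed logins" % (src, threshold))
            continue
        m = ACCEPTED.search(line)
        if m:
            user, src = m.groups()
            if by_src.get(src, 0) >= threshold:   # a guess that finally worked?
                alerts.append("success for %s from %s after %d failures"
                              % (user, src, by_src[src]))
    return {"by_user": dict(by_user), "by_src": dict(by_src), "alerts": alerts}


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG)["alerts"]:
        print(alert)
```

In the constructed sample the password spray from 203.0.113.9 cycles through three accounts, so no single account reaches six failures and a per-account lockout would never fire; counting per source address is what catches it, and the subsequent successful password login from the same address is the line a reviewer should chase first. The same pattern applies to the TACACS+ and RADIUS accounting logs, with a different regex for each format.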

Constant vulnerability scanning and security upgrades

Nessus has been deployed to scan our primary systems periodically, and servers are monitored for security upgrades, with patches applied within 24 hours.

A DNS change management tool has been introduced, so that changes to our DNS infrastructure are now controlled and tracked and the infrastructure is far more secure than it once was.

Monitoring

SolarWinds, Observium and Nagios monitor our customers' networks and our core network, and RANCID is used to track configuration changes on network devices.

Backups

Secure backups of our entire virtualization infrastructure are performed with Veeam. Incidentally, we are 75% of the way through virtualizing our entire server infrastructure, which is saving us a ton of money on racks in London.

Anti-virus

Anti-virus is being rolled out right now.

Along with all this work comes a ton of policy documentation, which I have to say is a great discipline to impose (remembering that I'm not the one who has to do it).

All in all it's been a great effort by the whole team. Onwards and upwards.


© Copyright 2014 Trefor.net