Posted by John Kindervag on January 29, 2010
Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks in order to reduce PCI scope (and with it the compliance burden). They typically use ARP manipulation or VLANs to control access to various network segments. These types of controls work at Layer 2, and the hacker community is well versed in using tools such as Ettercap or Cain & Abel, both of which perform ARP spoofing, to bypass them. We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.
While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control: "Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."
While this document addresses WLAN security for PCI, the reasoning is not specific to wireless. The "known techniques" it alludes to are switch spoofing (a host negotiating a trunk over DTP) and 802.1Q double tagging (abusing a trunk whose native VLAN matches the attacker's access VLAN), and both work against any VLAN on a switch, wired or not. Having issued this guidance for wireless networks, the PCI SSC can hardly take a different line on using VLANs alone to segment wired networks.
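The point about "adequate access controls between VLANs" is easier to act on if you can see which switch ports leave the hopping techniques open. The following is an added example, not code from the original post or from the PCI SSC: a small audit script that parses a Cisco IOS-style switch configuration and flags ports that allow DTP trunk negotiation, trunks whose native VLAN is also an access VLAN on the same switch (the double-tagging precondition), trunks left on the default native VLAN 1, and trunks that still send DTP. The configuration fragment, interface names and VLAN numbers are constructed for the example; the findings it prints are a starting point for hardening, not a substitute for the inter-VLAN firewall or ACL the standard asks for.

```python
import re
from dataclasses import dataclass

# Constructed sample of Cisco IOS-style switch configuration. Interface
# names, descriptions and VLAN numbers are invented for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description POS terminal (CDE)
 switchport access vlan 10
 switchport mode access
!
interface GigabitEthernet0/2
 description Guest WLAN access point
 switchport access vlan 20
 switchport mode access
!
interface GigabitEthernet0/3
 description Printer
 switchport access vlan 20
 switchport mode dynamic desirable
!
interface GigabitEthernet0/22
 description Uplink to core (native VLAN left at default)
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/23
 description Uplink to distribution
 switchport mode trunk
 switchport trunk native vlan 999
 switchport nonegotiate
!
interface GigabitEthernet0/24
 description Uplink to WLAN controller
 switchport mode trunk
 switchport trunk native vlan 20
!
"""


@dataclass
class Port:
    name: str
    mode: str = "dynamic auto"  # Cisco default when 'switchport mode' is absent
    access_vlan: int = 1        # default access VLAN
    native_vlan: int = 1        # default native VLAN on trunks
    nonegotiate: bool = False   # 'switchport nonegotiate' suppresses DTP


def parse_config(text):
    """Extract the switchport settings relevant to VLAN hopping."""
    ports, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = Port(name=m.group(1))
            ports.append(current)
        elif current is None:
            continue
        elif line.startswith("switchport mode "):
            current.mode = line[len("switchport mode "):]
        elif line.startswith("switchport access vlan "):
            current.access_vlan = int(line.rsplit(" ", 1)[1])
        elif line.startswith("switchport trunk native vlan "):
            current.native_vlan = int(line.rsplit(" ", 1)[1])
        elif line == "switchport nonegotiate":
            current.nonegotiate = True
    return ports


def audit(ports):
    """Return (port, severity, message) tuples describing hopping exposure."""
    findings = []
    access_vlans = {p.access_vlan for p in ports if p.mode == "access"}
    for p in ports:
        if p.mode.startswith("dynamic"):
            # Switch spoofing: a host that speaks DTP on this port can bring
            # up a trunk and then tag frames for any VLAN the trunk carries.
            findings.append((p.name, "high",
                f"DTP negotiation enabled (mode '{p.mode}'); set "
                "'switchport mode access' and 'switchport nonegotiate'"))
        elif p.mode == "trunk":
            if p.native_vlan in access_vlans:
                # Double tagging: frames from an access port in the native VLAN
                # cross this trunk untagged, so an inner 802.1Q tag an attacker
                # added survives and is honoured by the next switch.
                findings.append((p.name, "high",
                    f"native VLAN {p.native_vlan} is also an access VLAN on "
                    "this switch; double tagging can reach other VLANs"))
            if p.native_vlan == 1:
                findings.append((p.name, "medium",
                    "native VLAN left at default 1; use a dedicated unused VLAN"))
            if not p.nonegotiate:
                findings.append((p.name, "low",
                    "trunk still sends DTP; add 'switchport nonegotiate'"))
    return findings


if __name__ == "__main__":
    for port, severity, message in audit(parse_config(SAMPLE_CONFIG)):
        print(f"{severity:6} {port}: {message}")
```

Run it against a real `show running-config` export instead of the embedded sample to get a list of ports to fix; a clean run only means the two hopping techniques are closed on that switch, and the traffic between VLANs still needs to be restricted by a firewall or router ACL to count as segmentation.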
If you're looking at a "Virtual Network Segmentation" solution, do some investigation to see whether the proposed solution will be accepted as adequate segmentation for PCI purposes (in practice, by your QSA). Remember, network segmentation is a best practice, not a requirement, and the PCI DSS 1.2 document states that: "Network segmentation can be achieved through internal network firewalls, routers with strong access control lists or other technology that restricts access to a particular segment of a network."
Will that other technology be "Virtual Network Segmentation?" The SSC is silent about this right now. Feel free to weigh in.