
11 Strategies to Deploy PCI Compliant Networks


DESCRIPTION

Companies that store, process, or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI-DSS). Failure to comply can result in fines, lawsuits, and even bans from processing credit cards. Even worse, companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners, and shareholders.


Page 1: 11 Strategies to Deploy PCI Compliant Networks

Achieving PCI Compliance CradlePoint Webinar

July 31, 2012

Global Leader in 4G Network Solutions

Ken Hosac VP Business Development

Rudy Cedillo Sr. Enterprise Support Engineer

Page 2

CradlePoint Proprietary and Confidential | ©2012 CradlePoint Inc. | All rights reserved. | Information subject to change without notice.

Agenda

§  CradlePoint Overview – Target market – Solution overview

§  Introduction to PCI Compliance – The standards framework – Business drivers – Compliance & monitoring – Customer pain-points

§  PCI-DSS Requirements & Recommendations – Goals & requirements – Validation methodology – CradlePoint recommendations

Page 3

CradlePoint Target Market: Distributed Enterprise

M2M: Kiosks & ATMs; Convenience Stores; Restaurants; Branch Offices; Retail Stores

CradlePoint provides 3G/4G networking solutions to the distributed enterprise.

Page 4

Solution Overview: Connecting Distributed Enterprise through Wireless 4G/3G

(Diagram labels.) CradlePoint M2M Router: M2M router for connected devices. CradlePoint ARC CBA750 (Bridge): enterprise bridge for business continuity, shown alongside an existing router (Juniper, Cisco, etc.) and DSL modem. CradlePoint ARC MBR1400 (Router): enterprise router for small-footprint retail/branch. WiPipe Central: application & management platform used by the network administrator. On-site services: site survey, installation, maintenance.

Page 5

Overview of the PCI Standards

Page 6

PCI Security Standards

§  Background – Objective is to protect cardholder data – Required for any company that stores, processes or transmits credit card information
– Founded by 5 major payment brands: AmEx, Discover, JCB, MasterCard, Visa
– Participants include hundreds of industry entities

§  Business Drivers – Companies that fail to comply are subject to fines, lawsuits, and can even be banned from processing credit cards.
– Companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders.

Page 7

PCI Security Standards (continued)

§  PCI-SSC publishes three standards – PCI-DSS (PCI Data Security Standard): Applies to any entity that stores, processes, and/or transmits cardholder data. The standard covers the technical and operational system components included in or connected to cardholder data. If a business accepts or processes payment cards, it must comply with the PCI DSS.
– PTS (PIN Transaction Security Requirements): Applies to manufacturers who develop PIN (personal identification number) entry terminals used for payment card financial transactions.
– PA-DSS (Payment Application Data Security Standard): Applies to software developers and integrators of applications that store, process or transmit cardholder data as part of authorization or settlement.

§  Acronyms – PCI = Payment Card Industry – SSC = Security Standards Council – DSS = Data Security Standard – CDE = Cardholder Data Environment – PAN = Primary Account Number (the card number itself)

Page 8

PCI Security Standards (continued)

§  Initial Certification Process – External audits or self-certification, based on company size – Smaller merchants are able to self-certify through a Self-Assessment Questionnaire (SAQ)
– Larger enterprises must use a QSA (Qualified Security Assessor) for an on-site assessment. Quarterly external vulnerability scans by an ASV (Approved Scanning Vendor) are a separate obligation under Requirement 11.2 and are not a substitute for the assessment.

§  Ongoing Monitoring Process – The merchant must continually monitor and update their system in order to maintain compliance.
– This includes: § On-going monitoring and testing of network resources § Regular reviews of system logs and access § Ensuring that device configurations and security policies are locked down and can't be changed without authorization
§ All critical systems have the most recently released software patches within one month to protect against exploitation by malicious individuals, devices and software

Page 9

Customer Pain Points

§  Lack of Expertise – Many companies do not have in-house expertise – PCI Compliance can be a confusing and intimidating process

§  Expense – The process for obtaining and maintaining PCI compliance is expensive and burdensome.
– PCI Compliance auditing is often an expensive, manual process

§  Liability – Companies that fail to comply with the PCI-DSS (Payment Card Industry Data Security Standard) are subject to fines & lawsuits.
– Companies that are breached can find themselves in the news headlines, significantly impacting goodwill with customers, partners and shareholders.

§  Business Continuity – Non-compliance can result in the customer being banned from processing credit cards.
– CradlePoint's largest customers have confirmed that PCI Compliance is one of the most fundamental underpinnings of their business

Page 10

Achieving PCI Compliance

§  Requires a System-Wide Approach – PCI compliance can only be obtained by the merchant. – PCI auditors analyze the merchant's entire system, including POS devices, network devices, servers, applications, policies, & procedures.
– The PCI-DSS requires that the merchant verify that all network equipment (including CradlePoint devices) is properly configured and managed for compliance.

§  Router Certification – There is no specification under which a router by itself can be certified "PCI Compliant"; compliance is a property of the merchant's environment, not of a device. – CradlePoint conducts "PCI Penetration Testing" to ensure that the routers can be confidently used in a PCI-Compliant environment.
– CradlePoint devices do not store the data that flows through them, including cardholder data.

Page 11

Overview of PCI Requirements & Recommendations

Page 12

CradlePoint Enablers

§  Application Guide – 80-page guide for IT professionals – Detailed review of each requirement – CradlePoint enablers – CradlePoint recommendations

Page 13

PCI-DSS 2.0 Standards

Goal: Build and Maintain a Secure Network
1) Install and maintain a firewall configuration to protect cardholder data.
2) Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal: Protect Cardholder Data
3) Protect stored cardholder data.
4) Encrypt transmission of cardholder data across open, public networks.

Goal: Maintain a Vulnerability Management Program
5) Use and regularly update anti-virus software or programs.
6) Develop and maintain secure systems and applications.

Goal: Implement Strong Access Control Measures
7) Restrict access to cardholder data by business need to know.
8) Assign a unique ID to each person with computer access.
9) Restrict physical access to cardholder data.

Goal: Regularly Monitor and Test Networks
10) Track and monitor all access to network resources and cardholder data.
11) Regularly test security systems and processes.

Goal: Maintain an Information Security Policy
12) Maintain a policy that addresses information security for all personnel.

Page 14

Requirement 1: Install & Maintain Firewalls

Description: Install and maintain a firewall configuration to protect cardholder data.

Goal: Build and maintain a secure network.

Requirements:
1.1 Establish firewall and router configuration standards.
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the CDE.
1.3 Prohibit direct public access between the Internet and any system component in the CDE.

Page 15

CradlePoint Recommendation: Segment the Network into Security Zones

Build and Maintain a Secure Network, R-1) Install & maintain a firewall configuration to protect cardholder data.

Page 16

CradlePoint Recommendation: Configure the Firewall

§  Stateful Packet Inspection – SPI is a firewall that monitors outgoing and incoming traffic to make sure that only valid responses to outgoing requests are allowed to pass through the router.
– Proper configuration hides your LAN from unauthorized external attackers, so that the router does not respond to unsolicited incoming requests on any port.

§  Port Forwarding Rules – A port forwarding rule provides a controlled method of opening the firewall to address the needs of specific types of applications.
– Allows external traffic to reach a computer or device on the inside of the network.
– Caveat: a forward from the WAN into the CDE is exactly the direct public access that Requirement 1.3 prohibits. Forward only to hosts outside the CDE segment, and pair every forward with an incoming IP filter rule that limits the permitted source addresses.

§  Anti-Spoof – "Spoofed addresses" are faked source addresses used by a malicious user either to hide themselves or to impersonate someone else.
– Used to launch a network attack without revealing the true source of the attack. – Used to gain access to network services that are restricted to certain addresses. – Anti-Spoof dynamically checks packets to identify probable spoofing attempts.

Build and Maintain a Secure Network, R-1) Install & maintain a firewall configuration to protect cardholder data.

Page 17

CradlePoint Recommendation: Configure the Firewall (continued)

§  Packet Normalization – Normalizing packets helps secure the router in untrusted environments. – It does so by "scrubbing" packets that are ambiguous or might represent a break-in attempt.

§  Static NAT Ports – If enabled, the source port of TCP and UDP packets is left unchanged (not translated) during NAT.
– Some NAT traversal protocols such as STUN(T) require that the source port stay the same when traversing the firewall.

§  DMZ Host – A De-Militarized Zone (DMZ) host is purposely not firewalled. – Enables any computer on the internet to remotely access network services at that DMZ IP address.
– Give the DMZ device a fixed IP address so that the host exposed by the DMZ rule stays the same.
– Caveat: a DMZ host receives unsolicited Internet traffic on every port, which is the direct public access Requirement 1.3 prohibits for any CDE component. Never designate a POS terminal, payment server or other CDE system as the DMZ host; on a store router that carries cardholder data, leave the feature disabled.

Build and Maintain a Secure Network, R-1) Install & maintain a firewall configuration to protect cardholder data.

Page 18

CradlePoint Recommendation: Lock Down the Router Entry Points

§  Disable UPnP – UPnP (Universal Plug and Play) is a set of networking protocols standardized by the UPnP Forum
– Enables clients to discover the network configuration and reconfigure the router to allow traffic through the firewall without direct user interaction.
– UPnP can simplify the use of consumer devices and other applications that require network configuration,
– but it also lets any unprivileged device on the LAN open inbound ports, silently undoing the firewall policy. Disable it on any router that fronts a CDE segment.

§  Disable WAN Pings – When disabled, the router does not respond to ping requests from external WAN clients.
– Ping sweeps are a common first step attackers use to find live hosts before probing them for vulnerabilities.

§  Use MAC Filtering – The MAC Filter allows you to create a list of devices that have either exclusive access (white list) or no access (black list) to your wireless LAN.
– Caveat: MAC addresses are visible in every wireless frame and trivially changed on a client, so MAC filtering raises the bar only slightly; it is not a substitute for strong wireless encryption and authentication (Requirement 4.1.1).

Build and Maintain a Secure Network, R-1) Install & maintain a firewall configuration to protect cardholder data.

Page 19

CradlePoint Recommendation: Lock Down the Router Entry Points (continued)

§  Use IP Filter Rules – "Incoming" IP filter rules restrict remote access to computers on your local network.
– "Outgoing" IP filter rules prevent computers on your local network from initiating communication to the address range specified in the rule.
– This feature is especially useful when combined with port forwarding and/or DMZ to restrict remote access to a specified host or network range.
– With an incoming IP filter rule, you can restrict access to your LAN to only the specific remote computers or devices authorized to reach it.

§  Disable Remote Administration – This prevents external users from accessing the router administration web UI through the WAN.
– CradlePoint recommends using WiPipe Central to manage the routers, since it uses a device-initiated protocol: the router connects out to the management platform, so no management port has to be exposed on the WAN.
– If you decide that you do want to enable remote admin access, be sure to configure it to require HTTPS on a non-standard port, and restrict the permitted source addresses with an incoming IP filter rule. The non-standard port only reduces noise from scanners and is not a security control on its own; the encryption is what Requirement 2.3 demands for non-console administrative access.

Build and Maintain a Secure Network, R-1) Install & maintain a firewall configuration to protect cardholder data.
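The Configure the Firewall and Lock Down the Router Entry Points slides above describe a policy in words. The Python model below, added here as an illustration and not CradlePoint's code, puts that policy into executable form for a store router with three constructed segments (CDE, guest Wi-Fi, management) and a stand-in payment gateway address: a first-match rule table ending in deny-all (Requirements 1.2 and 7.2), replies-only acceptance from the WAN (stateful inspection, 1.3), and an anti-spoof check that rejects internal source addresses arriving on the wrong side. The addresses, zone names, ports and the rule set are assumptions made for the example.

```python
"""Zone-based firewall model for a store router: default deny, stateful replies only,
anti-spoof, and a CDE segment that may only talk to the payment gateway.
Addresses, zone names, ports and rules are constructed for this example."""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed addressing; the deck names the zones but gives no addresses.
ZONES = {
    "cde":   ipaddress.ip_network("10.10.1.0/24"),  # POS terminals and PIN pads
    "guest": ipaddress.ip_network("10.10.2.0/24"),  # customer Wi-Fi
    "mgmt":  ipaddress.ip_network("10.10.3.0/24"),  # back-office admin workstation
}
GATEWAY = ipaddress.ip_network("203.0.113.0/24")   # stand-in for the payment processor (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    ingress: str    # zone the packet arrived on, or "wan" for the Internet side
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    ingress: str    # zone name or "*"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: str = "*"
    dport: int = 0  # 0 = any port

    def matches(self, p: Packet) -> bool:
        return (self.ingress in ("*", p.ingress)
                and ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in ("*", p.proto)
                and self.dport in (0, p.dport))


# First match wins, so the guest->CDE deny must sit above the broad guest allow rules.
POLICY = [
    Rule("deny",  "guest", ZONES["guest"], ZONES["cde"]),            # segment guest Wi-Fi from the CDE
    Rule("allow", "cde",   ZONES["cde"],   GATEWAY, "tcp", 443),     # POS -> processor over TLS only
    Rule("allow", "guest", ZONES["guest"], ANY,     "tcp", 443),
    Rule("allow", "guest", ZONES["guest"], ANY,     "tcp", 80),
    Rule("allow", "guest", ZONES["guest"], ANY,     "udp", 53),
    Rule("allow", "mgmt",  ZONES["mgmt"],  ZONES["cde"], "tcp", 22), # encrypted admin access (2.3)
    Rule("deny",  "*"),                                              # default deny (1.2, 7.2)
]

# Connections initiated from inside; replies from the WAN are accepted only for these.
STATE: set = set()


def is_spoofed(p: Packet) -> bool:
    """Anti-spoof: an internal source address may only appear on its own zone, never on the WAN."""
    src = ipaddress.ip_address(p.src)
    if p.ingress == "wan":
        return any(src in net for net in ZONES.values())
    return src not in ZONES[p.ingress]


def filter_packet(p: Packet) -> str:
    """Return the verdict with a reason, e.g. 'allow:rule' or 'deny:unsolicited'."""
    if is_spoofed(p):
        return "deny:spoof"
    if p.ingress == "wan":
        # SPI: only a reply to a connection the inside opened gets through.
        if (p.dst, p.dport, p.src, p.sport, p.proto) in STATE:
            return "allow:reply"
        return "deny:unsolicited"
    for rule in POLICY:
        if rule.matches(p):
            if rule.action == "allow":
                STATE.add((p.src, p.sport, p.dst, p.dport, p.proto))
            return f"{rule.action}:rule"
    return "deny:default"   # unreachable while POLICY ends in deny-all


def demo() -> dict:
    """Walk constructed packets through the model, in order (the reply depends on the request)."""
    return {
        "pos_to_gateway": filter_packet(Packet("cde", "10.10.1.20", "203.0.113.10", "tcp", 51000, 443)),
        "gateway_reply":  filter_packet(Packet("wan", "203.0.113.10", "10.10.1.20", "tcp", 443, 51000)),
        "wan_to_pos":     filter_packet(Packet("wan", "198.51.100.7", "10.10.1.20", "tcp", 40000, 443)),
        "guest_to_pos":   filter_packet(Packet("guest", "10.10.2.50", "10.10.1.20", "tcp", 40001, 443)),
        "pos_to_web":     filter_packet(Packet("cde", "10.10.1.20", "198.51.100.7", "tcp", 40002, 80)),
        "wan_spoof":      filter_packet(Packet("wan", "10.10.1.99", "10.10.1.20", "tcp", 40003, 443)),
        "guest_spoof":    filter_packet(Packet("guest", "10.10.1.99", "203.0.113.10", "tcp", 40004, 443)),
        "mgmt_ssh":       filter_packet(Packet("mgmt", "10.10.3.5", "10.10.1.20", "tcp", 40005, 22)),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

The one non-obvious line is the first rule. The guest segment is allowed out to any address on port 443, and "any address" includes the CDE subnet, so without an explicit deny placed above that allow a guest laptop could reach a POS terminal's HTTPS port. That ordering mistake is the segmentation failure an assessor checks for first.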

Page 20

Requirement 2: Don't Use Vendor-Supplied Defaults

Description: Do not use vendor-supplied defaults for system passwords and other security parameters.

Goal: Build and maintain a secure network.

Requirements:
2.1 Always change vendor-supplied defaults before installing a system on the network, including but not limited to passwords, simple network management protocol (SNMP) community strings, and elimination of unnecessary accounts.
2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data.

Page 21

CradlePoint Recommendation: Change the Default Passwords

§  CP's Enhanced Password Protection – For out-of-box security, CradlePoint products do not ship with a generic default password.
– Each router has a unique password that uses a portion of the router's MAC address.
– Caveat: the MAC address is typically printed on the device label and is observable on the wireless interface, so a password derived from it should be treated as known to anyone near the device, not as a secret.

§  PCI-DSS Still Requires a Password Change – PCI-DSS Requirement 2.1 requires that the merchant change the default password on the router.
– Even though the CradlePoint passwords are unique to each individual router, CradlePoint recommends that the customer select a new unique password for each device that is only known to system administrators with a need-to-know.

§  WiPipe Central – Enables password management from a centralized location, eliminating the need to log into each router to change the password.

Build and Maintain a Secure Network, R-2) Do not use vendor-supplied defaults for system passwords.

Page 22

Requirement 3: Protect Stored Cardholder Data

Description: Protect stored cardholder data.

Goal: Protect cardholder data.

Requirements:
3.1 Keep cardholder data storage to a minimum by implementing data retention and disposal policies, procedures and processes.
3.2 Do not store sensitive authentication data after authorization (even if encrypted).
3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed).
3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs).
3.5 Protect any keys used to secure cardholder data against disclosure and misuse.
3.6 Fully document and implement all key-management processes and procedures for cryptographic keys used for encryption of cardholder data.

Page 23

CradlePoint Recommendation: Minimize Resources within the CDE Network Segment

§  Network Segmentation – Partition network resources into individual "Network Segments". – Resources on one network segment are securely partitioned from other segments – Enables a single router & WAN to be used for multiple purposes
– The fewer systems that share the CDE segment, the fewer fall into PCI scope; keep guest Wi-Fi, back-office PCs and non-payment devices on their own segments.

§  Resource Assignment – Each network segment can be assigned individual network resources, including:
§ Ethernet ports § WiFi SSIDs § VLANs
– Each Network Segment can be configured with its own § IP Address configuration (static, dynamic, range) § Routing Mode (NAT, non-NAT, Public Hotspot/Captive Portal) § Access Control (Admin Access, LAN Isolation, etc.) § Interfaces (choose from WiFi SSIDs, Ethernet Groups and VLANs)

Protect Cardholder Data, R-3) Protect stored cardholder data.

Page 24

Requirement 4: Encrypt Transmission of Cardholder Data

Description: Encrypt transmission of cardholder data across open, public networks.

Goal: Protect cardholder data.

Requirements:
4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.
4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).

Note: The use of WEP as a security control was prohibited as of 30 June 2010. The standard lists wireless technologies and cellular (GSM/GPRS) networks among its examples of open, public networks, so a 3G/4G WAN link needs the same protection as an Internet link.

Protect Cardholder Data, R-4) Encrypt cardholder data across open, public networks.

Page 25

CradlePoint Recommendation: Create Secure WAN Connectivity

§  Virtual Private Network (VPN) – VPN tunnels are used to establish a secure connection to a remote network over a public network.
– For example, VPN tunnels can be used across the internet by an individual store location to connect to the corporate data center, or by two individual store locations to function as if connected to one network.
– The two networks set up a secure connection across the (normally) unsecured internet by agreeing on VPN encryption protocols.

§  Generic Routing Encapsulation (GRE) – GRE tunnels can be used to create a connection between two private networks. – CradlePoint routers support both GRE and VPN tunnels. – GRE tunnels are simpler to configure and more flexible for different kinds of packet exchanges, but GRE provides neither encryption nor authentication: a bare GRE tunnel does not satisfy Requirement 4.1 for cardholder data. Use IPsec directly, or carry the GRE tunnel inside an IPsec tunnel.

Protect Cardholder Data, R-4) Encrypt cardholder data across open, public networks.

Page 26

CradlePoint Recommendation: Create Secure WAN Connectivity (continued)

§  Internet Protocol security (IPsec) – CradlePoint routers use IPsec (Internet Protocol security) to authenticate and encrypt packets exchanged across the tunnel.
– To set up a VPN tunnel with a CradlePoint router on one end, there must be another device (usually a router) that also supports IPsec on the other end.

§  Internet Key Exchange (IKE) – IKE is the protocol IPsec uses to authenticate the two peers and negotiate the keys and algorithms that protect the tunnel. – IKE has two phases: Phase 1 establishes the authenticated IKE security association between the peers, and Phase 2 negotiates the IPsec security associations that carry the traffic.
– CradlePoint routers have several different security protocol options for each phase, but the default selections will be sufficient for most users. Whatever is selected, confirm that it meets the standard's definition of strong cryptography (for example AES encryption with SHA-based integrity; single DES and MD5 do not qualify) and record the choice in the configuration standard that Requirement 1.1 calls for.

Protect Cardholder Data, R-4) Encrypt cardholder data across open, public networks.

Page 27

Requirement 5: Use Anti-Virus Software

Description: Use and regularly update anti-virus software or programs.

Goal: Maintain a vulnerability management program.

Requirements:
5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).
5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs.

Page 28

Requirement 6: Develop & Maintain Secure Systems & Apps

Description: Develop and maintain secure systems and applications.

Goal: Maintain a vulnerability management program.

Requirements:
6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed. Install critical security patches within one month of release.
6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.
6.3 Develop software applications in accordance with PCI DSS and based on industry best practices.
6.4 Follow change control processes & procedures for all changes to system components.
6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development.
6.6 For public-facing web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks.

Page 29

CradlePoint Recommendation: Keep Device Firmware Updated with WiPipe Central

§  Rationale – Attackers use security vulnerabilities to gain privileged access to systems. – The PCI-DSS 2.0 document recognizes that providers of system components (including network devices) regularly test for new vulnerabilities.
– Component providers regularly issue software upgrades to address these issues.

§  PCI Requirement 6.1 – Mandates that all critical systems must have the most recently released, appropriate software patches to protect against exploitation and compromise of cardholder data by malicious individuals and malicious software.
– Requires that critical software patches be installed within 1 month of release.

§  WiPipe Central – Firmware Management – WiPipe Central enables each device group to have a firmware version selected to be used on all devices in the group.
– Network administrators choose the firmware version for a given group by selecting it from the list.
– The facility allows the firmware version to be downgraded as well as upgraded. – If any device is moved to a different firmware version, either accidentally or without authorization, WiPipe Central automatically returns it to the version selected for the group.

Maintain a Vulnerability Management Program, R-6) Develop and maintain secure systems and applications.

Page 30

CradlePoint Recommendation: Lock Down the Configuration with WiPipe Central

§  Centralized Configuration Management – Enables group management of deployed routers – Group configuration ensures that routers are consistently configured – Enables central control of device configuration

§  Prevent Unauthorized Changes – If individual router configurations are accidentally or maliciously changed, WiPipe Central detects and reverses the change
– Enables administrators to ensure that router configurations are "locked down".

§  Require Changes to be Made through WiPipe Central – Creates an audit log of who changed what and when, which is the evidence an assessor asks for under Requirement 6.4 (change control) and Requirement 10 (tracking access to network resources).

Maintain a Vulnerability Management Program, R-6) Develop and maintain secure systems and applications.
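The two WiPipe Central slides above describe the checks a management platform performs: a firmware version pinned per group, critical patches applied within one month (Requirement 6.1), and configurations that match the group baseline. The Python below, an added example rather than CradlePoint's software, runs those three checks over a constructed fleet inventory and reports findings. The version numbers, release dates, device names and baseline settings are invented for the example.

```python
"""Audit store routers against a per-group baseline: pinned firmware, critical patches within
30 days (Requirement 6.1), and configuration locked to the baseline (Requirements 1.1, 2.2).
Device records, version numbers, release dates and settings are constructed for this example."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import hashlib
import json

PATCH_WINDOW = timedelta(days=30)

# Constructed: firmware builds that fix critical vulnerabilities, with their release dates.
CRITICAL_RELEASES = {"4.1.2": date(2012, 6, 15)}

# Constructed per-group baseline: the firmware every member should run and the locked configuration.
BASELINE = {
    "retail-stores": {
        "firmware": "4.1.2",
        "config": {"remote_admin": False, "upnp": False, "wan_ping": False, "wifi_security": "WPA2"},
    }
}


@dataclass
class Device:
    name: str
    group: str
    firmware: str
    config: dict = field(default_factory=dict)


def fingerprint(cfg: dict) -> str:
    """Canonical JSON, then SHA-256, so two configs compare equal regardless of key order."""
    return hashlib.sha256(json.dumps(cfg, sort_keys=True).encode()).hexdigest()


def version_key(v: str):
    """'4.1.2' -> (4, 1, 2) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in v.split("."))


def audit(devices, today: str):
    """Return (device name, finding code, detail) tuples; today is an ISO date string."""
    now = date.fromisoformat(today)
    findings = []
    for d in devices:
        base = BASELINE[d.group]
        if d.firmware != base["firmware"]:
            findings.append((d.name, "firmware-drift",
                             f"runs {d.firmware}, group pinned to {base['firmware']}"))
        for ver, released in CRITICAL_RELEASES.items():
            age = now - released
            if version_key(d.firmware) < version_key(ver) and age > PATCH_WINDOW:
                findings.append((d.name, "patch-overdue",
                                 f"critical {ver} released {released}, {age.days} days ago"))
        if fingerprint(d.config) != fingerprint(base["config"]):
            keys = set(d.config) | set(base["config"])
            changed = sorted(k for k in keys if d.config.get(k) != base["config"].get(k))
            findings.append((d.name, "config-drift", "changed keys: " + ", ".join(changed)))
    return findings


# Constructed inventory: one compliant device, one on old firmware, one with remote admin re-enabled.
FLEET = [
    Device("store-001", "retail-stores", "4.1.2", dict(BASELINE["retail-stores"]["config"])),
    Device("store-002", "retail-stores", "4.0.9", dict(BASELINE["retail-stores"]["config"])),
    Device("store-003", "retail-stores", "4.1.2", {**BASELINE["retail-stores"]["config"], "remote_admin": True}),
]

if __name__ == "__main__":
    for name, code, detail in audit(FLEET, "2012-07-31"):
        print(f"{name} {code}: {detail}")
```

Run on the webinar date, store-002 is flagged twice (it is off the pinned version and the critical build is 46 days old) and store-003 once for the configuration change; run a month earlier, the same old firmware is only drift, not yet a 6.1 violation. The finding list is what a platform would hand to the reversal step, and what you would keep as evidence for the ongoing-monitoring obligation described on page 8.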

Page 31

Requirement 7: Restrict Access to Cardholder Data

Description: Restrict access to cardholder data by business need to know.

Goal: Implement strong access control measures.

Requirements:
7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
7.2 Establish an access control system for system components with multiple users that restricts access based on a user's need to know, and is set to "deny all" unless specifically allowed.

 

Page 32

Requirement 8: Assign Unique IDs to Each Person with Access

Description: Assign a unique ID to each person with computer access.

Goal: Implement strong access control measures.

Requirements:
8.1 Assign all users a unique ID before allowing them to access system components or cardholder data.
8.2 In addition to assigning a unique ID, employ methods to authenticate all users: password or passphrase, token device or smart card, biometric.
8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties.
8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography.
8.5 Ensure proper user identification and authentication management for non-consumer users and administrators on all system components.

Note for the routers discussed here: a single administrator login shared by several people does not meet 8.1. Give each administrator an individual account on the management platform and make changes there, so that every change is attributable to one person.

   

 

Page 33: 11 Strategies to Deploy PCI Compliant Networks


Requirement 9: Restrict Physical Access to Cardholder Data


Description: Restrict physical access to cardholder data.

Goal: Implement strong access control measures.

Requirements:
– 9.1 Use appropriate facility entry controls to limit and monitor physical access to systems in the cardholder data environment.
– 9.2 Develop procedures to easily distinguish between onsite personnel and visitors, especially in areas where cardholder data is accessible.
– 9.3 Make sure all visitors are authorized, given a badge, and the badge collected on exit.
– 9.4 Use a visitor log to maintain a physical audit trail of visitor activity.
– 9.5 Store media back-ups in a secure location, preferably an off-site facility, such as an alternate or back-up site, or a commercial storage facility. Review the location’s security.
– 9.6 Physically secure all media.
– 9.7 Maintain strict control over the internal or external distribution of any kind of media.
– 9.8 Ensure management approves any and all media that is moved from a secured area.
– 9.9 Maintain strict control over the storage and accessibility of media.
– 9.10 Destroy media when it is no longer needed for business or legal reasons.

Page 34: 11 Strategies to Deploy PCI Compliant Networks


Requirement 10: Regularly Monitor and Test Networks


Description: Regularly monitor and test networks.

Goal: Track and monitor all access to network resources and cardholder data.

Requirements:
– 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user.
– 10.2 Implement automated audit trails for all system components to reconstruct the various important events named in the Requirements.
– 10.3 Record audit trail entries for all system components for each event as defined.
– 10.4 Using time-synch technology, synchronize all critical system clocks & times and ensure that the following is implemented for acquiring, distributing, & storing time.
– 10.5 Secure audit trails so they cannot be altered.
– 10.6 Review logs for all system components at least daily. Log reviews must include those servers that perform security functions like intrusion-detection system (IDS) and authentication, authorization, and accounting protocol (AAA) servers.
– 10.7 Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis (i.e., online, archived, or restorable from back-up).

Page 35: 11 Strategies to Deploy PCI Compliant Networks


CradlePoint Recommendation: Utilize an External SysLog Server

§ System Logs as an Audit Trail
– The router automatically logs (records) events of possible interest in its internal memory.
– The log options allow you to filter the router logs based on categories, allowing customization of the types and level of events to record and the level of events to view.
– System logs can be used to identify:
  § Unauthorized login attempts
  § Unauthorized configuration changes
  § Penetration attempts
  § Security attacks

§ Persistence Preserves the Audit Trail
– Utilize WiPipe Central to centrally synchronize and store the system logs.
– Alternatively, the router can be configured to communicate with an external Syslog server.

Regularly Monitor and Test Networks (R-10): Track & monitor all access to network resources & cardholder data.

Page 36: 11 Strategies to Deploy PCI Compliant Networks


CradlePoint Recommendation: Utilize an External Time Server

§ Time Synchronization
– Configure routers to communicate with an external Time server
– Makes it more difficult to change system logs or hide attacks
– Network Time Protocol (NTP) enables the router to synchronize its system time with a remote server on the internet.
– NTP is an important part of using System Logs to accurately monitor PCI Compliance.

§ NTP Server Options
– pool.ntp.org
– time.nist.gov
– time-windows.com

Regularly Monitor and Test Networks (R-10): Track & monitor all access to network resources & cardholder data.
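Added example, not CradlePoint's code or log output: a short Python review of router syslog lines that covers both the syslog slide (repeated failed logins, configuration changes) and the time-synchronization point above (a timestamp that runs backwards, which a router kept in sync by NTP should not produce). The log layout, host name and threshold are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a generic syslog-style layout (not real CradlePoint output).
SAMPLE_LOG = """\
2012-07-31T10:00:01Z rtr-store42 auth: login failed user=admin src=203.0.113.9
2012-07-31T10:00:03Z rtr-store42 auth: login failed user=admin src=203.0.113.9
2012-07-31T10:00:05Z rtr-store42 auth: login failed user=admin src=203.0.113.9
2012-07-31T10:00:07Z rtr-store42 auth: login failed user=admin src=203.0.113.9
2012-07-31T10:00:09Z rtr-store42 auth: login failed user=admin src=203.0.113.9
2012-07-31T10:02:00Z rtr-store42 auth: login ok user=admin src=203.0.113.9
2012-07-31T10:02:30Z rtr-store42 config: changed section=firewall user=admin
2012-07-31T09:55:00Z rtr-store42 config: changed section=wifi user=admin
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$")
FAIL_THRESHOLD = 5          # assumed: failed logins from one source within WINDOW
WINDOW = timedelta(minutes=5)

def parse(text):
    """Yield (timestamp, host, facility, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["host"], m["facility"], m["msg"])

def find_findings(text):
    """Return a sorted list of (host, finding) tuples for an analyst to review."""
    findings = set()
    failures = {}          # (host, src) -> timestamps of recent failed logins
    last_ts = {}           # host -> latest timestamp seen so far
    for ts, host, fac, msg in parse(text):
        # A timestamp earlier than the previous entry points to an unsynchronized
        # clock or a tampered log; NTP (Requirement 10.4) keeps clocks consistent.
        if host in last_ts and ts < last_ts[host]:
            findings.add((host, "out-of-order timestamp"))
        last_ts[host] = max(ts, last_ts.get(host, ts))
        if fac == "auth" and "login failed" in msg:
            src = sm.group(1) if (sm := re.search(r"src=(\S+)", msg)) else "unknown"
            hits = failures.setdefault((host, src), [])
            hits.append(ts)
            hits[:] = [t for t in hits if ts - t <= WINDOW]   # keep only the window
            if len(hits) >= FAIL_THRESHOLD:
                findings.add((host, f"repeated failed logins from {src}"))
        elif fac == "config" and "changed" in msg:
            # Every configuration change should be reconciled against the change
            # record kept in WiPipe Central (Requirements 10.2 and 10.3).
            findings.add((host, f"configuration change: {msg}"))
    return sorted(findings)
```

Running `find_findings(SAMPLE_LOG)` on the constructed lines yields four findings: two configuration changes, one out-of-order timestamp, and one repeated-failed-login alert.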

Page 37: 11 Strategies to Deploy PCI Compliant Networks


Requirement 11: Test Security Systems and Processes


Description: Regularly test security systems and processes.

Goal: Track and monitor all access to network resources and cardholder data.

Requirements:
– 11.1 Test for the presence of wireless access points and detect unauthorized wireless access points on a quarterly basis.
– 11.2 Run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
– 11.3 Perform external and internal penetration testing at least once a year and after any significant infrastructure or application upgrade or modification.
– 11.4 Use intrusion-detection systems and/or intrusion-prevention systems to monitor all traffic at the perimeter of the CDE as well as at critical points inside the CDE, and alert personnel to suspected compromises.
– 11.5 Deploy file-integrity monitoring tools to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.

Page 38: 11 Strategies to Deploy PCI Compliant Networks


Requirement 12: Information Security Policy for Personnel


Description: Maintain a policy that addresses information security for all personnel.

Goal: Maintain an information security policy.

Requirements:
– 12.1 Establish, publish, maintain, and disseminate a security policy.
– 12.2 Develop daily operational security procedures.
– 12.3 Develop usage policies for critical technologies (for example, remote access, wireless) and define proper use of these technologies.
– 12.4 Ensure that the security policy and procedures clearly define information security responsibilities for all personnel.
– 12.5 Assign to an individual or team defined information security management responsibilities:
– 12.6 Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
– 12.7 Screen potential personnel prior to hire to minimize the risk of attacks from internal sources.
– 12.8 If cardholder data is shared with service providers, maintain and implement policies and procedures to manage service providers.
– 12.9 Implement an incident response plan. Be prepared to respond immediately to a system breach.

Page 39: 11 Strategies to Deploy PCI Compliant Networks


Summary of Recommendations

§ Step 1: Segment the network into individual “security zones”
§ Step 2: Configure the firewall
§ Step 3: Lock down the router entry points
§ Step 4: Change the default passwords
§ Step 5: Minimize resources within the CDE network segment
§ Step 6: Create secure WAN connectivity
§ Step 7: Keep devices updated with the latest firmware using WPC
§ Step 8: Lock down the configuration with WiPipe Central
§ Step 9: Configure communication with an external SysLog server
§ Step 10: Configure communication with an external Time server
§ Step 11: Monitor PCI Compliance with WiPipe Central

Page 40: 11 Strategies to Deploy PCI Compliant Networks


Achieving PCI Compliance

§ CradlePoint Enablers for PCI Compliance
– CradlePoint routers provide several features to enable compliance with the PCI-DSS 2.0 requirements
– PCI Compliance requires routers to be properly configured, monitored & maintained.
– WiPipe Central’s PCI Compliance Monitoring application enables customers to demonstrate compliance in real-time, not just for the quarterly or annual audits.

§ CradlePoint Can Help
– The “CradlePoint Enablers for a PCI Compliant System” application note provides details regarding CradlePoint features and capabilities that have been used by other customers to help achieve PCI Compliance for their end-to-end systems.
– CradlePoint professional services can guide customers through the installation, configuration and monitoring process

§ Proven Success
– CradlePoint devices are utilized in several large-scale, PCI-compliant deployments.

Page 41: 11 Strategies to Deploy PCI Compliant Networks


Questions?

[email protected]
www.CradlePoint.com
www.cradlepoint.com/WiPipe
www.cradlepoint.com/4g-3g-network-solutions/case-studies

Ken Hosac, VP Business Development
Rudy Cedillo, Sr. Enterprise Support Engineer

Page 42: 11 Strategies to Deploy PCI Compliant Networks


Key Solution Features for PCI Compliance

§ PCI Compliance Monitoring application for WiPipe Central, to manage configuration, firmware updates and monitor usage.
§ Network Segmentation (Ethernet, SSID and VLAN)
§ Ethernet ports (4) that can be individually assigned to specific segments
§ WiFi SSIDs (4) that can be individually secured and assigned to specific segments
§ Virtual LAN support and tagging (VLAN)
§ Stateful Packet Inspection (SPI)
§ Network Address Translation (NAT)
§ Application Level Gateways (ALG)
§ Inbound filtering of IP addresses
§ De-Militarized Zone (DMZ)
§ Virtual Server
§ Ability to disable WAN services (ping, WNMP, web-based mgmt, etc.)
§ MAC filtering
§ Session filtering (non-UDP/TCP/ICMP)
§ Layer 2 Tunneling Protocol (L2TP)
§ VPN Client with support for up to 20 tunnels (product-specific)
§ IPSec
§ GRE
§ WiFi security (WPA/WPA2 Personal/Enterprise, AES/TKIP)
§ RADIUS user authentication on WiFi
§ SysLog support
§ Alerting