PCI DSS Compliance and the Digi TransPort Router

Transcription

1 PCI DSS Compliance and the Digi TransPort Router White Paper Abstract This paper explains how Digi TransPort routers can be part of a PCI DSS compliant system. They comply with the PCI DSS version 1.2 requirements via these major features: Stateful inspection firewall Network segmentation via VLAN or Ethernet Port Isolation MAC filtering to prevent unwanted client PCs on the network Encryption and authentication via IPsec, IKE, SSL, SSH and X.509 certificates Configurable user levels and remote authentication Full event logging, which can be stored via Syslog, including event alarm support

2 Introduction Anyone who deals with credit/debit card transactions, from retail/pos merchants, to banks, to kiosks, should already be aware of the Payment Card Industry Data Security Standards (PCI DSS) requirements. PCI DSS version 1.2, which began Stage 1 on October 1, 2008, helps define and clarify these requirements. This paper will take each of the applicable requirements and explain why the Digi TransPort router can be a key component in a PCI compliant system. Some important notes: These requirements are subject to interpretation. A Qualified Security Assessor (QSA), Approved Scanning Vendor (ASV) or auditor may interpret the rules differently, find vulnerabilities or make recommendations that may exceed or appear different from the PCI DSS requirements. In almost all cases, the Digi TransPort can be configured to meet these different interpretations. There are no specific PCI device certifications other than for PIN Entry Devices (PEDs). No other devices, including network devices like the Digi TransPort, require PCI certification; however, they must be secured and managed in such a way as to be part of a complete PCI compliant system. Security standards such as NIST and FIPS may be also recommended by a QSA or ASV; PCI does not require, for example, FIPS-140, ICSA or other certification for devices. Other Digi products, such as the Digi Connect WAN, may also be considered part of a PCI compliant network depending on how they are used. For example, if a private wireless WAN plan is used, then the stateful firewall and other security mechanisms are at the edge of the carrier s network, not at the remote location itself. Or, if the Digi Connect router is used in IP pass-through mode (i.e., bridge mode) where it is connected to another primary router, then the security falls mainly on that primary router. A guide to securing Digi Connect devices is available at Most importantly, it is up to the user to properly configure, monitor and maintain devices and systems in such a manner so as to make them part of a compliant system. Full PCI DSS requirements are available via the PCI official website: Following is a summary of the 12 requirements, which are addressed in detail below: Build and Maintain a Secure Network Requirement 1: Install and maintain a firewall configuration to protect cardholder data Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters Protect Cardholder Data Requirement 3: Protect stored cardholder data Requirement 4: Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Use and regularly update anti-virus software Requirement 6: Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Restrict access to cardholder data by business need-to-know Requirement 8: Assign a unique ID to each person with computer access Requirement 9: Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Track and monitor all access to network resources and cardholder data Requirement 11: Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security 2

3 3G/GSM PSTN ISDN 0 SERIAL SIM 1 SIM 2 White Paper Digi TransPort Overview Digi has been in the business of supplying communications devices to retail/point-of-sale (POS), kiosk, banking and ATM markets since It began with the well-known DigiBoard, which is still used today in many POS applications, and now includes our terminal servers, USB products, IP routers and many other Digi communications products. In 2008, Digi acquired Sarian Systems, a leader in the European enterprise router market. Sarian routers are now sold in the Americas under the Digi TransPort name. The Digi TransPort family of upgradeable cellular routers provides secure high-speed wireless and ADSL connectivity to remote sites and devices. These routers can be used for primary wireless and/or ADSL broadband network connectivity or backup to existing landline communications. Digi TransPort stands apart from the competition with its advanced routing, firewall and security features including stateful firewall inspection and integrated VPN. Enterprise-class protocols incorporate BGP, OSPF and VRRP+, a patented technology built upon the popular VRRP fail-over standard providing auto sensing, auto failover and auto recovery of any routing failures. Full details on the Digi TransPort router family are available at Requirement 1: Install and Maintain a Firewall Digi TransPort has a flexible, stateful inspection firewall that is unusually powerful for this class of device. Most devices in this product class have simple on/off options in their firewalls. Digi TransPort supports full scripting and can be tailored to suit most firewall implementation requirements. Dynamic filters are more secure because session information is constantly monitored to track and match requests and replies. In addition, the firewall will automatically verify that the correct flags are being used for each stage of the communication. There is more to Requirement 1 than simply providing a firewall. Network Address Translation is also called out in this requirement. Digi TransPort provides RFC 1918 NAT and NAPT on any interface to hide private IP addresses from the Internet and translate those addresses into the public address of a public WAN interface. NAT by its very nature blocks any unsolicited inbound traffic not destined for the router itself. Digi TransPort has a simple option to disallow any external remote management on an interface. Several Requirement 1 sub-sections speak about DMZ. Requirement states that a firewall is to be installed at each Internet connection and between any DMZ and the internal network zone. Digi TransPort provides several mechanisms to enable segregating DMZ traffic. PCI Compliant Remote Site Solution Digi TransPort s stateful firewall can block, pass and/or redirect* traffic as needed based on IP address and/or service port using firewall rules and/or NAT port forwarding. Static NAT mapping is also possible. (* Redirection can also be used for WAN failover where firewall rules are used to test the health of the primary WAN connection and then redirect that traffic via another interface.) The built-in 4-port Ethernet switch on Digi TransPort DR and SR models provides easy segmentation for up to four distinct and separate networks each with its own DHCP server if desired. This is called port isolation mode. One or more of these networks can be designated as a DMZ where Digi TransPort s routing and firewall can segregate the traffic as required. For example, one can easily put POS devices on a separate network from the back-office system as shown in the diagram. VLAN tagging is supported for network segmentation when only one IP subnet is used (e.g., the store has one IP network using /24 and Ethernet port isolation is not being used) or only one Ethernet port is available as in the Digi TransPort WR model. VLAN tagging prevents traffic from one VLAN being Credit Card Processor Credit Card Terminal Cellular or ADSL WAN Digi TransPort SR LAN SIGNAL D B1 B2 ON NET SIM DAT OH CD DAT 1 Back Office/ Manager Headquarters Digi TransPort POS Terminal Digi TransPort allows network segmentation for credit card traffic providing full PCI compliance. Credit card transactions Standard business traffic POS traffic (e.g., inventory updates) 3

4 visible on another VLAN. Requirement 1 also states to secure and synchronize router configuration files. Digi s Remote Manager application can be used to store and compare configuration files. Some third party applications can be also used to analyze and compare Digi TransPort s text based configuration files. The Event Log can be configured to send an alert if changes are made or when someone logs into the Digi TransPort to help further secure the Digi TransPort s configuration. Perimeter firewalls can be installed between wireless networks and the cardholder data environment, and configured to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment. Wi-Fi: Digi TransPort DR has a Wi-Fi access point option. This interface can be firewalled and segmented just like any Digi TransPort Ethernet or PPP interface. WPA/WPA2 security and MAC address filtering are also supported. Cellular: The cellular PPP instance appears as a WAN interface and can be segmented and firewalled as needed. Interfaces can also be set to not allow management connections. Below is a sample of a Digi TransPort firewall rule. The local network is on subnet Any packets received on PPP 0 (which could be either a DSL or cellular WAN connection) that are masquerading to be on the local network (i.e., from ) are to be blocked. The receipt of any such packets needs to be entered into the local firewall log and to a Syslog server. The filter rule would be constructed as follows: block in log syslog break end on ppp 0 from /16 to any The rule broken down is: block: Block the traffic in: The traffic is inbound log syslog: Log this to the Event Log and Syslog (can optionally set an alarm) break end: If the rule matches, stop processing and go to the end of the rule-set on ppp 0: The traffic is coming in on interface ppp 0 (i.e., a WAN interface) from /16: This is the masqueraded source address to any: The packet is destined for any address Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters Most of this requirement is directed at the user to properly secure the device by changing appropriate settings. The most obvious is changing the default username and password. Other parameters, such as encryption settings for Wi-Fi, also need to be changed from default. Digi TransPort routers provide complete control over these settings. WPA2 is supported for Wi-Fi (WEP is no longer allowed by PCI DSS as of March 31, 2009 for new installations). IP Services can either be disabled or access blocked via firewall rules. Multiple users can be configured on the device with various access levels and can optionally be authenticated via RADIUS or TACACS+. Requirement 3: Protect Stored Cardholder Data Digi TransPort devices do not store cardholder data with the possible exception of when the Analyser is used. The Analyser is a powerful layer one and two protocol diagnostic tool that allows frames to be analyzed via text or Wireshark capture files. This feature can be configured so that the Analyser trace stores only the first nn bytes of every transmission, thereby allowing some diagnostics (albeit limited) without storing sensitive cardholder data. The analyser can be disabled altogether and/or configured for only certain interfaces and protocol layers. Requirement 3 also speaks to cryptographic keys. Digi TransPort supports X.509 certificates including SCEP support. IKE key management for IPsec is also available via pre-shared keys or certificates. These mechanisms ensure proper authentication and secure transmission of card data. 4

5 Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks IPsec and SSL are provided on Digi TransPort to protect and authenticate data transmission. 3DES and AES encryption up to 256 bits and SHA-1 authentication hash algorithm are supported. As mentioned above, X.509 digital certificates and SCEP are supported for authentication. PCI DSS barely mentions cellular wireless WAN technology, which operates quite differently from Wi-Fi. Wireless WAN is worth noting here since requirement 4 speaks to protecting the traffic across a public network. Wireless WANs work much like DSL, cable modems or other wired broadband connections. Wireless WAN IP Addressing and Secure Connectivity Options Work with your carrier to obtain a plan that meets your security needs and your budget. A wireless WAN provider may offer plans that greatly enhance security. Following are three carrier-related options that can help with securing data traffic across the Wireless WAN: 1. Use a plan that blocks some or all traffic into the mobile (i.e., cellular) network. For example, some carriers have plans which allow only remote initiated traffic; firewalls inside the carrier network block any unsolicited inbound traffic. However, this type of plan cannot be used if your application requires you to reach out to the remote site to poll an ATM (some carriers call this mobile terminated data), for example, unless IPsec VPN is used from the mobile device. Other carrier plans may block only some traffic such as HTTP on port 80 or pings, or use restricted IP addresses where they use public IP addresses but access is restricted internally by the carrier. 2. Use a completely private plan. Here, the carrier supplies a direct connection into your network via private circuit, usually by Frame Relay, MPLS or IPsec VPN, which is known only to you. This means that devices not owned by you cannot attach to your private part of the cellular network. In many cases, private IP addresses can be assigned to the Digi TransPort s mobile interface and controlled by you, the customer, and the data never touches the Internet. 3. Use dynamic mobile IP addresses but do not use Dynamic DNS. This, however, will likely restrict your application to only outbound initiated connections. (A side benefit to 1 and 2 above is that these plans also block any unwanted billable traffic and can therefore save money. Any connection attempt that traverses the wireless carrier network to the mobile IP address can be viewed as billable traffic, even if the mobile device blocks the connection attempt.) Radio Frequency (RF) and Modem Security: How the Device is Identified and Authenticated Depending on the wireless technology used (GSM vs. CDMA) and the carrier, there are several ways the Digi cellular device is identified and authenticated on the cellular network. GSM devices use a Subscriber Identity Module (SIM), which is typically the first level of identification to the network. The modem s International Mobile Equipment Identity (IMEI), i.e., the modem serial number, can also be used to identify the device. Other information such as plan/apn name, username and password may also be required and are configured in the mobile settings on the Digi device. CDMA modems do not use a SIM (at least in most of the world). Instead, they are identified on the network by the modem s electronic serial number (ESN) and possibly additional information such as service programming code or master subsidy lock (SPC/MSL), username and password. Over the Air (OTA) Security The link between the embedded modem and the cellular base station (tower), and possibly farther into the wireless carrier network, is encrypted. Different carriers and technologies will use various types and levels of encryption, typically 128-bit or greater for 3G devices. Frequency and code hopping also make it virtually impossible to eavesdrop on a cellular connection even at 64-bit encryption. Check with your carrier for specifics on what security mechanisms they employ. Requirement 5: Use and Regularly Update Anti-Virus Software or Programs Digi TransPort is a network device, not a server or PC workstation. Digi TransPort uses Sar/OS, a purpose-built proprietary operating system (commonly called firmware ). Sar/OS is not a derivative of a general purpose operating system such as Linux 5

6 and is therefore not susceptible to viruses, Trojans, worms, etc. Requirement 6: Develop and Maintain Secure Systems and Applications Most of Requirement 6 is aimed at the user maintaining and testing applications and systems. As noted in Requirement 5 above, Digi TransPort routers use a proprietary, closed operating system and are free from vulnerabilities known to operating systems used by most systems and devices. However, that does not mean there will never be software updates or patches. Digi strives diligently to update our device operating firmware in accordance to customer needs. Firmware updates are available via Digi support sites and are provided free of charge. Digi s optional Remote Manager system has the ability to regularly scan the state of devices and report where there is a delta between what should be on the device and what is actually on the device. This will automatically bring attention to any attempt at configuration changes or hacking. For example, if an unauthorized user has managed to create a backdoor password, Remote Manager will identify this and send an alert. The Event Log can also be configured to alarm if any changes are made to the device. Requirement 7: Restrict Access to Cardholder Data By Business Need-to-Know A trained network engineer able to access a remote Digi TransPort device could, in theory, see cardholder data in transit between the application and the host using the Analyser. It is therefore important that access to the devices be restricted and any attempt to circumvent this is flagged. User authentication can be accomplished via TACACS+ or RADIUS. Only currently authorized logins are allowed to access the device and all access is logged in the Event Log which provides an extra layer of security. User access to cardholder data can also be controlled to a degree by MAC filtering, VPN and firewall policies. For example, a VPN policy could be defined to limit what client IP addresses have access to the remote network. MAC filtering can be used to prevent an unauthorized laptop from gaining access to the Digi router. The DHCP server(s) can also be disabled and/or configured in such a way as to make guessing the appropriate LAN IP address the only way to connect to the router. Digi TransPort routers support time bands which are used to determine periods of time during which routing is allowed or prevented. For example, a store router could be configured so routing is allowed only during working hours. At present, time bands may only be applied to PPP instances used with cellular and ADSL WAN connections. Requirement 8: Assign a Unique ID to Each Person with Computer Access As per requirement 7, TACACS+/RADIUS authentication prevents unauthorized access. In addition, the Digi TransPort can store multiple user logins each with an assigned authority level. In particular, only users with "Super" access level can create logins for other users. Read-only users can also be created. Requirement 9: Restrict Physical Access to Cardholder Data This requirement depends heavily on the user being sensible about placement of the devices. For example, it is not uncommon to see Digi routers placed behind store counters where casual staff and consumers could have physical access; this is clearly undesirable. The first thought is to lock the Digi router in the wiring closet or back office. This makes sense from a physical security perspective, but not always from an RF signal perspective when using a cellular data network. All Digi cellular devices enable remote antennas to be used so that the router can remain secure whilst still providing optimum signal quality. Keep a list of MAC and IP addresses, ESNs/IMEIs, SIM IDs and associated phone numbers so that devices can be disabled by the carrier in the event of theft. Antenna security is also important. When necessary, mount external antennas securely to prevent theft and weather damage. Non-obtrusive, low-profile antennas are available from various sources. 6

7 In cases where the Digi router is in a visible location, physical access to the router can be minimized. First, the console port(s) can be disabled to prevent unauthorized local access. Firewall and/or MAC filtering can be configured to make any unused Ethernet ports inaccessible except for allowed traffic. USB ports can be disabled (note there is no user login access to the TransPort via USB; USB ports are for devices such as GPS receivers and expanded memory). Companies such as Panduit manufacture RJ-45 hardware locks that cover open jacks and can only be removed with special tools. Additionally, each power up can be reported via Syslog to a central server so that the reason for the disconnection can be investigated. Requirement 10: Track and Monitor All Access to Network Resourcesand Cardholder Data The Digi TransPort event log tracks access and changes to the device. The event log can be saved to Syslog. The event log is fully configurable so that some events can be logged while others are omitted. For example, logging of user access and changes is needed but not ADSL or cellular events. Events can also be configured to raise alarms via the event handler. Alarms can be sent via , SNMP and (on certain models) SMS text messages. Time synchronization can be done via NTP or SNTP on the Digi TransPort and in some cases via the cellular network itself. Requirement 11: Regularly Test Security Systems and Processes Testing systems and processes is up to the user, auditor or an Approved Scanning Vendor (ASV) to perform. The Digi TransPort event and firewall logs and Analyser can help in tracking and diagnosing network traffic issues. Configuration file integrity can be verified by any number of tools. The Digi TransPort configuration files are flat text files that should be readable by any of the compliance tools available. Remote Manager can also be used to detect changes in configurations from the norm. If a Digi TransPort router is on the Internet (see above about using private data plans), it will likely be subjected to connection attempts on a daily basis by things such as automated hacker scripts just like any other Internet connected router. Many of these tools will attempt to take advantage of known security problems with operating systems, applications and even routers. They also attempt to connect using default usernames and passwords, etc. Detecting these attacks on the Digi TransPort itself can be done using several mechanisms, such as alarming via the Event and Firewall logs. However, the key is to prevent the attack by properly configuring the Digi TransPort s firewall rules and enabling the block remote access option on WAN interfaces. Requirement 12: Maintain a Policy that Addresses Information Security The user s responsibility is to create and maintain effective security policies. The Digi TransPort s simple text-based configuration files and event logs make it easy to view and confirm that they adhere to the policies. Remote Manager is also an effective tool to aid in assuring Digi TransPort configurations adhere to the security policies. Digi TransPort event alarms can be used to alert personnel of any problems or changes to configurations. Summary When properly configured, Digi TransPort routers meet the requirements of PCI DSS because they provide the stateful firewall, network segmentation via VLAN or Ethernet Port Isolation, network data encryption, authentication, and full event logging and alarming. More information can be obtained from at info@digi.com France KK (HK) Limited the leader in device networking for business, develops reliable products and technologies to connect and securely manage local or remote electronic devices over the network or via the web. With over 20 million ports shipped worldwide since 1985, Digi offers the highest levels of performance, flexibility and quality. info@digi.com 2009 Inc. Inc. Digi,, the Digi logo, the Making Wireless M2M Easy logo, Digi Connect and Digi TransPort are trademarks or registered trademarks of Inc. in the United States and other countries worldwide. All other trademarks are the property of their respective owners A2/709 7