Learn how the Juniper vGW Virtual Gateway can help organizations meet PCI Compliance for Virtualized Environments


WHITE PAPER
Meeting PCI Compliance for Virtualized Environments
Learn how the Juniper vGW Virtual Gateway can help organizations meet PCI Compliance for Virtualized Environments
Copyright 2011, Juniper Networks, Inc.

Table of Contents
  Executive Summary
  Introduction
    Overview of PCI DSS
    Table 1: PCI Data Security Standard (DSS) Requirements
    PCI DSS v2.0 and the Virtualization Special Interest Group (SIG)
  Achieving Compliance
    Working with QSAs
  How the Juniper Networks vGW Virtual Gateway Can Help Meet PCI DSS and Virtualization SIG Guidelines
    Table 2: PCI DSS and SIG Guidance Requirements Supported by Juniper vGW Virtual Gateway
  Conclusion
  About Juniper Networks

Executive Summary

This document highlights the PCI Data Security Standard (DSS) as it relates to virtualized environments, summarizes the PCI SIG Virtualization Guidelines requirements, and explains how the Juniper Networks vGW Virtual Gateway can help organizations with virtualized environments stay in compliance.

Introduction

Overview of PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards. Defined by the Payment Card Industry Security Standards Council (PCI SSC), the standard was created to increase controls around cardholder data and so reduce the credit card fraud that follows from exposure of that data. Validation of compliance is done annually, either by an external Qualified Security Assessor (QSA) for organizations that handle large volumes of transactions or by Self-Assessment Questionnaire (SAQ) for companies that handle smaller volumes.

PCI DSS originally began as five separate programs, namely the Visa Card Information Security Program (CISP), MasterCard Site Data Protection (SDP), American Express Data Security Operating Policy (DSOP), Discover Information Security and Compliance (DISC), and the JCB Data Security Program. All five companies had a common goal, which was to create an additional level of protection for card issuers by ensuring that merchants meet minimum levels of security when they store, process and transmit cardholder data. Ultimately, the PCI SSC was formed, and on December 15, 2004, those companies aligned their individual policies and collectively released the PCI DSS. Since then, the standard has been updated and revised a few times in an effort to provide further clarity and consistency among the standards and supporting documents, address evolving risks and threats, and improve flexibility.
The PCI SSC has established 12 requirements for any business that stores, processes, or transmits payment cardholder data. These requirements are summarized in Table 1 below.

Table 1: PCI Data Security Standard (DSS) Requirements (each validated by self-assessment or by outside assessment through a QSA)

Goal: Build and Maintain a Secure Network
  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
Goal: Protect Cardholder Data
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
Goal: Maintain a Vulnerability Management Program
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
Goal: Implement Strong Access Control Measures
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
Goal: Regularly Monitor and Test Networks
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
Goal: Maintain an Information Security Policy
  12. Maintain a policy that addresses information security for all personnel

More information is available at the below locations:

PCI DSS v2.0 and the Virtualization Special Interest Group (SIG)

The current version of the PCI DSS standard is version 2.0, which was released on October 26. This version of the standard was supposed to be adopted by all organizations with payment card data by January 1, 2011, and starting on January 1, 2012, QSAs have to assess organizations based on this version. One of the notable changes between the previous version, 1.2.1, and v2.0 is the inclusion of virtualization components in the Scope section and within requirement 2.2.1 of the standard. This suggests that, recognizing that more and more organizations have either adopted or are planning to adopt virtualization as part of their PCI environments, the PCI SSC thought it worthwhile to provide guidance for virtualized environments akin to what the standard already gives for physical environments.

In addition to including some guidance on virtualization in the PCI DSS standard itself, the PCI SSC formed a virtualization Special Interest Group (SIG) that examined some of the issues and challenges posed to PCI DSS compliance in virtualized environments. This group, which began meeting in the fall of 2008, brought together security vendors, practitioners, banks, merchants, auditors, and QSAs, all meeting on a regular basis in order to draft a recommendation for how the PCI DSS might be enhanced to include virtualization technology. The SIG included a number of industry-leading security practitioners and vendors, including Juniper Networks (via Altor Networks). The SIG's work has been leveraged by a PCI technical working group, which, among other efforts, developed a guidance document, Information Supplement: PCI DSS Virtualization Guidelines, released in June. This document provides much-needed guidance for both organizations and service providers on how to protect cardholder data within virtualized workloads.
Achieving Compliance

Just as organizations must protect physical environments holding cardholder data from being compromised, both from a security and a PCI compliance perspective, so too must they protect virtualized environments. While organizations need to use multiple solutions to meet PCI DSS as a whole, to protect cardholder data within a virtualized environment in particular they can take a few specific measures and utilize certain technology solutions tailored for such an environment. The latter is what we focus on in this paper.

Working with QSAs

As mentioned earlier, for large transaction volumes in the cardholder data environment, organizations work with a QSA to determine their PCI DSS compliance audit posture. The QSA is an employee of one of a number of security companies certified by the PCI Security Standards Council to validate an organization's adherence to the PCI DSS. The PCI SSC maintains an in-depth program for companies seeking to be certified, as well as to be re-certified, each year. Despite more and more organizations adopting virtualized workloads into their data center, most QSAs are just getting up to speed on the specific security challenges associated with such workloads. Furthermore, to date, there isn't a specific certification for qualifying a QSA to be an expert at evaluating virtualized environments. Although the PCI SSC strives to ensure that the list of QSAs linked from its corporate site is current and the list is frequently updated, the council cannot guarantee that the list is always current. Hence, every time an organization engages a QSA, the organization should check the list to ensure that its QSA has successfully maintained its status as a QSA.

How the Juniper Networks vGW Virtual Gateway Can Help Meet PCI DSS and Virtualization SIG Guidelines

Juniper Networks, using its extensive experience and innovative research in protecting the network, offers advanced protection for virtualized environments through a software suite capable of monitoring and protecting virtualized environments without negatively impacting performance. The vGW Virtual Gateway is a comprehensive virtualization security solution that includes a high-performance, hypervisor-based stateful firewall; an integrated intrusion detection service (IDS); and virtualization-specific antivirus for complete virtual network protection. The vGW brings forward features that offer layers of defenses and automated security as well as compliance enforcement within virtual networks and clouds. By leveraging virtual machine introspection, coupled with the vGW's wide-ranging information about the virtual network environment, the vGW creates an extensive database of parameters by which security policies and compliance rules can be defined and enforced. A hypervisor-based, VMsafe-certified virtualization security approach, in combination with X-ray-level knowledge of each virtual machine through VM Introspection, gives the vGW a unique vantage point in the virtualized fabric. Here, virtualization security can be applied efficiently and with context about the virtual environment and its state at any given moment.

The vGW delivers total virtual data center protection and cloud security through visibility, protection and compliance:

Visibility: A full view of all network traffic flowing between VMs is provided. Also available is a complete VM and VM group inventory, including virtual network settings. Deep knowledge of VM state, including installed applications, operating systems and patch levels, is made possible through VM Introspection.

Protection: A VMsafe-certified stateful firewall provides access control over all traffic via policies that specify which ports, protocols, destination VMs, etc. should be blocked. Further, an integrated intrusion detection engine inspects packets for the presence of malware or malicious traffic and alerts as appropriate. Finally, virtualization-specific antivirus protections deliver highly efficient on-demand and on-access scanning of VM disks and files with the ability to quarantine infected entities.

Compliance: The vGW enables enforcement of corporate and regulatory policies for the presence of required or banned applications via VM Introspection. Some practical applications of compliance enforcement, such as assurance of segregation of duties, ensure that VMs are assigned to the right trust zones inside the virtual environment. Pre-built compliance assessment is based on common industry best practices and leading regulatory standards. The vGW can also enforce compliance with a VM gold image, with quarantine or alerting for non-compliance, thereby ensuring that deviations from the desired VM configuration do not create a security risk. For meeting regulatory mandates such as PCI, the vGW provides a hierarchical policy editor for building the precise requirements: a very restrictive policy can be applied to high-value virtual machines, and a permissive policy to other VMs.

Juniper also addresses the reporting requirement of compliance with an automated reporting engine. System logging output gives security event management systems insight into virtual network activity. Administrators can print reports of historical VM traffic data and configure SNMP traps to alert them to selected events. Those events can then be sent via system logs to third-party security products such as those specializing in security information and event management (SIEM), for example Juniper Networks STRM Series Security Threat Response Managers. These products can synthesize the vGW log and event information from the virtualized data center with events from other parts of the network in order to get a holistic picture of the entire data center and its security posture.

Table 2: PCI DSS and SIG Guidance Requirements Supported by Juniper vGW Virtual Gateway

PCI DSS Requirement 1: Install and maintain a firewall configuration to protect cardholder data.

Requirement
  1.1 Establish firewall and router configuration standards, including documentation and business justification for use of all services, protocols and ports allowed, and documentation of security features implemented for those protocols considered to be insecure.
  1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment:
    - Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment.
    - Install perimeter firewalls between any wireless networks and the cardholder data environment, and configure these firewalls to deny or control (if such traffic is necessary for business purposes) any traffic from the wireless environment into the cardholder data environment.
  1.3 Prohibit direct public access between the Internet and any system component in the CDE.

Virtualization guidance
  Document business justification for any services, protocols and ports allowed through the firewall/router. Define and implement access control to block insecure protocols. For virtualized environments, a virtual firewall or router embedded within the hypervisor might be used to monitor and restrict traffic flowing through and within the virtual cardholder data environment, including inspection of VM-to-VM data flows.
  Implement firewall/router configurations so as to isolate traffic between untrusted networks (for example, from a wireless network) and the cardholder data environment.
  Configure the firewall/router to prevent access between the Internet-connected VLAN and any cardholder data-bearing VM or other virtual system component.

vGW support
  The vGW is a purpose-built hypervisor-based stateful firewall that can enforce access control policies by ensuring VMs that are tied to payment systems are isolated from VMs that are not. Additionally, the vGW allows a "build once, apply continuously" model of security policy definition and enforcement. Any time a new VM is added to the network, the new VM simply inherits the settings of the parent, including the security policies and applications in existence for a VM of that type. This ensures that security for the new virtual system component is automatically provisioned, thus reducing the risk of exposure of the system and cardholder data to malicious traffic.
  The vGW is installed within the virtual infrastructure and stores all network communication (either VM-to-VM or VM-to-physical) in a database. Reports can be generated showing all network activity (protocols, ports, etc.) in use on every VM over any given time period. As new VMs are created, the vGW detects them automatically and can report on that activity. This information documents all known services and protocols in operation and can aid in justifying their use in the network.
  The vGW can enforce access control on a per-VM basis, so that if a particular VM is in the network where a payment system is connected, the vGW can be configured to stop traffic originating from an untrusted network from connecting with that VM. A hierarchy of firewall policies allows administrators to easily secure VMs. All VMs must conform to the Global Policy, with high-level and low-level rules. Additionally, Group Policies (for example, Web servers) restrict access to and from logical or business groupings of VMs. For maximum control, administrators can also create and enforce policies for individual VMs. All data in or out of the virtual environment can be tightly controlled (the rule editor defines traffic paths as "inbound" and "outbound").
  It doesn't matter whether the remote network is wireless or Internet connected: traffic must pass through the vGW firewall before reaching the actual VM. The vGW firewall can ensure that no in-scope VM containing cardholder data is incorrectly assigned to an Internet-connected VLAN. Doing so triggers a policy violation alert and optional quarantine of the in-scope VM.
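The hierarchy described above (a Global Policy every VM must satisfy, Group Policies for business groupings, per-VM policies for individual hosts, new VMs inheriting their group's rules, and an alert when an in-scope VM lands on an Internet-connected VLAN) is easier to reason about with a small evaluator in hand. The following is an added, hypothetical model written for this page, not vGW code: it assumes rules are checked global tier first, then group, then VM, that the first match wins, that unmatched traffic is denied, and that a VM with no group is quarantined until a policy is defined. The policy, VM inventory and VLAN names are constructed for the example.

```python
"""Toy model of a hierarchical VM firewall policy (global, group, per-VM tiers).

Added illustration for this page, not vGW code. Assumed simplifications
(constructed): global rules are evaluated first, then the VM's group rules,
then VM-specific rules; the first matching rule decides; traffic matching no
rule is denied; a VM belonging to no group is quarantined.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "inbound" or "outbound", relative to the VM
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches any port

    def matches(self, direction: str, proto: str, port: int) -> bool:
        return (self.direction == direction
                and self.proto in ("any", proto)
                and self.port in (None, port))


@dataclass(frozen=True)
class VM:
    name: str
    group: Optional[str]  # None models a freshly created VM with no group yet
    vlan: str


@dataclass
class Policy:
    global_rules: List[Rule]              # every VM must conform to these
    group_rules: Dict[str, List[Rule]]    # business grouping -> rules
    vm_rules: Dict[str, List[Rule]]       # individual VM -> rules
    in_scope_groups: Set[str]             # groups whose VMs hold cardholder data
    internet_vlans: Set[str]              # Internet-connected VLANs


def decide(policy: Policy, vm: VM, direction: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (verdict, tier): verdict is allow/deny/quarantine, tier names the
    policy level that produced it ("default" when no rule matched)."""
    if vm.group is None:
        return ("quarantine", "no-group")
    tiers = [
        ("global", policy.global_rules),
        ("group", policy.group_rules.get(vm.group, [])),
        ("vm", policy.vm_rules.get(vm.name, [])),
    ]
    for tier, rules in tiers:
        for rule in rules:
            if rule.matches(direction, proto, port):
                return (rule.action, tier)
    return ("deny", "default")


def placement_violations(policy: Policy, vms: List[VM]) -> List[str]:
    """Names of in-scope VMs sitting on an Internet-connected VLAN, the
    misplacement the text says should raise an alert or quarantine."""
    return sorted(vm.name for vm in vms
                  if vm.group in policy.in_scope_groups and vm.vlan in policy.internet_vlans)


# Constructed sample policy and inventory.
POLICY = Policy(
    global_rules=[Rule("deny", "inbound", "tcp", 23)],          # no Telnet anywhere
    group_rules={
        "payment-web": [Rule("allow", "inbound", "tcp", 443),
                        Rule("allow", "outbound", "tcp", 5432)],
        "legacy": [Rule("allow", "inbound", "any", None)],      # permissive group
    },
    vm_rules={"pay-web-01": [Rule("allow", "inbound", "tcp", 22)]},  # admin SSH on one host only
    in_scope_groups={"payment-web", "payment-db"},
    internet_vlans={"vlan-dmz"},
)

VMS = {
    "pay-web-01": VM("pay-web-01", "payment-web", "vlan-cde"),
    "pay-web-02": VM("pay-web-02", "payment-web", "vlan-cde"),  # new clone, inherits group policy
    "pay-db-01": VM("pay-db-01", "payment-db", "vlan-dmz"),     # in-scope VM on the wrong VLAN
    "legacy-01": VM("legacy-01", "legacy", "vlan-cde"),
    "orphan-01": VM("orphan-01", None, "vlan-cde"),             # created with no group yet
}


if __name__ == "__main__":
    for name, vm in VMS.items():
        print(name, decide(POLICY, vm, "inbound", "tcp", 443))
    print("misplaced in-scope VMs:", placement_violations(POLICY, list(VMS.values())))
```

Two behaviours worth noticing: the clone pay-web-02 gets the same 443 verdict as pay-web-01 purely by group membership, while the SSH exception granted only in pay-web-01's own tier does not carry over; and the global Telnet deny wins on legacy-01 even though that group allows everything, which is the ordering the text's "all VMs must conform to the Global Policy" implies.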

PCI DSS Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters.

Requirement
  2.2 Develop configuration standards for all system components. Assure that these standards address all known security vulnerabilities and are consistent with industry-accepted system hardening standards.
    2.2.1 Implement only one primary function per server to prevent functions that require different security levels from coexisting on the same server. (For example, Web servers, database servers and DNS should be implemented on separate servers.) Note: Where virtualization technologies are in use, implement only one primary function per virtual system component.
    2.2.1.b If virtualization technologies are used, verify that only one primary function is implemented per virtual system component or device.
    - Enable only necessary and secure services, protocols, daemons, etc. as required for the function of the system.
    - Configure system security parameters to prevent misuse.
    - Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary Web servers.
  2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN or SSL/TLS for web-based management and other non-console administrative access.

Virtualization guidance
  Within virtualized environments, ensure that only one primary function is implemented per system component or device (for example, virtual machine). As part of the security policy for a given system, allow only those services and protocols it requires to perform its task(s), and remove unnecessary functionality (for example, scripts, drivers, file systems, etc.). Control non-console administrative access to systems by utilizing strong cryptography technologies.

vGW support
  The vGW produces network connection reports that clearly show the protocols in use by every VM on the network where payment systems are connected. A practical application of such a report is to determine whether unnecessary Web servers are running, file servers are functioning, or any other applications are in use that shouldn't be.
  In accordance with 2.2.1, which states that a single virtual system component (for example, a VM) should only be serving one primary function, the vGW can help ensure this by monitoring and alerting on any changes to system configuration. If someone is trying to install a database server and an application server on a single VM, and the associated security policy designates that such an action should not be allowed, the vGW can be configured to alert the relevant personnel so that appropriate action can be taken (for example, add another VM to the network and install just one of the servers on this new VM). Systems that the vGW determines to be inappropriately connected to secure networks like the VMsafe communication network (that is, per defined policy) can be automatically disconnected. Proprietary protocols that might introduce risks are automatically detected, and their presence is alerted on by the vGW security application.
  The vGW uses encryption for all system communication and requires encrypted authentication to access the vGW management server application (all passwords are forcibly changed during install). The vGW can monitor, alert on and/or stop the use of non-encrypted protocols on the network (Telnet or FTP instead of SSH or SCP/SFTP).

PCI DSS Requirement 2 (continued)

Requirement
  2.4 Shared hosting providers must protect each entity's hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers.

Virtualization guidance
  The multi-tenant hosting provider must protect each entity's hosted environment and cardholder data by putting in place administrative, process and technical segmentation to isolate each hosted entity's environment from other entities. At a minimum, this isolation should encompass all PCI DSS controls, including but not limited to segmented authentication, network and access controls, encryption, and logging.

vGW support
  The vGW, through its built-in virtual firewall, can be configured to segment tenant resources (virtual system components) from one another, ensuring isolation of their security policies. The vGW provides an XML-RPC programming interface that lets service providers and large enterprises customize and automate firewall provisioning. Users of the API can efficiently secure virtualization services for internal or external customers while ensuring strict isolation of customer VMs. Additionally, the vGW includes a feature called Split-Center that can be utilized in multi-tenant virtualized environments that require segregation of a single security management platform into parts that are consistent with unique security policies per hosted entity. Split-Center allows segmentation of the information contained in one virtualization management layer into what are effectively multiple independently managed vGW centers, to improve resource isolation for multi-tenancy.

PCI DSS Requirement 5: Use and regularly update antivirus software or programs.

Requirement
  5.1 Deploy antivirus software on all systems commonly affected by malicious software.
  5.2 Ensure that all antivirus mechanisms are current, actively running and generating audit logs.

Virtualization guidance
  Install relevant (for example, purpose-built) antivirus software on all systems (including servers and hosts) that are vulnerable to malware. Keep the antivirus software subscription up to date to account for the latest threats, and ensure that the software is actively running and generating audit logs.

vGW support
  Virtualization-specific antivirus provides a layer of defense against malware (such as viruses, worms and spyware) with minimal impact on VM memory and disk. The vGW antivirus engine provides optional on-access and on-demand scanning to help meet this requirement. The vGW's antivirus protection stays up to date through automatic signature updates available for the life of the software subscription (with an active license). Audit logs are automatically generated as long as the vGW antivirus engine is enabled.

PCI DSS Requirement 6: Develop and maintain secure systems and applications.

Requirement
  6.1 Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed.
  6.2 Establish a process to identify and assign a risk ranking to newly discovered security vulnerabilities.

Virtualization guidance
  Apply the most recent security patches as soon as possible, especially for critical systems and software applications. Consider prioritizing the application of security patches (apply patches to at-risk systems sooner than to less risk-prone ones). For any newly discovered day-zero threats, assign a severity rating to the threats and add these to the vulnerability database.

vGW support
  The vGW has two types of patches/updates:
    1. vGW application fixes
    2. vGW signature feed for malicious traffic monitoring (IDS)
  In both cases, the vGW application does not notify an administrator that a patch needs to be applied. The patches for signature updates can also be applied without administrator intervention on a predefined schedule. The vGW integrated IDS includes a risk rating for new vulnerabilities. This risk rating can be modified by the virtual infrastructure administrator to better reflect the security environment of the CDE.

PCI DSS Requirement 6 (continued)

Requirement
  - Separate development/test and production environments.
  6.5 Develop applications based on secure coding guidelines. Prevent common coding vulnerabilities in software development processes, including:
    - Injection flaws, particularly SQL injection. Also consider OS command injection, LDAP and XPath injection flaws as well as other injection flaws
    - Buffer overflow
    - Insecure cryptographic storage
    - Insecure communications
    - Improper error handling
    Note: The remaining items apply to Web applications and application interfaces (internal or external):
    - Cross-site scripting (XSS)
    - Improper access control (such as insecure direct object references, failure to restrict URL access, and directory traversal)
    - Cross-site request forgery (CSRF)
  6.6 For public-facing Web applications, address new threats and vulnerabilities on an ongoing basis and ensure these applications are protected against known attacks by either of the following methods:
    - Review public-facing Web applications via manual or automated application vulnerability security assessment tools or methods, at least annually and after any changes.
    - Install a Web application firewall in front of public-facing Web applications.

Virtualization guidance
  Isolate application development/test and production environments. Develop applications based on generally accepted secure coding guidelines and prevent common coding vulnerabilities. Organizations must review their Web applications regularly and ensure these applications are protected against both known and unknown (for example, day-zero) threats. There are multiple commercially available vulnerability security assessment tools and methods available to meet this requirement.

vGW support
  Virtualized environments often have a testing/development cluster as well as a production cluster. Because the vGW is installed in the kernel of each individual hypervisor host, it is easy to create security policies that completely isolate the traffic in each environment.
  The vGW has an IDS engine that is incorporated into the virtual infrastructure. The IDS engine is signature based, and a portion of the signatures comes from the Sourcefire VRT professional feed, whose foundation has more than 3.7 million users and is the most widely distributed intrusion detection technology in the world. Juniper also adds custom signatures and expertise to this feed, giving users layers of enterprise-grade protection. The IDS signature rules detect XSS, injection flaws, malicious file extensions, insecure direct object references, and other malicious or inappropriate traffic. Since the vGW monitors all connection flows, it can be used to spot information leakage between systems (for example, VM1 unexpectedly sending 10 GB of traffic to VM2). The vGW has an advanced stateful firewall and a combination of web-based IDS signatures that in concert inspect and detect anomalous Web activity, thereby protecting web-based applications.

PCI DSS Requirement 10: Track and monitor all access to network resources and cardholder data.

Requirement
  - Establish a process for linking all access to system components.
  - Implement automated audit trails for all system components to reconstruct the following events: all individual accesses to cardholder data; creation and deletion of system-level objects.
  10.3 Record audit trail entries for all system components for each event.

Virtualization guidance
  Put in place a method to monitor and log all access to system components by user, for auditing and investigation purposes should there be a data compromise. Automatically track individual access to cardholder data and creation and deletion of system-level objects. By recording the following audit trail entries for all system components for each event, a potential compromise can be quickly identified with sufficient detail of who, what, when, where, and how: user ID, type of event, date and time, success/failure indication, origination of event, and ID or name of affected data, system component, or resource.

vGW support
  Juniper's vGW, through its stateful firewall, provides access control over all traffic via policies that specify which ports, protocols, destination VMs, etc. should be blocked. The vGW can monitor and optionally log all access activity, including blocked attempts, to VMs. These logs might include information about the source of the traffic, including an IP address. For a complete user authentication solution, the vGW can be integrated with the Juniper SRX Series Services Gateway and Unified Access Control (UAC) products to gain visibility into the specific user accessing a particular system component. Controlling access to cardholder data can be accomplished by implementing network-based control (that is, firewall blocking of access from system to system). The vGW can monitor and display all access details between systems and enforce access at the lowest level possible (that is, system to system).
  Because the vGW is tightly integrated into the virtualization management layer, it has complete virtual awareness in the application of security, including when VMs have been cloned, created, deleted, or have migrated. Policy is automatically applied to these new VMs, ensuring that they either inherit the policy of their group or are quarantined until a policy is defined. Any changes that affect the VM state (networking changes, installed applications or security policy changes) are monitored and reported on. The vGW can essentially function as an IP traffic collector, recording all traffic between VMs. This data can be sent to a log aggregation device for the purpose of creating a comprehensive audit trail of all access activity in the CDE, including activity among in-scope VMs.
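Several rows of Table 2 rest on the same raw material: a record of every connection between VMs. Requirement 1.1 wants the services and ports in use per VM documented, 2.2.1 wants a VM serving more than one primary function caught, 2.3 wants cleartext administrative protocols such as Telnet and FTP flagged, and 10.3 wants each event recorded with user, type, time, outcome, origin and affected resource. The following is an added example written for this page, not vGW code and not its log format: it assumes a constructed key=value record layout, constructed sample lines, and a constructed port-to-function mapping, and shows how each of those four checks falls out of one parsed set of records.

```python
"""Analysis of VM-to-VM connection records for the reporting, hardening and
audit-trail points in Table 2 (Requirements 1.1, 2.2.1, 2.3 and 10.3).

Added example for this page, not vGW code or its log format. The record
layout, the sample lines and the port-to-function mapping are constructed.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample records: timestamp followed by key=value pairs.
SAMPLE_LOG = """\
2011-09-14T10:02:11Z src=pay-web-01 dst=pay-db-01 proto=tcp dport=3306 action=allow user=svc_web
2011-09-14T10:02:15Z src=admin-ws-07 dst=pay-db-01 proto=tcp dport=23 action=allow user=jdoe
2011-09-14T10:03:02Z src=10.0.9.4 dst=pay-web-01 proto=tcp dport=443 action=allow user=-
2011-09-14T10:03:40Z src=10.0.9.4 dst=pay-web-01 proto=tcp dport=22 action=deny user=-
2011-09-14T10:04:05Z src=dev-app-02 dst=pay-web-01 proto=tcp dport=5432 action=allow user=svc_dev
2011-09-14T10:04:30Z src=admin-ws-07 dst=pay-web-01 proto=tcp dport=21 action=deny user=jdoe
"""

# Cleartext administrative protocols that Requirement 2.3 rules out.
CLEARTEXT_ADMIN = {21: "ftp", 23: "telnet"}

# Constructed mapping from service port to "primary function" (Requirement 2.2.1).
PRIMARY_FUNCTION = {80: "web", 443: "web", 3306: "database", 5432: "database", 53: "dns"}

_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_flow(line: str) -> dict:
    """Turn one record into a dict; dport becomes an int."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = {"ts": m.group("ts")}
    for pair in m.group("kv").split():
        key, _, value = pair.partition("=")
        rec[key] = value
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text: str) -> List[dict]:
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def service_inventory(records: List[dict]) -> Dict[str, Set[Tuple[str, int]]]:
    """Per-VM set of (proto, port) actually reached: the evidence behind the
    Requirement 1.1 documentation of services and ports in use."""
    inv = defaultdict(set)
    for r in records:
        if r["action"] == "allow":
            inv[r["dst"]].add((r["proto"], r["dport"]))
    return dict(inv)


def cleartext_admin_use(records: List[dict]) -> List[Tuple[str, str, str, str]]:
    """(timestamp, destination VM, protocol, action) for every attempt, allowed
    or blocked, to reach a VM over Telnet or FTP."""
    return [(r["ts"], r["dst"], CLEARTEXT_ADMIN[r["dport"]], r["action"])
            for r in records if r["dport"] in CLEARTEXT_ADMIN]


def multi_function_vms(records: List[dict]) -> Dict[str, Set[str]]:
    """VMs observed serving more than one primary function."""
    functions = defaultdict(set)
    for r in records:
        if r["action"] == "allow" and r["dport"] in PRIMARY_FUNCTION:
            functions[r["dst"]].add(PRIMARY_FUNCTION[r["dport"]])
    return {vm: f for vm, f in functions.items() if len(f) > 1}


def audit_entries(records: List[dict]) -> List[Dict[str, str]]:
    """Re-express each record with the fields Requirement 10.3 asks for."""
    return [{
        "user_id": r["user"],
        "event_type": "network-access",
        "time": r["ts"],
        "result": "success" if r["action"] == "allow" else "failure",
        "origin": r["src"],
        "resource": f'{r["dst"]}:{r["proto"]}/{r["dport"]}',
    } for r in records]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("inventory:", service_inventory(recs))
    print("cleartext admin:", cleartext_admin_use(recs))
    print("multi-function VMs:", multi_function_vms(recs))
    for entry in audit_entries(recs):
        print(entry)
```

Note that the inventory and the multi-function check count only allowed connections (a blocked SSH attempt does not make a VM an SSH server), while the cleartext-protocol check reports blocked attempts too, since a denied Telnet session is still the kind of event an assessor wants to see in the audit trail.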


When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs White Paper Meeting PCI Data Security Standards with Juniper Networks SECURE ANALYTICS When it Comes to Monitoring and Validation it Takes More Than Just Collecting Logs Copyright 2013, Juniper Networks,

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

COORDINATED THREAT CONTROL

COORDINATED THREAT CONTROL APPLICATION NOTE COORDINATED THREAT CONTROL Interoperability of Juniper Networks IDP Series Intrusion Detection and Prevention Appliances and SA Series SSL VPN Appliances Copyright 2010, Juniper Networks,

More information

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment.

1.3 Prohibit Direct Public Access - Prohibit direct public access between the Internet and any system component in the cardholder data environment. REQUIREMENT 1 Install and Maintain a Firewall Configuration to Protect Cardholder Data Firewalls are devices that control computer traffic allowed between an entity s networks (internal) and untrusted

More information

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE AGENDA PCI DSS Basics Case Studies of PCI DSS Failure! Common Problems with PCI DSS Compliance

More information

Windows Azure Customer PCI Guide

Windows Azure Customer PCI Guide Windows Azure PCI Guide January 2014 Version 1.0 Prepared by: Neohapsis, Inc. 217 North Jefferson St., Suite 200 Chicago, IL 60661 New York Chicago Dallas Seattle PCI Guide January 2014 This document contains

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM)

Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM) White Paper Meeting PCI Data Security Standards with Juniper Networks Security Threat Response Manager (STRM) When It Comes To Monitoring and Validation It Takes More Than Just Collecting Logs Juniper

More information

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance

REDSEAL NETWORKS SOLUTION BRIEF. Proactive Network Intelligence Solutions For PCI DSS Compliance REDSEAL NETWORKS SOLUTION BRIEF Proactive Network Intelligence Solutions For PCI DSS Compliance Overview PCI DSS has become a global requirement for all entities handling cardholder data. A company processing,

More information

White Paper. Protect Your Virtual. Realizing the Benefits of Virtualization Without Sacrificing Security. Copyright 2012, Juniper Networks, Inc.

White Paper. Protect Your Virtual. Realizing the Benefits of Virtualization Without Sacrificing Security. Copyright 2012, Juniper Networks, Inc. White Paper Five Best Practices to Protect Your Virtual Environment Realizing the Benefits of Virtualization Without Sacrificing Security Copyright 2012, Juniper Networks, Inc. 1 Table of Contents Executive

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table January 2013 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

PCI and PA DSS Compliance Assurance with LogRhythm

PCI and PA DSS Compliance Assurance with LogRhythm WHITEPAPER PCI and PA DSS Compliance Assurance PCI and PA DSS Compliance Assurance with LogRhythm MAY 2014 PCI and PA DSS Compliance Assurance with LogRhythm The Payment Card Industry (PCI) Data Security

More information

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices

TASK -040. TDSP Web Portal Project Cyber Security Standards Best Practices Page 1 of 10 TSK- 040 Determine what PCI, NERC CIP cyber security standards are, which are applicable, and what requirements are around them. Find out what TRE thinks about the NERC CIP cyber security

More information

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 WHITEPAPER Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4 An in-depth look at Payment Card Industry Data Security Standard Requirements 10, 11,

More information

Did you know your security solution can help with PCI compliance too?

Did you know your security solution can help with PCI compliance too? Did you know your security solution can help with PCI compliance too? High-profile data losses have led to increasingly complex and evolving regulations. Any organization or retailer that accepts payment

More information

PICO Compliance Audit - A Quick Guide to Virtualization

PICO Compliance Audit - A Quick Guide to Virtualization WHITE PAPER August 2011 Passing Compliance Audit: Virtualize PCI-compliant Workloads with the Help of HyTrust and Trend Micro Deep Security HYTRUST AND TREND MICRO DEEP SECURITY TOC Contents Virtualization

More information

PRODUCT CATEGORY BROCHURE

PRODUCT CATEGORY BROCHURE IDP Series Intrusion Detection and Prevention Appliances PRODUCT CATEGORY BROCHURE Staying One Step Ahead With the accelerating number of applications allowed in from the Internet and the higher frequency

More information

PCI Requirements Coverage Summary Table

PCI Requirements Coverage Summary Table StillSecure PCI Complete Managed PCI Compliance Solution PCI Requirements Coverage Summary Table December 2011 Table of Contents Introduction... 2 Coverage assumptions for PCI Complete deployments... 2

More information

Presented By: Bryan Miller CCIE, CISSP

Presented By: Bryan Miller CCIE, CISSP Presented By: Bryan Miller CCIE, CISSP Introduction Why the Need History of PCI Terminology The Current Standard Who Must Be Compliant and When What Makes this Standard Different Roadmap to Compliance

More information

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE

CHEAT SHEET: PCI DSS 3.1 COMPLIANCE CHEAT SHEET: PCI DSS 3.1 COMPLIANCE WHAT IS PCI DSS? Payment Card Industry Data Security Standard Information security standard for organizations that handle data for debit, credit, prepaid, e-purse, ATM,

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services

Information Security Services. Achieving PCI compliance with Dell SecureWorks security services Information Security Services Achieving PCI compliance with Dell SecureWorks security services Executive summary In October 2010, the Payment Card Industry (PCI) issued the new Data Security Standard (DSS)

More information

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS)

CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) CORE Security and the Payment Card Industry Data Security Standard (PCI DSS) Addressing the PCI DSS with Predictive Security Intelligence Solutions from CORE Security CORE Security +1 617.399-6980 info@coresecurity.com

More information

PCI DSS Reporting WHITEPAPER

PCI DSS Reporting WHITEPAPER WHITEPAPER PCI DSS Reporting CONTENTS Executive Summary 2 Latest Patches not Installed 3 Vulnerability Dashboard 4 Web Application Protection 5 Users Logging into Sensitive Servers 6 Failed Login Attempts

More information

The Comprehensive Guide to PCI Security Standards Compliance

The Comprehensive Guide to PCI Security Standards Compliance The Comprehensive Guide to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

A Rackspace White Paper Spring 2010

A Rackspace White Paper Spring 2010 Achieving PCI DSS Compliance with A White Paper Spring 2010 Summary The Payment Card Industry Data Security Standard (PCI DSS) is a global information security standard defined by the Payment Card Industry

More information

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP solution brief PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP AWS AND PCI DSS COMPLIANCE To ensure an end-to-end secure computing environment, Amazon Web Services (AWS) employs a shared security responsibility

More information

Protecting Physical and Virtual Workloads

Protecting Physical and Virtual Workloads WHITE PAPER An Integrated Security Solution for the Virtual Data Center and Cloud Protecting Physical and Virtual Workloads Copyright 2011, Juniper Networks, Inc. 1 Table of Contents Executive Summary........................................................................................................

More information

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes

PCI DSS Requirements Version 2.0 Milestone Network Box Comments. 6 Yes Requirement 1: Install and maintain a firewall configuration to protect cardholder data 1.1 Establish firewall and router configuration standards that include the following: 1.1.1 A formal process for

More information

Thoughts on PCI DSS 3.0. September, 2014

Thoughts on PCI DSS 3.0. September, 2014 Thoughts on PCI DSS 3.0 September, 2014 Speaker Today Jeff Sanchez is a Managing Director in Protiviti s Los Angeles office. He joined Protiviti in 2002 after spending 10 years with Arthur Andersen s Technology

More information

Technology Innovation Programme

Technology Innovation Programme FACT SHEET Technology Innovation Programme The Visa Europe Technology Innovation Programme () was designed to complement the Payment Card Industry (PCI) Data Security Standard (DSS) by reflecting the risk

More information

PCI Compliance for Cloud Applications

PCI Compliance for Cloud Applications What Is It? The Payment Card Industry Data Security Standard (PCIDSS), in particular v3.0, aims to reduce credit card fraud by minimizing the risks associated with the transmission, processing, and storage

More information

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version 2.0 to 3.0 Payment Card Industry (PCI) Data Security Standard Summary of s from Version 2.0 to 3.0 November 2013 Introduction This document provides a summary of changes from v2.0 to v3.0. Table 1 provides an overview

More information

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015.

Preparing an RFI for. This RFI has been updated to reflect the new requirements in Version 3.0 of the PCI DSS, which took effect January 2015. Preparing an RFI for Protecting cardholder data is a critical and mandatory requirement for all organizations that process, store or transmit information on credit or debit cards. Requirements and guidelines

More information

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy

Payment Card Industry - Data Security Standard (PCI-DSS) Security Policy Payment Card Industry - Data Security Standard () Security Policy Version 1-0-0 3 rd February 2014 University of Leeds 2014 The intellectual property contained within this publication is the property of

More information

Meeting PCI-DSS v1.2.1 Compliance Requirements. By Compliance Research Group

Meeting PCI-DSS v1.2.1 Compliance Requirements. By Compliance Research Group Meeting PCI-DSS v1.2.1 Compliance Requirements By Compliance Research Group Table of Contents Technical Security Controls and PCI DSS Compliance...1 Mapping PCI Requirements to Product Functionality...2

More information

CorreLog Alignment to PCI Security Standards Compliance

CorreLog Alignment to PCI Security Standards Compliance CorreLog Alignment to PCI Security Standards Compliance Achieving PCI DSS compliance is a process. There are many systems and countless moving parts that all need to come together to keep user payment

More information

Secure Cloud-Ready Data Centers Juniper Networks

Secure Cloud-Ready Data Centers Juniper Networks Secure Cloud-Ready Data Centers Juniper Networks JUNIPER SECURITY LEADERSHIP A $1B BUSINESS Market Leadership Data Center with High- End Firewall #1 at 42% Secure Mobility with SSL VPN #1 at 25% Security

More information

Network and Security. Product Description. Product Overview. Architecture and Key Components DATASHEET

Network and Security. Product Description. Product Overview. Architecture and Key Components DATASHEET DATASHEET Network and Security Manager Product Overview Network and Security Manager provides unparalleled capability for device and security policy configuration, comprehensive monitoring, reporting tools,

More information

ISO 27001 PCI DSS 2.0 Title Number Requirement

ISO 27001 PCI DSS 2.0 Title Number Requirement ISO 27001 PCI DSS 2.0 Title Number Requirement 4 Information security management system 4.1 General requirements 4.2 Establishing and managing the ISMS 4.2.1 Establish the ISMS 4.2.1.a 4.2.1.b 4.2.1.b.1

More information

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008

Cyber - Security and Investigations. Ingrid Beierly August 18, 2008 Cyber - Security and Investigations Ingrid Beierly August 18, 2008 Agenda Visa Cyber - Security and Investigations Today s Targets Recent Attack Patterns Hacking Statistics (removed) Top Merchant Vulnerabilities

More information

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI

WHITEPAPER. Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI WHITEPAPER Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with NetMRI About PCI DSS Compliance The widespread use of debit and credit cards in retail transactions demands

More information

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline 5.23.1.10 Payment Card Industry Technical Requirements Minnesota State Colleges and Universities System Procedures Chapter 5 Administration Payment Card Industry Technical s Part 1. Purpose. This guideline emphasizes many of the minimum technical requirements

More information

Global Partner Management Notice

Global Partner Management Notice Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with

More information

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more

The dramatic growth in mobile device malware. continues to escalate at an ever-accelerating. pace. These threats continue to become more The dramatic growth in mobile device malware continues to escalate at an ever-accelerating pace. These threats continue to become more sophisticated while the barrier to entry remains low. As specific

More information

Achieving PCI DSS Compliance with Cinxi

Achieving PCI DSS Compliance with Cinxi www.netforensics.com NETFORENSICS SOLUTION GUIDE Achieving PCI DSS Compliance with Cinxi Compliance with PCI is complex. It forces you to deploy and monitor dozens of security controls and processes. Data

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Payment Card Industry Data Security Standard Introduction Purpose Audience Implications Sensitive Digital Data Management In an effort to protect credit card information from unauthorized access, disclosure

More information

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0

Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 Payment Card Industry (PCI) Data Security Standard ROC Reporting Instructions for PCI DSS v2.0 September 2011 Changes Date September 2011 Version Description 1.0 To introduce PCI DSS ROC Reporting Instructions

More information

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard

Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard Partner Addendum Trend Micro VMware Solution Guide Summary for Payment Card Industry Data Security Standard The findings and recommendations contained in this document are provided by VMware-certified

More information

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1)

Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) Appendixes Information Technology Standard for PCI systems Syracuse University Information Technology and Services PCI Network Security Standard (Appendix 1) 1.0 Scope All credit card data and its storage

More information

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com

PCI Compliance - A Realistic Approach. Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com PCI Compliance - A Realistic Approach Harshul Joshi, CISM, CISA, CISSP Director, Information Technology CBIZ MHM hjoshi@cbiz.com What What is PCI A global forum launched in September 2006 for ongoing enhancement

More information

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security

Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security Payment Card Industry Data Security Standard PCI-DSS #SA7D, Platform Database, Tuning & Security John Mason Slides & Code - labs.fusionlink.com Blog - www.codfusion.com What is PCI-DSS? Created by the

More information

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite

Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite WHITE PAPER Mobile Device Security in the Enterprise Deploy secure, corporate access for mobile device users with the Junos Pulse Mobile Security Suite Copyright 2010, Juniper Networks, Inc. Table of Contents

More information

Juniper Networks Solution Portfolio for Public Sector Network Security

Juniper Networks Solution Portfolio for Public Sector Network Security SOLUTION BROCHURE Juniper Networks Solution Portfolio for Public Sector Network Security Protect against Network Downtime, Control Access to Critical Resources, and Provide Information Assurance Juniper

More information

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat

PCI COMPLIANCE Protecting Against External Threats Protecting Against the Insider Threat PCI COMPLIANCE Achieving Payment Card Industry (PCI) Data Security Standard Compliance With Lumension Security Vulnerability Management and Endpoint Security Solutions Cardholder Data at Risk While technology

More information

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements:

The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Compliance Brief The Payment Card Industry (PCI) Data Security Standards (DSS) v1.2 Requirements: Using Server Isolation and Encryption as a Regulatory Compliance Solution and IT Best Practice Introduction

More information

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker

PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker PCI-DSS and Application Security Achieving PCI DSS Compliance with Seeker www.quotium.com 1/14 Summary Abstract 3 PCI DSS Statistics 4 PCI DSS Application Security 5 How Seeker Helps You Achieve PCI DSS

More information

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures 1. Introduction 1.1. Purpose and Background 1.2. Central Coordinator Contact 1.3. Payment Card Industry Data Security Standards (PCI-DSS) High Level Overview 2. PCI-DSS Guidelines - Division of Responsibilities

More information

PCI Wireless Compliance with AirTight WIPS

PCI Wireless Compliance with AirTight WIPS A White Paper by AirTight Networks, Inc. 339 N. Bernardo Avenue, Suite 200, Mountain View, CA 94043 www.airtightnetworks.com 2013 AirTight Networks, Inc. All rights reserved. Introduction Although [use

More information

Remote Access Protection

Remote Access Protection IMPLEMENTATION GUIDE Remote Access Protection Best Practices for Implementing Remote Access Protection Using Juniper Networks SA Series SSL VPN Appliances, IDP Series Intrusion Detection and Prevention

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

General Standards for Payment Card Environments at Miami University

General Standards for Payment Card Environments at Miami University General Standards for Payment Card Environments at Miami University 1. Install and maintain a firewall configuration to protect cardholder data and its environment Cardholder databases, applications, servers,

More information

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity)

How To Protect Data From Attack On A Network From A Hacker (Cybersecurity) PCI Compliance Reporting Solution Brief Automating Regulatory Compliance and IT Best Practices Reporting Automating Compliance Reporting for PCI Data Security Standard version 1.1 The PCI Data Security

More information

Requirement 1: Install and maintain a firewall configuration to protect cardholder data

Requirement 1: Install and maintain a firewall configuration to protect cardholder data Mapping PCI DSS 3.0 to Instant PCI Policy Below are the requirements from the PCI Data Security Standard, version 3.0. Each requirement is followed by a bullet point that tells exactly where that requirement

More information

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer

Don Roeber Vice President, PCI Compliance Manager. Lisa Tedeschi Assistant Vice President, Compliance Officer Complying with the PCI DSS All the Moving Parts Don Roeber Vice President, PCI Compliance Manager Lisa Tedeschi Assistant Vice President, Compliance Officer Types of Risk Operational Risk Normal fraud

More information

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor bfranklin@compassitc.com January 23, 2014 Agenda Introduction PCI DSS 3.0 Changes What Can I Do to Prepare? When Do I Need to be Compliant? Questions

More information

Teleran PCI Customer Case Study

Teleran PCI Customer Case Study Teleran PCI Customer Case Study Written by Director of Credit Card Systems for Large Credit Card Issuer Customer Case Study Summary A large credit card issuer was engaged in a Payment Card Industry Data

More information

Improving PCI Compliance with Network Configuration Automation

Improving PCI Compliance with Network Configuration Automation Improving PCI Compliance with Network Configuration Automation technical WHITE PAPER Table of Contents Executive Summary...1 PCI Data Security Standard Requirements...2 BMC Improves PCI Compliance...2

More information

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers

Increase Simplicity and Improve Reliability with VPLS on the MX Series Routers SOLUTION BRIEF Enterprise Data Center Interconnectivity Increase Simplicity and Improve Reliability with VPLS on the Routers Challenge As enterprises improve business continuity by enabling resource allocation

More information

PCI DSS Compliance. with the Barracuda NG Firewall. White Paper

PCI DSS Compliance. with the Barracuda NG Firewall. White Paper PCI DSS Compliance with the Barracuda NG Firewall White Paper About Payment Card Industry Data Security Standard (PCI DSS) Requirements In response to the increase in identity theft and security breaches,

More information

A Secure Network for Credit Card

A Secure Network for Credit Card WHITE PAPER A Secure Network for Credit Card Transactions Addressing PCI Compliance with Juniper Networks Unified Access Control Copyright 2010, Juniper Networks, Inc. Table of Contents Executive Summary..................................................................................

More information

Payment Card Industry (PCI) Compliance. Management Guidelines

Payment Card Industry (PCI) Compliance. Management Guidelines Page 1 thehelpdeskllc.com 855-336-7435 Payment Card Industry (PCI) Compliance Management Guidelines About PCI Compliance Payment Card Industry (PCI) compliance is a requirement for all businesses that

More information

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table BAE Systems PCI Essentail PCI Requirements Coverage Summary Table Introduction BAE Systems PCI Essential solution can help your company significantly reduce the costs and complexity of meeting PCI compliance

More information

PCI Data Security Standards (DSS)

PCI Data Security Standards (DSS) ENTERPRISE APPLICATION WHITELISTING SOLUTION Achieving PCI Compliance at the Point of Sale Using Bit9 Parity TM to Protect Cardholder Data PCI: Protecting Cardholder Data As the technology used by merchants

More information

JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE

JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE White Paper JUNIPER NETWORKS FIREFLY HOST ANTIVIRUS ARCHITECTURE Copyright 2012, Juniper Networks, Inc. 1 Table of Contents Executive Summary...3 Introduction...3 Typical Antivirus Use Cases...3 Use Case

More information

Payment Card Industry Data Security Standard

Payment Card Industry Data Security Standard Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security

More information

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009

Top Five Data Security Trends Impacting Franchise Operators. Payment System Risk September 29, 2009 Top Five Data Security Trends Impacting Franchise Operators Payment System Risk September 29, 2009 Top Five Data Security Trends Agenda Data Security Environment Compromise Overview and Attack Methods

More information

Document TMIC-003-PD Version 1.1, 23 August 2012 1

Document TMIC-003-PD Version 1.1, 23 August 2012 1 Security Standards Compliance Payment Card Industry Data Security Standard PCI DSS Trend Micro Products (Deep Security and SecureCloud) - Detailed Report Document TMIC-003-PD Version 1.1, 23 August 2012

More information

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc.

Payment Card Industry Data Security Standard Training. Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. Payment Card Industry Data Security Standard Training Chris Harper Vice President of Technical Services Secure Enterprise Computing, Inc. March 27, 2012 Agenda Check-In 9:00-9:30 PCI Intro and History

More information

05.0 Application Development

05.0 Application Development Number 5.0 Policy Owner Information Security and Technology Policy Application Development Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 5. Application Development

More information

ALTERNATIVES FOR SECURING VIRTUAL NETWORKS

ALTERNATIVES FOR SECURING VIRTUAL NETWORKS White Paper ALTERNATIVES FOR SECURING VIRTUAL NETWORKS A Different Network Requires a Different Approach Extending Security to the Virtual World Copyright 2013, Juniper Networks, Inc. 1 Table of Contents

More information

Secure Auditor PCI Compliance Statement

Secure Auditor PCI Compliance Statement Payment Card Industry (PCI) Data Security Standard is an international information security standard assembled by the Payment Card Industry Security Standards Council (PCI SSC). The standard was created

More information

PCI v2.0 Compliance for Wireless LAN

PCI v2.0 Compliance for Wireless LAN PCI v2.0 Compliance for Wireless LAN November 2011 This white paper describes how to build PCI v2.0 compliant wireless LAN using Meraki. Copyright 2011 Meraki, Inc. All rights reserved. Trademarks Meraki

More information

PCI DSS 3.1 Security Policy

PCI DSS 3.1 Security Policy PCI DSS 3.1 Security Policy Purpose This document outlines all of the policy items required by PCI to be compliant with the current PCI DSS 3.1 standard and that it is the University of Northern Colorado

More information

Enforcing PCI Data Security Standard Compliance

Enforcing PCI Data Security Standard Compliance Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security & VideoSurveillance Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 The

More information

Introduction...3. Scope...3. Design Considerations...3. Hardware Requirements...3. Software Requirements...3. Description and Deployment Scenario...

Introduction...3. Scope...3. Design Considerations...3. Hardware Requirements...3. Software Requirements...3. Description and Deployment Scenario... APPLICATION NOTE Securing Virtualization in the Cloud-Ready Data Center Integrating vgw Virtual Gateway with SRX Series Services Gateways and STRM Series Security Threat Response Manager for Data Center

More information