Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE

Using the AppGate Network Segmentation Server TO ACHIEVE PCI COMPLIANCE Version 2.0 January 2013 Jamie Bodley-Scott Cryptzone 2012 www.cryptzone.com Page 1 of 12

Contents Preface... 3 PCI DSS - Overview of requirements... 4 Network Segmentation... 4 The AppGate Network Segmentation Server (NSS)... 4 PCI DSS Requirements... 5 1: Install and maintain a firewall configuration to protect cardholder data... 5 2: Do not use vendor-supplied defaults for system passwords and other security parameters... 6 3: Protect stored cardholder data... 7 4: Encrypt transmission of cardholder data across open, public networks... 7 5: Use and regularly update anti-virus software or programs... 7 6: Develop and maintain secure systems and applications... 7 7: Restrict access to cardholder data by business need-to-know... 8 8: Assign a unique ID to each person with computer access... 8 9: Restrict physical access to cardholder data... 10 10: Track and monitor all access to network resources and cardholder data... 10 Summary... 11 Re-establish connectivity fast... 11 Streamlined user experience... 11 High-level separation and protection... 11 Compliance, auditing and logging... 12 Truly flexible control of secure access... 12 Painless segmentation of mature networks... 12 More information... 12 About Cryptzone... 12 Cryptzone 2012 www.cryptzone.com Page 2 of 12

Preface This document describes the twelve requirements defined in the Payment Card Industry (PCI) Data Security Standard (DSS) Requirements and Security Assessment Procedures, Version 2.0 and how the AppGate Network Segmentation Server (NSS) can deliver many of these PCI DSS compliance requirements. The twelve PCI DSS requirements are organized into six logically related groups called the control objectives. The following table illustrates commonly used elements of cardholder and sensitive authentication data whether storage of each data element is permitted or prohibited and if each data element must be protected. This table is not exhaustive, but is presented to illustrate the different types of requirements that apply to each data element. Data Element Storage Permitted Render Stored Account Data Unreadable Primary Account Number (PAN) Yes Yes Cardholder Name Yes No Service Code Yes No Expiration Date Yes No Full Magnetic Stripe Data No CAV2/CVC2/CVV2/CID No PIN/PIN Block No PCI DSS requirements are applicable if a Primary Account Number (PAN) is stored, processed, or transmitted. If a PAN is not stored, processed, or transmitted, PCI DSS requirements do not apply. These security requirements apply to all system components. System components are defined as any network component, server, or application that is included in or connected to the cardholder data environment. The cardholder data environment is that part of the network that possesses cardholder data or sensitive authentication data. Much of the information included in this document has been taken from the PCI DSS Requirements and Security Assessment Procedures, Version 2.0 October 2010 created by the PCI Security Standards Council LLC. The PCI Security Standards Council is an open global forum for the on-going development, enhancement, storage, dissemination and implementation of security standards for account data protection. Read all about the standard at https://www.pcisecuritystandards.org/ Cryptzone 2012 www.cryptzone.com Page 3 of 12

PCI DSS - Overview of requirements Below are summarised the 12 main areas covered by the PCI DSS Requirements and Security Assessment Procedures. Build and Maintain a Secure Network Requirement 1 Requirement 2: Protect Cardholder Data Requirement 3: Requirement 4: Install and maintain a firewall configuration to protect cardholder data Do not use vendor-supplied defaults for system passwords and other security parameters Protect stored cardholder data Encrypt transmission of cardholder data across open, public networks Maintain a Vulnerability Management Program Requirement 5: Requirement 6: Use and regularly update anti-virus software or programs Develop and maintain secure systems and applications Implement Strong Access Control Measures Requirement 7: Requirement 8: Requirement 9: Restrict access to cardholder data by business need-to-know Assign a unique ID to each person with computer access Restrict physical access to cardholder data Regularly Monitor and Test Networks Requirement 10: Requirement 11: Track and monitor all access to network resources and cardholder data Regularly test security systems and processes Maintain an Information Security Policy Requirement 12: Maintain a policy that addresses information security for all personnel There is no defined network security approach to solving the PCI DSS requirements. One of the options is to use Network Segmentation. Network Segmentation Network segmentation of, or isolating (segmenting), the cardholder data environment from the remainder of an entity s network is not a PCI DSS requirement. However, it is strongly recommended by PCI DSS as a method that may reduce: The scope of the PCI DSS assessment The cost of the PCI DSS assessment The cost and difficulty of implementing and maintaining PCI DSS controls The risk to an organization (reduced by consolidating cardholder data into fewer, more controlled locations) Adequate network segmentation, which isolates systems that store, process, or transmit cardholder data from those that do not, may reduce the scope of the cardholder data environment. Without adequate network segmentation (sometimes called a "flat network") the entire network will be in scope of the PCI DSS assessment. Network segmentation can be achieved through a number of physical or logical means, such as properly configured internal network firewalls, routers with strong access control lists (although these are rarely user based controls but IP based), or using the AppGate Network Segmentation Server which can restrict access to a particular segment of a network and by individual user. The AppGate Network Segmentation Server (NSS) AppGate access solutions make it easy for organizations of all sizes to securely provision and control user access to network resources both inside and outside the network. The Network Segmentation Server is an internal secure access gateway that makes it easy to set up and manage segmented networks, providing secure separation for critical systems whilst also enabling essential connectivity and secure access for authorized users. The fact that all transmissions are encrypted also allows for external access to be granted should it be a requirement. Cryptzone 2012 www.cryptzone.com Page 4 of 12

If network segmentation is used to reduce the scope of the PCI DSS assessment, the segmentation must be adequate. At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. Even with a clear understanding of the scope of the cardholder data environment, business needs and processes related to the storage, processing or transmission of cardholder data, traditional segmentation is no easy task. Restricting cardholder data to as few locations as possible by elimination of unnecessary data, and consolidation of necessary data will certainly help. The real problem lies in gluing the systems / connectivity back together afterwards. This might even mean having to reengineer long-standing business practices relating to the network's configuration, the way it is used and even the location of users on the network. This is where the real strength of the NSS lies. All user connections are encrypted and access controlled using context aware rules. This makes the gluing much easier to implement because many less changes are required to the physical network. Effectively a secure virtual network is overlaid onto the physical one. This also has major advantages when looking at network resilience since the virtual network will simply inherit the resilience model of the underlying network. PCI DSS Requirements The flexibility of the NSS means there are aspects of almost all of the 12 requirements in which using network segmentation can help a business to meet its PCI DSS obligations. Below, the first 10 requirements are each covered separately. For most requirements the relevant subsections have been highlighted. In each case an explanation of how the NSS can be used to provide that specific compliance point has been included. The last two requirements; 11: Regularly test security systems and processes and 12: Maintain a policy that addresses information security for all personnel are not areas where the use of the Network Segmentation Server can help deliver PCI compliance. Having said that, if its use makes for a simpler way of achieving PCI compliance, then there are some secondary benefits, such as reduced scope for system/vulnerability scanning and simplified information policies. 1: Install and maintain a firewall configuration to protect cardholder data All systems must be protected from unauthorized access from untrusted networks, whether entering the system via the Internet as e-commerce, employee Internet access through desktop browsers, employee e- mail access, dedicated connections such as business-to-business connections, via wireless networks, or via other sources. Often, seemingly insignificant paths to and from untrusted networks can provide unprotected pathways into key systems. Firewalls are a key protection mechanism for any computer network. NSS is a certified firewall and is classed not only as a standard internal firewall but also an internal firewall which is user based with encryption as far as protecting / segmenting the PCI at-risk network. 1.1 Establish firewall and router configuration standards that include the following: 1.1.3 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone NSS would fulfill the requirement to have a firewall between any given zones. 1.1.4 Description of groups, roles, and responsibilities for logical management of network components The AppGate platform is underpinned by an advanced role based access control system which allows easy management of multiple roles for groups of users who have widely differing responsibilities. 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment. The NSS can handle connections from both trusted and non-trusted networks. Because it is context aware it is very easy to create policies that adapt according to the users situation. Context awareness offers a big advantage over firewalls that can wrongly limit legitimate users access because of the very simple rule-sets they use. The other big advantage of the NSS is that the Cryptzone 2012 www.cryptzone.com Page 5 of 12

majority of access routes are only established after a user has logged in so old firewall rules are never left (open) when they are not required. All connections can be encrypted using algorithms like AES 128 and AES 256. So as well as securing wireless or internet traffic it is possible to build a virtual secure network for say PCI users. 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment. NSS is a firewall as well as an access control solution. One of the key features of an NSS is that it is all off in the no-connections allowed state. If an NSS is used to protect the cardholder data environment, then by default access is blocked. Even if there were no other firewalls in use (and we suggest maybe there should be) then public access would be blocked because they would not have any credentials with which to log in with. It is possible to locate the NSS in the DMZ, in one of the security zones or as a gateway (firewall) between zones. It can work as a proxy server and hides internal addresses through the use of local host addressing and NAT. 1.4 Install personal firewall software on any mobile and/or employee-owned computers with direct connectivity to the Internet (for example, laptops used by employees), which are used to access the organization s network. Part of the AppGate solution includes the AppGate Device Firewall that works with the AppGate Network Segmentation Server to protect the user s device and the network. The Device Firewall controls all inbound and outbound traffic on all adapters and network interfaces, and enforces specific policies. For example, all connections can be closed except the secure VPN before the user is permitted to connect to the cardholder data environment. The Device Firewall can also make sure that user workstations cannot communicate with each other, restricting the ability of viruses and worms to spread between systems. The firewall is centrally managed and easy to install. It has no GUI on the client machine so users do not have to make decisions about traffic filtering. 2: Do not use vendor-supplied defaults for system passwords and other security parameters It is well known that parties external and internal to a company often find vendor default passwords are still in use and that it is possible to exploit vendor default settings to compromise systems. These passwords and settings are well known and easily researched via the internet. Each NSS is supplied with complex and unique administrative and root passwords by default. The default settings are all-off so there is no possibility to compromise protected systems unless you have the unique password(s). 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web- based management and other non- console administrative access. The AppGate system is very often used as a hub for administrative access control. A portal view of all the systems allows access from a single point, provides strong encryption and enables centralized logging and reporting of all administrative accesses. 2.4 Shared hosting providers must protect each entity s hosted environment and cardholder data. These providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers. A.1.2 Restrict each entity s access and privileges to its own cardholder data environment only. Where the NSS is used as the entry point, it then manages the authentication process (which can be multi factor). Thereafter the NSS uses those (trusted) credentials to access downstream systems. This ensures that users will not be able to switch context from one environment to another once through the entry point. A.1.3 Ensure logging and audit trails are enabled and unique to each entity s cardholder data environment and consistent with PCI DSS Requirement 10. Where it is possible to identify the different cardholder data environments from the access point (different ports on a server, different URLs, different VMs, etc) then the system will keep accurate logs of who has had access to which systems when. Cryptzone 2012 www.cryptzone.com Page 6 of 12

3: Protect stored cardholder data Protection methods such as encryption, truncation, masking, and hashing are critical components of cardholder data protection. If an intruder circumvents other security controls and gains access to encrypted data, without the proper cryptographic keys, the data is unreadable and unusable to that person. 3.5 Protect any keys used to secure cardholder data against disclosure and misuse: As with administrative access control, it is also possible to control access to any key stores using the AppGate system. Access would require strong multifactor authentication from known devices or IP addresses and the traffic would then use strong encryption. Again centralized logging and reporting of all key store access could be provided. 4: Encrypt transmission of cardholder data across open, public networks Sensitive information must be encrypted during transmission over networks that are easily accessed by malicious individuals. Misconfigured wireless networks and vulnerabilities in legacy encryption and authentication protocols continue to be targets of malicious individuals who exploit these vulnerabilities to gain privileged access to cardholder data environments. 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks. Crytpzone s AppGate NSS supports the use of strong cryptography and security protocols such as secure sockets layer (SSL) / transport layer security (TLS) and SSH technology to safeguard sensitive cardholder data during transmission over any network. 5: Use and regularly update anti-virus software or programs Malicious software, commonly referred to as malware including viruses, worms, and Trojans enters the network during many business- approved activities including employee e-mail and use of the Internet, mobile computers, and storage devices, resulting in the exploitation of system vulnerabilities. Anti-virus software must be used on all systems commonly affected by malware to protect systems from current and evolving malicious software threats. 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers). The AppGate NSS system can be configured to deploy specific required software such as antivirus when it is detected as missing. 5.2 Ensure that all anti-virus mechanisms are current, actively running, and generating audit logs. The AppGate NSS system is designed to manage (user) access. In so doing, the system can check the status of all connecting PCs. Before any PC can access a protected network, it is checked to ensure anti-virus is installed and running correctly. It is even possible to allow the PC access to remediation services only when anti-virus is not detected or detected out of date. 6: Develop and maintain secure systems and applications Unscrupulous individuals use security vulnerabilities to gain privileged access to systems. Many of these vulnerabilities are fixed by vendor- provided security patches, which must be installed by the entities that manage the systems. All critical systems must have the most recently released, appropriate software patches. 6.3 Develop software applications (internal and external, and including web- based administrative access to applications) in accordance with PCI DSS (for example, secure authentication and logging), and based on industry best practices. Incorporate information security throughout the software development life cycle. The AppGate NSS system can be used as a hub for administrative access control. Specific applications / networks can be set up to only allow inbound connections from the AppGate NSS system or static IP addresses assigned to users from the NSS. This is then able to provide the authentication, authorisation and logging with a higher security model. 6.4.1 Separate development/test and production environments & 6.4.2 Separation of duties between development/test and production environments NSS is designed to provide the separation of development, test, and production environments when you implement Separation of Duties on the business level. The multiport appliances allow Cryptzone 2012 www.cryptzone.com Page 7 of 12

access to be re-established in a very controlled way for instance to only one of the environments at a time. There can be a role for accessing development systems and a role for accessing production systems with clear separation of networks and access. 6.5.8 Improper Access Control, such as insecure direct object references, failure to restrict URL access, and directory traversal (Properly authenticate users and sanitize input. Do not expose internal object references to users.) Where applications have not got sufficient in built controls then the NSS can be used to hide object references, restrict URLs and Directory access. 7: Restrict access to cardholder data by business need-to-know To ensure critical data can only be accessed by authorized personnel. Systems and processes must be in place to limit access based on need to know and according to job responsibilities. Need to know is when access rights are granted to only the least amount of data and privileges needed to perform a job. 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access. The NSS is a role based access control system as opposed to an authorization system (AD / LDAP). This means only entitled individuals will be able to see (or access) the PCI related systems / data. 7.2 Establish an access control system for systems components with multiple users that restricts access based on a user s need to know, and is set to deny all unless specifically allowed. By default the NSS denies all access. The access that is granted can be tailored to users or groups of users. Access is not on or off but filtered. So one group might have access to one web page only (for data input) but nothing else, this would run through an application proxy to improve security and log the activity. 8: Assign a unique ID to each person with computer access Assigning a unique identification (ID) to each person with access ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. 8.1 Assign all users a unique ID before allowing them to access system components or cardholder data. The NSS requires an ID and some form of proof of identity (2 factor authentication). ID on its own is not sufficient to gain access. The IDs can be configured locally (on the AppGate NSS) or be retrieved through interfaces to LDAP/AD. 8.2 In addition to assigning a unique ID, employ at least one of the following methods to authenticate all users: Something you know, such as a password or passphrase; Something you have, such as a token device or smart card; Something you are, such as a biometric. The NSS can be configured to work with many different forms of authentication service including chaining methods together. These include: Password (local and via LDAP / AD), One-Time- Password via GSM/SMS/Hardware Tokens, SecurID, Radius, Certificate. 8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial- in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate twofactor authentication.) Even for the same account ID it is possible to configure different forms of authentication depending on the users context (such as outside the network). So if a password was used on the trusted network, then a token could be mandated when remote access is attempted. 8.4 Render all passwords unreadable during transmission and storage on all system components using strong cryptography. NSS only uses tried and tested protocols such as SSH for connectivity between the users and applications.. All user traffic going to and from the protected network including user authentication is encrypted through the tunnel. 8.5 Ensure proper user identification and authentication management for non- consumer users and administrators on all system components as follows Cryptzone 2012 www.cryptzone.com Page 8 of 12

8.5.3 Set passwords for first-time use and resets to a unique value for each user and change immediately after the first use. Change after first use can be forced when using local accounts. If using Active Directory and a certificate is in place then password policies like first time use can be followed and enforced. 8.5.4 Immediately revoke access for any terminated users. NSS uses a live link to the identity management system (LDAP) so if a record has been deleted or deactivated then access will not be possible for that user. Existing running sessions can be terminated at a click of button by an administrator. 8.5.9 Change user passwords at least every 90 days. Password validity period can be set when using local accounts and Active Directory. 8.5.10 Require a minimum password length of at least seven characters. Password strength rules can be set when using local accounts. Active Directory policies will be enforced and used if this is the store used for user credentials. The AppGate NSS will also enforce password policies that have been put in place directly on the NSS system even when changing AD passwords. The most complex policy will always be adhered to. 8.5.11 Use passwords containing both numeric and alphabetic characters. Password rules include rules about types of characters when using local accounts. Active Directory policies will be enforced and used if this is the store used for user credentials. The AppGate NSS will also enforce password policies that have been put in place directly on the NSS system even when changing AD passwords. The most complex policy will always be adhered to. 8.5.12 Do not allow an individual to submit a new password that is the same as any of the last four passwords he or she has used. Old password can be blocked when using local accounts. Active Directory policies will be enforced and used if this is the store used for user credentials. The AppGate NSS will also enforce password policies that have been put in place directly on the NSS system even when changing AD passwords. The most complex policy will always be adhered to. 8.5.13 Limit repeated access attempts by locking out the user ID after not more than six attempts. NSS includes an automated system for blocking/blackholing (as opposed to locking) after x failed attempts even if the credentials are entered correctly after many failures. If a clean time period is seen (No failures or attempts to login) then the blocking is stopped and users can successfully login again. If an AD policy has the lockout feature enabled then the user account will be locked out and need an administrator to unlock it. 8.5.14 Set the lockout duration to a minimum of 30 minutes or until administrator enables the user ID. NSS can have any lockout window size from seconds to hours or can use the AD policies if that is being used as an account source. 8.5.15 If a session has been idle for more than 15 minutes, require the user to reauthenticate to re-activate the terminal or session. The NSS system has an idle timer which can log the user out of the system. 8.5.16 Authenticate all access to any database containing cardholder data. This includes access by applications, administrators, and all other users. Access control to any application from any type of user is possible with the AppGate NSS. Access can be established for both users and other applications. Cryptzone 2012 www.cryptzone.com Page 9 of 12

9: Restrict physical access to cardholder data Any physical access to data or systems that house cardholder data provides the opportunity for individuals to access devices or data and to remove systems or hardcopies, and should be appropriately restricted. If it is not possible to effect physical separation then the more rigorous controls required by PCI DSS will have to be applied to all systems. Although the NSS is in no way a physical access control system (Control who has access to data centre room doors) it can facilitate the physical separation of the data and systems. The NSS can be configured to use an AppGate Satellite which is in effect a remote 4 port NIC. The connection from the Satellite to the AppGate NSS is encrypted. Access to servers segmented via a Satellite (in a remote location or different part of the network) is configured centrally on the AppGate NSS. With this architecture, it is possible to have. any number of PCI related servers located or relocated to a separate secure location (anywhere). 10: Track and monitor all access to network resources and cardholder data Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs. 10.1 Establish a process for linking all access to system components (especially access done with administrative privileges such as root) to each individual user. NSS can be used as a hub for administrative access control. Specific applications / networks can be set up to only allow inbound connections from the AppGate NSS system which wil force access via this one mechanism and prevent hoping from other systems (even from within the PCI segment). Administrative users would then have to log into the NSS first and have each subsequent connection they established logged within the NSS. 10.2 Implement automated audit trails for all system components to reconstruct the following events: 10.2.1 All individual accesses to cardholder data The AppGate NSS can log all individual accesses to cardholder data. The whole user session is logged including when they started services for access. There are also further possibilities with auditing if AppGate's Application proxies are used. 10.2.3 Access to all audit trails NSS can be used as a hub for log access control. Specific log servers can be located behind the AppGate NSS on a separate network interface to force access via this one mechanism. Administrative users would then have to log into the NSS first and have each subsequent connection they established logged. Application servers can be allowed to talk through the NSS securely to pass their log information to the central log servers. 10.2.4 Invalid logical access attempts Invalid attempts to log into the AppGate NSS are logged. 10.2 5 Use of identification and authentication mechanisms The type of user s authentication used is recorded in the NSS logs 10.2.6 Initialization of the audit logs The logs are handled by a separate log daemon. The starting and stopping of all daemons (including the log daemon) are recorded in the NSS logs. 10.2.7 Creation and deletion of system-level objects The NSS logs any changes within its own administration including creation and deletion of system-level objects. 10.3 Record at least the following audit trail entries for all system components for each event: User identification, Type of event, Date and time, Success or failure indication, Origination of event, Identity or name of affected data, system component, or resource. NSS offers detailed logging of all access events. These include full details of the context of the user access and the resources to which they were connected. The AppGate NSS can also protect central auditing systems which other PCI/DSS systems talk to. Cryptzone 2012 www.cryptzone.com Page 10 of 12

10.4 Using time-synchronization technology, synchronize all critical system clocks and times and ensure that the following is implemented for acquiring, distributing, and storing time. The NSS uses Network Time Protocol (NTP) servers to ensure time is in sync so it is in line with all other systems on the network. 10.5 Secure audit trails so they cannot be altered. 10.5.1 Limit viewing of audit trails to those with a job-related need. 10.5.2 Protect audit trail files from unauthorized modifications. NSS can be used as a hub for log access control. Specific/central log servers can be located behind the AppGate NSS to force access via this one mechanism. User access can then be restricted to roles which are job-related only. 10.5.3 Promptly back up audit trail files to a centralized log server or media that is difficult to alter. 10.5.4 Write logs for external-facing technologies onto a log server on the internal LAN. AppGate NSS logs can be stored on box or sent securely off to a remote syslog server if required. Cyclic redundancy checks (CRC) are done on logs on the NSS and can only be accessed by a root account which can be very tightly controlled. You do not need a root account to manage the NSS. Summary The AppGate NSS makes it easier to be compliant with PCI DSS for every type of organisation. Through its unique way of segmenting networks and enforcing who should be able to access what according to a security policy, AppGate is a cost-effective and secure way to achieve compliance. In brief: Re-establish connectivity fast Once segments have been created, connectivity can be re-established quickly and easily to allow essential access for authorized users and systems eg. critical systems such as SAP or SCADA networks can be isolated from the main business network whilst still allowing reporting information to be passed across. Where network layer 3 connectivity is required, the built-in stateful firewall functionality can allow traffic between servers. Streamlined user experience Users may initiate a secure connection from virtually any type of device: a desktop PC, laptop, Smartphone or PDA, if the policy permits. Kerberos authentication streamlines the process for authenticated users to access resources on a segmented network. Where networks are isolated, entitled users already logged onto one network will be able to connect to a different segment from the same machine. High-level separation and protection All access is blocked until the user s identity is authenticated and their access rights have been confirmed Where access is not granted, services are invisible making it impossible to see or attack corporate assets. Administrators have precise control over who should have access to protected resources, at what time, from which location, from which devices etc. Network traffic is encrypted as standard giving each user a private, secure connection and preventing other users sniffing data. Unauthorized, unencrypted traffic is blocked automatically. Cryptzone 2012 www.cryptzone.com Page 11 of 12

Compliance, auditing and logging In addition to detail logging of all access attempts valid or not, a valid user s access records are all recorded. The same contextual information that drives the access decisions is also recorded in the logs providing very high integrity audit trail. Log levels can be tuned for all the different processes running in an AppGate NSS allowing detail analysis when required. Reporting tools and alerts allow data to be analyzed both in real time and after the fact. Truly flexible control of secure access Access entitlement is based on the user s identity and contextual criteria such as time of day, user s location and authentication method used, providing greater security and flexibility than can be achieved with conventional firewalls. It is easy to remove permissions when the user has moved or left the organization. Policy can be used to isolate a user s machine from the local network when they connect to a different segment if required. All access is monitored and logged. Alarms can be defined eg. when particular systems are accessed, and sent to external systems for immediate action. Painless segmentation of mature networks A single appliance can support multiple secure domains on the network, removing the need to change the network architecture to isolate critical systems. Up to twelve internal security domains or segments can be created to protect critical assets eg. development data, manufacturing systems or PCI at-risk servers, Segment configuration, security policies and user access rights are defined centrally. All traffic from users to application servers on these networks will be checked and controlled reducing the need for internal firewalls. More information If you would like to know more about AppGate and the Network Segmentation Server please follow the links below: AppGate Network Segmentation Server http://www.cryptzone.com/products/appgate/network-segmentation-server/ AppGate Security Server http://www.cryptzone.com/products/appgate/security-server/ About Cryptzone The Cryptzone Group is a technology innovator of proactive controls to mitigate IT security risk. We bring together the people, processes and technology to mitigate information security risks identified in the four key areas of Policy Compliance, Content Security, Secure Access and Endpoint Security. Headquartered in Sweden, the company has offices in the UK, USA and Poland, as well as an extensive partner network with more than 150 global partners. For more information about the company and its solutions: Visit: www.cryptzone.com Tel: Sweden +46 (0)31 773 86 00 USA +1.949.279.6177 UK +44 (0)1252 419990 Email: sales@cryptzone.com Cryptzone 2012 www.cryptzone.com Page 12 of 12