networking-forum.com
All times are UTC - 6 hours [ DST ]
 Post subject: PCI DSS
PostPosted: Tue May 01, 2012 10:01 am 
New Member

Joined: Sun Aug 03, 2008 9:35 am
Posts: 40
Location: Perth, Australia
Certs: CCNP
Hi All,

Does anyone here have to manage a PCI DSS compliant environment? If so, any tips on designing and building a network focused around PCI compliance? At the moment I'm still picking up the pieces where I am, but most of the environment goes against all good design policies. Collapsed core, with layer 2 from access all the way to the core...

We have 3 sites, all connected by VPLS (which, by the way, is horrible), and the VPLS connects into the core switches at each location. None of the core does any real routing except at the office data centre, where it is the first hop for a number of VLANs, but even then the VLANs can't be terminated there, as other devices at other sites exist on those VLANs. All routing is done by Checkpoint firewalls at the primary and DR sites, with the Checkpoints in a VRRP cluster, and not load balanced. Essentially, everything is reliant on the firewalls, which is a horrible idea because it's slow, and Checkpoint are flaky at best. STP is a pain to manage across 3 sites with VPLS, and having such a large impact domain makes the network quite fragile.

So it sounds like they went with this design for a few reasons:

1) The systems team wants L2 between all sites so that they can fail to a DR host without failing over an entire subnet - they just bring up the active IP on the host at another location and away they go.

2) They put everything through the firewalls so it can be logged and because PCI requires firewalling between cardholder environments, etc. Any thoughts on better ways of doing this? The firewalls are the real problem in that, amongst a lot of other problems, they don't really do dynamic routing very well, so I can't really migrate us to a true HA L3 core with that kind of hindrance.

Anyways, I'm not hugely experienced with this kind of network design - my most networking-orientated gig before this was work for a hosting provider on their edge, so I was dealing with BGP and MPLS all day long... Almost have my CCNP, just got a little to learn, so not fully up to date there either.

Anyways, would be nice to hear from others with experience in this realm and how they have done things, and based on other experiences, hopefully can work out some ways forward. Obviously it is going to take quite some time to make changes, as big changes move very slowly in environments like this.

Cheers,

Mark


 Post subject: Re: PCI DSS
PostPosted: Tue May 01, 2012 11:08 am 
Post Whore

Joined: Fri Apr 25, 2008 2:16 pm
Posts: 1375
Location: Jacksonville, FL
Certs: CCNP, CCNA:Sec, MCSE
I work for an eCommerce company that is compliant with PCI-DSS 2.0 as a Level 2 merchant. The easiest thing to do is to limit your cardholder environment as much as possible, to keep the scope small.

If your firewalls are the problem, replace them; failing PCI compliance is more expensive than replacing a few firewalls or redesigning your network.

_________________
"A problem well stated is a problem half solved". (Charles Kettering)


 Post subject: Re: PCI DSS
PostPosted: Tue May 01, 2012 11:29 am 
Ultimate Member

Joined: Thu Nov 04, 2010 9:55 am
Posts: 937
Location: Austin, Tx
Certs: CCNA
As Dinger said, keep the scope as small as possible. Anything that crosses or has any kind of access to your cardholder environment/VLAN will bring that VLAN/network into your PCI scope, which brings things that have access to that into the scope, etc., and it can snowball from there.

_________________
The best part about telling UDP jokes is I don't really care if you get them or not.


 Post subject: Re: PCI DSS
PostPosted: Tue May 01, 2012 7:09 pm 
New Member

Joined: Sun Aug 03, 2008 9:35 am
Posts: 40
Location: Perth, Australia
Certs: CCNP
Thanks Guys.

Understood about limiting scope, that is essentially what we have done, through the use of an abundance of VLANs. I guess I'm not really looking for tips on how to be compliant (as we are PCI DSS 2.0 Level 1 compliant already) but more around ways to make the network more traditionally designed, without relying on the firewalls. Also, how you did Layer 3 segmentation as opposed to Layer 2 would be awesome.


 Post subject: Re: PCI DSS
PostPosted: Tue May 01, 2012 7:42 pm 
Post Whore

Joined: Fri Apr 25, 2008 2:16 pm
Posts: 1375
Location: Jacksonville, FL
Certs: CCNP, CCNA:Sec, MCSE
At least according to my auditors, they only care about the in-scope VLANs and the cardholder environment. They don't care about how the rest of the network is designed.

_________________
"A problem well stated is a problem half solved". (Charles Kettering)


 Post subject: Re: PCI DSS
PostPosted: Wed May 02, 2012 8:11 am 
Post Whore

Joined: Sat Oct 20, 2007 11:05 am
Posts: 1953
Location: Plano, TX
Certs: CCNA
From the PCI manual:
Quote:
The primary account number is the defining factor in the applicability of PCI DSS requirements. PCI DSS requirements are applicable if a primary account number (PAN) is stored, processed, or transmitted. If PAN is not stored, processed or transmitted, PCI DSS requirements do not apply.

This means that any device that does this is in scope. If an ESX host has an in-scope VM, all VMs on that host are in scope. If a core switch has a VLAN that is in scope, the whole switch is in scope.
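The scope "snowball" described in the two replies above (access to an in-scope system pulls the accessor in; an in-scope guest pulls in its whole ESX host or core switch and everything else on it) can be checked mechanically before an auditor does it for you. The following is an added example, not code from the thread; the inventory, host and system names are constructed for illustration.

```python
from collections import deque

# Constructed inventory for illustration only (hypothetical names).
# Systems that store, process or transmit PAN seed the scope.
PAN_SYSTEMS = {"payment-app", "card-db"}

# Permitted access paths, summarised from firewall rules and VLAN ACLs:
# source -> destinations it may initiate connections to.
ACCESS = {
    "web-frontend": {"payment-app"},
    "payment-app": {"card-db"},
    "jump-host": {"payment-app", "hr-app"},
    "hr-app": {"hr-db"},
}

# Shared infrastructure (guest -> ESX host). Read "core switch" for the
# host and "VLAN" for the guests and the same rule applies.
HOSTED_ON = {
    "payment-app": "esx-01", "wiki": "esx-01", "card-db": "esx-02",
    "jump-host": "esx-03", "hr-app": "esx-03", "hr-db": "esx-03",
    "web-frontend": "esx-04",
}

# Same environment after moving the shared admin box and the wiki onto
# hosts that carry nothing else.
SEGMENTED_HOSTED_ON = {**HOSTED_ON, "jump-host": "esx-05", "wiki": "esx-06"}


def compute_scope(pan_systems, access, hosted_on):
    """Return every asset in PCI DSS scope: the PAN seeds plus contagion."""
    reaches = {}  # target -> sources allowed to connect to it
    for src, dsts in access.items():
        for dst in dsts:
            reaches.setdefault(dst, set()).add(src)
    guests = {}  # host -> guests it carries
    for guest, host in hosted_on.items():
        guests.setdefault(host, set()).add(guest)

    in_scope = set(pan_systems)
    queue = deque(in_scope)
    while queue:
        asset = queue.popleft()
        # Anything that can reach an in-scope asset joins the scope.
        pulled_in = set(reaches.get(asset, ()))
        # An in-scope guest drags in its host and every co-tenant.
        if asset in hosted_on:
            pulled_in |= {hosted_on[asset]} | guests[hosted_on[asset]]
        for newcomer in pulled_in - in_scope:
            in_scope.add(newcomer)
            queue.append(newcomer)
    return in_scope
```

Run against the as-built inventory, the shared jump host on esx-03 drags the HR systems into scope; the segmented variant leaves them out.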
 Post subject: Re: PCI DSS
PostPosted: Wed May 02, 2012 10:30 pm 
New Member

Joined: Sun Aug 03, 2008 9:35 am
Posts: 40
Location: Perth, Australia
Certs: CCNP
My question wasn't around what is in scope or out of scope, but more around Layer 3 network design as a whole. And FYI, anything with cardholder data, whether PAN or not, is in scope for us, but yes, networks with PAN are most important, and as such we physically and logically segregate them, with no routing in or out.
