Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2719
Views
0
Helpful
6
Replies

Are ACL's good enough for PCI

astroboydivx
Level 1
Level 1

‎05-09-2007 04:14 AM - edited ‎03-11-2019 03:11 AM

Hi there,

Our PCI auditor has said that ACL's and vlaning between test/office/production (cardholder) etc networks are not sufficient, and that we will need firewalls. However at a PCI conference we were advised that ACL's and vlaning were sufficient.

Can anyone advise me what the truth is?

Thanks!

Labels:
0 Helpful
6 Replies 6

chjanoff
Cisco Employee
Cisco Employee

‎05-10-2007 07:56 AM

Hi Astro,

ACLs are not enough protection from our experience with auditors and compensating controls.

VLANs are a sufficient method of segmentation at layer two. You do not require physical separation of your POS network at this layer.

However, at layer 3, you do need a stateful firewall. ACLs do not suffice.

On a side note, Truth is a interesting word, from a compliance perspective. I have heard from retailers that, in general, Audits can vary from QSA to QSA. So, ultimately, I would advise you to work with your auditor to know their version of "truth" and if you believe that they are not being realistic, consider speaking with another QSA. In this particular case, I think you will find that the answer will be consistent across QSAs that you will require a true firewall.

Does this help?

Christian

0 Helpful

bmcgloth
Cisco Employee
Cisco Employee
In response to chjanoff

‎05-10-2007 09:55 AM

You may also need to be concerned with where you are using VLAN's as wheather they are sufficient. If the vlan seperates a public internet segment and a segment with POS, that will probibly not be sufficient. If the MAC table gets overloaded the switch may go into full forwarding mode merging the internet and POS traffic compromising your systems. An overload loke this is not as likely when VLAN'ing private segments. And in any event the Internet traffic would not be merged with private traffic.

0 Helpful

astroboydivx
Level 1
Level 1
In response to bmcgloth

‎07-11-2007 10:19 PM

Thanks for your posts.

0 Helpful

mflanigan
Level 1
Level 1

‎07-14-2007 06:00 PM

The PCI spec does specifically mention stateful "firewalls". We were successful in presenting a 6509 with VLANs for layer 2 segmentation, with the firewall feature set on the MSFC providing stateful capability. It took a bit of discussion, though. I think the auditors in general expect, and are more comfortable with, physical separation.

0 Helpful

pplsi
Level 1
Level 1
In response to mflanigan

‎12-26-2007 12:48 PM

We have had 2 different PCI audits and neither organization would accept ACLs.

0 Helpful

douhanm
Level 1
Level 1
In response to pplsi

‎01-04-2008 01:36 PM

interesting, we are successful with ACL's for internal segmentation and Firewalls for internet and wireless connectivuty

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card