Solved: Hi

eddie.sardinha · ‎03-05-2017

Hi All,

I am tasked with ensuring PCI compliance on computers that process credit card data. I know I can use VLANs for segmenting them from the main network but should I allow all other vlans to access the new subnet? If I don't then file servers or other resources that exist on the main network will be unavailable? What is the best practice?

Thank you,

Julio E. Moisa · ‎03-05-2017

Hi

You could use Vlan ACL for this kind of task, so you will allow the required access and give a double protection (vlan segmentation and restrictions) to your subnet.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

View solution in original post

Julio E. Moisa · ‎03-05-2017

Hi

You could use Vlan ACL for this kind of task, so you will allow the required access and give a double protection (vlan segmentation and restrictions) to your subnet.

>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<

Reza Sharifi · ‎03-05-2017

Hi,

For PCI compliance, you really need guidelines from you security department, as any organization that deal with credit card information is subject to audit ones or multiple times a year (depending on the amount of transaction). As for best practice, you can use router ACL, to allow or disallow communication, but the ACLs need to be logged and send to a syslog server. In addition, you also have to log all flows and be able to keep the data for a certain amount of time in case you get audited. Overall, firewalls do a better job when it comes to controlling traffic between hosts/segments as well as logging flows based on ports and protocols.

See page 12 in this doc:

https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf

HTH

VLANS & PCI compliance