03-05-2017 10:41 AM - edited 03-08-2019 09:37 AM
Hi All,
I am tasked with ensuring PCI compliance on computers that process credit card data. I know I can use VLANs for segmenting them from the main network, but should I allow all other VLANs to access the new subnet? If I don't, then file servers or other resources that exist on the main network will be unavailable? What is the best practice?
Thank you,
03-05-2017 11:21 AM
Hi
You could use VLAN ACLs for this kind of task, so you will allow the required access and give double protection (VLAN segmentation and restrictions) to your subnet.
03-05-2017 02:48 PM
Hi,
For PCI compliance, you really need guidelines from your security department, as any organization that deals with credit card information is subject to audit once or multiple times a year (depending on the amount of transactions). As for best practice, you can use router ACLs to allow or disallow communication, but the ACLs need to be logged and sent to a syslog server. In addition, you also have to log all flows and be able to keep the data for a certain amount of time in case you get audited. Overall, firewalls do a better job when it comes to controlling traffic between hosts/segments as well as logging flows based on ports and protocols.
See page 12 in this doc:
https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf
HTH
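The "allow only the required access, deny and log the rest" approach that both replies describe, written out as an added Cisco IOS configuration example. This is not configuration from either poster; the VLAN numbers, addresses, ACL names, the file server, DNS server, admin jump host and syslog collector are all assumed placeholders for a lab topology.

```ios
! Added example, not from this thread. Assumed addressing:
!   VLAN 20 = cardholder data environment (CDE), 10.20.0.0/24
!   VLAN 10 = main network: file server 10.10.0.5, DNS 10.10.0.53,
!             syslog collector 10.10.0.100, admin jump host 10.10.0.200
!
! Traffic leaving the CDE toward other VLANs: only what the CDE hosts need.
ip access-list extended PCI-CDE-FROM
 remark CDE clients to the file server, SMB only
 permit tcp 10.20.0.0 0.0.0.255 host 10.10.0.5 eq 445
 remark CDE clients to internal DNS
 permit udp 10.20.0.0 0.0.0.255 host 10.10.0.53 eq 53
 remark Everything else is dropped and logged for the audit trail
 deny ip any any log
!
! Traffic entering the CDE from other VLANs: return traffic plus admin access.
ip access-list extended PCI-CDE-TO
 remark Replies from the file server and the DNS server
 permit tcp host 10.10.0.5 eq 445 10.20.0.0 0.0.0.255 established
 permit udp host 10.10.0.53 eq 53 10.20.0.0 0.0.0.255
 remark Only the admin jump host may RDP into CDE hosts; each hit is logged
 permit tcp host 10.10.0.200 10.20.0.0 0.0.0.255 eq 3389 log
 remark No other VLAN may reach the CDE
 deny ip any any log
!
interface Vlan20
 description PCI cardholder data environment
 ip address 10.20.0.1 255.255.255.0
 ip access-group PCI-CDE-FROM in
 ip access-group PCI-CDE-TO out
!
! Send the ACL log messages off-box so they can be retained for auditors.
logging host 10.10.0.100
logging trap informational
```

On an SVI, `in` matches packets arriving from hosts in VLAN 20 and `out` matches packets the switch forwards toward them, so the pair above controls both directions. Router ACLs are stateless: `established` only checks TCP flags on the reply, and UDP replies must be permitted explicitly, which is why the second reply recommends a firewall when you need stateful control and per-flow logging. Also note that IOS rate-limits ACL `log` messages, so the syslog records show that a flow was denied but are not a complete flow record.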