The Data Center Within A Datacenter


Copyright David Seidl, Bob Winding, Mike Chapple,
Bob Richman, 2008. This work is the intellectual
property of the author. Permission is granted for this
material to be shared for non-commercial,
educational purposes, provided that this copyright
statement appears on the reproduced materials and
notice is given that the copying is by permission of
the author. To disseminate otherwise or to republish
requires written permission from the author.
Property of the University of Notre Dame
The Data Center Within A Data Center: Building A Secure Environment For Compliance
EDUCAUSE Security Professionals
May, 2008

Why Are We Here Today?
• Universities are dealing with increasing compliance burdens.
– HIPAA, FERPA, GLBA, PCI DSS, FDA, and more
• Management is more open to solutions that spend up-front money to control staff and infrastructure costs over time.
– Simplification of compliance efforts is key.
• Current technology allows new approaches.
– Virtualization and segmentation

Agenda
• PCI DSS Background
• Notre Dame’s Environment
• Payment Card Environment Design
• Networking Infrastructure
• Deployment: Departments and Decentralized IT

PCI DSS History
Card-brand programs that fed into the Payment Card Industry Data Security Standard (PCI DSS):
• Visa Cardholder Information Security Program (CISP)
• Mastercard Site Data Protection Program (SDP)
• Discover Information Security Compliance Program (DISC)
• American Express Data Security Standard (DSS)

Compliance Requirements: the Digital Dozen
• Build and Maintain a Secure Network
– Install and maintain a firewall configuration to protect cardholder data
– Do not use vendor-supplied defaults for system passwords and other security parameters
• Protect Cardholder Data
– Protect stored cardholder data
– Encrypt transmission of cardholder data across open, public networks
• Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software
– Develop and maintain secure systems and applications
• Implement Strong Access Control Measures
– Restrict access to cardholder data by business need-to-know
– Assign a unique ID to each person with computer access
– Restrict physical access to cardholder data
• Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data
– Regularly test security systems and processes
• Maintain an Information Security Policy
– Maintain a policy that addresses information security

Who Must Comply?
• “Payment Card Industry (PCI) Data Security requirements apply to all Members, merchants, and service providers that store, process or transmit cardholder data.”
• “Additionally, these security requirements apply to all system components which is defined as any network component, server, or application included in, or connected to, the cardholder data environment.”
That Probably Means You

Merchant Levels
• Level 1: Any merchant who processes over 6,000,000 transactions annually, or any merchant designated Level 1 by Visa.
• Level 2: Any merchant who processes between 1,000,000 and 6,000,000 transactions annually.
• Level 3: Any merchant who processes between 20,000 and 150,000 e-commerce transactions annually.
• Level 4: Anyone else.

Merchant Levels
• All merchants, regardless of level, must comply with all elements of the PCI DSS standard!
• Merchants at different levels have different validation requirements.
– Higher merchant levels cost significantly more to meet validation requirements.

Consequences
• Reputational Risk
– What will the impact be on your institution’s brand?
– Mandatory involvement of federal law enforcement in investigation
• Financial Risk
– Merchant banks may pass on substantial fines
– Up to $500,000 per incident from Visa alone
– Civil liability and cost of providing ID theft protection

Consequences
• Compliance Risk
– Exposure to Level 1 validation requirements
• Operational Risk
– Visa-imposed operational restrictions
– Potential loss of card processing privileges

Notre Dame’s Environment, Circa 2006
• Over 70 merchant accounts, 15 applications
• No central oversight
• One day all of that changed…

• (Campus payment diagram)

Notre Dame’s Approach
• First, we conducted a risk assessment in conjunction with a PCI consulting firm
• From that, launched a credit card security program
– First Goal: Minimize on-campus card processing
– Second Goal: Migrate existing systems to a dedicated, isolated network
• Then we worked to reduce our footprint and then secure what was left

Reducing Our PCI Footprint
• Identify merchant accounts and payment locations.
• Assess which systems can be moved to 3rd party vendors.
– Non-specialized systems are the low hanging fruit.
• Simplify environments where possible.

Design Concept
• PCI compliance requirements apply by contagion: anything that touches it becomes infected.
• Separating using acceptable methods decreases your compliance footprint.
• VPN, firewalling, and dedicated infrastructure make control simpler.
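As an added illustration of the contagion idea (example code written for this transcript, not from the presentation): scope is computed as reachability from the cardholder-data systems, and a firewall that blocks a link removes everything behind it from scope. The host names and links are constructed.

```python
"""Added example (not from the slides): PCI scope 'contagion' as reachability.

Anything that can talk to a cardholder-data system is in scope; a firewall
that blocks the path breaks the chain and shrinks the footprint. Host names
and links below are constructed for illustration."""
from collections import deque


def pci_scope(cde_hosts, links, blocked=frozenset()):
    """Return every host reachable from the CDE over links that are not blocked.

    links:   iterable of (a, b) bidirectional connections.
    blocked: set of frozenset({a, b}) pairs that a firewall denies.
    """
    adj = {}
    for a, b in links:
        if frozenset((a, b)) in blocked:
            continue  # segmented: no path, so no contagion across this link
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen = set(cde_hosts)
    queue = deque(cde_hosts)
    while queue:
        host = queue.popleft()
        for nxt in adj.get(host, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


# Constructed campus: a POS server sitting on the same flat network as lab PCs.
CDE = {"pos-server"}
LINKS = [
    ("pos-server", "campus-core"),
    ("campus-core", "lab-pc"),
    ("campus-core", "fileserver"),
    ("pos-server", "ad-controller"),  # required infrastructure: stays in scope
]


def flat_scope():
    """Scope with no segmentation: the whole campus is 'infected'."""
    return pci_scope(CDE, LINKS)


def segmented_scope():
    """Scope once a PCI firewall blocks the POS server from the campus core."""
    return pci_scope(CDE, LINKS, blocked={frozenset(("pos-server", "campus-core"))})


if __name__ == "__main__":
    print("flat:", sorted(flat_scope()))
    print("segmented:", sorted(segmented_scope()))
```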

The Datacenter Within A Datacenter
• Identify all services needed for the card processing systems:
– Management systems
– Infrastructure support
– Compliance systems
– Monitoring systems
• Scope and size systems
• Set standards for those systems

Design: ND’s PCI Architecture
• Architecture diagram not included for public release.

System and Security Components
• Secure Computing Firewall
• Cisco VPN
• Two factor Safeword authentication to infrastructure (VPN)
• Tripwire server integrity assurance
• Juniper IDS
• Qualys vulnerability scanners – inside, campus perspective, and off-campus viewpoints.
– PCI compliance module

System and Security Components
• Infrastructure – NTP, AD, ePO AV, monitoring, IP KVM, central logging, update servers, etc.
• POS clients and servers
– Device configuration standards
• WebInspect
• HighTower SIM device for log and event analysis and monitoring.

Firewall and IDS design
• Firewall isolates all PCI traffic
• Single external physical interface
• Single internal interface with multiple VLANs
• Zones organized by function
• Some special zones for campus systems
• Remote Sites connected through VPN concentrator
• Passive IDS (tried IPS) monitors all internal traffic

Sidewinder Firewall
• Application proxy firewall
• Default deny inbound and outbound
• Group based VPN, access restricted by job function
• Least privilege rule base
• All access explicitly controlled
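An added example (not the presenters' configuration) of what "default deny" with a least-privilege rule base looks like when modelled in code: addresses are mapped to the burbs listed on the Key Internal Zones slide, and only explicitly listed zone-to-zone flows are allowed. The allow rules and port numbers are constructed assumptions.

```python
"""Added example (not from the slides): a default-deny, zone-based rule base
of the kind the Sidewinder slide describes. The burb subnets are the ones on
the Key Internal Zones slide; the rules themselves are constructed."""
import ipaddress

BURBS = {
    "POS":     ipaddress.ip_network("192.168.3.0/24"),
    "DMZ":     ipaddress.ip_network("192.168.5.0/24"),
    "NETMGT":  ipaddress.ip_network("192.168.6.0/24"),
    "BACKUP":  ipaddress.ip_network("192.168.8.0/24"),
    "SCANNER": ipaddress.ip_network("192.168.15.0/29"),
}

# Constructed least-privilege rules: (src burb, dst burb, proto, dst port).
# Anything not listed is denied, and nothing is implied in the reverse direction.
ALLOW = [
    ("DMZ",     "POS",    "tcp", 443),    # web tier to application tier only
    ("NETMGT",  "POS",    "tcp", 22),     # admins manage app servers over SSH
    ("SCANNER", "POS",    "any", None),   # inside-perspective vulnerability scans
    ("SCANNER", "DMZ",    "any", None),
    ("POS",     "BACKUP", "tcp", 10080),  # hypothetical backup agent port
]


def burb_of(addr):
    """Map an address to its burb; anything outside the listed subnets is EXTERNAL."""
    ip = ipaddress.ip_address(addr)
    for name, net in BURBS.items():
        if ip in net:
            return name
    return "EXTERNAL"


def decide(src, dst, proto, port):
    """First matching allow rule wins; no match means the default deny applies."""
    s, d = burb_of(src), burb_of(dst)
    for rs, rd, rp, rport in ALLOW:
        if (rs, rd) != (s, d):
            continue
        if rp != "any" and rp != proto:
            continue
        if rport is not None and rport != port:
            continue
        return "allow"
    return "deny"


if __name__ == "__main__":
    print(decide("192.168.5.10", "192.168.3.20", "tcp", 443))   # allow
    print(decide("192.168.3.20", "192.168.5.10", "tcp", 443))   # deny (no reverse rule)
```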

Key Internal Zones
(Zone diagram; the burbs and subnets shown are:)
• POS BURB (192.168.3.0/24) – Application Servers
• DMZ BURB (192.168.5.0/24) – Public Web Servers, DNS
• NETMGT BURB (192.168.6.0/24) – IDS/IPS Sensor, network gear interfaces
• Odyssey Burbs – 192.168.7.0/24 Odyssey Private; 192.168.58.240/29 Odyssey Public
• Backup BURB (192.168.8.0/24) – Scribe
• Scanner BURB (192.168.15.0/29) – scanner

Isolating Systems
• Diagram not provided for public release.

Isolating Systems
All system interfaces are on dedicated logical firewall interfaces.
(Diagram labels: Internet/Campus; Datacenter Firewall; PCI Firewall with Private PCI Interface and Public; Vulnerability Scanner; Datacenter Private; Central Backup; Odyssey.)

Network Design
From the PCI Standards Document:
1. Encryption of data over open, public networks
2. Follow change control procedures
3. Review logs for all system components daily

Challenges
Encryption of data over open, public networks.
• Required over ‘secure’ vlans?

Challenges
Follow change control procedures.
– Initial design thoughts incorporated ‘secure’ vlans that we present at each endpoint on campus.
– This would have involved implementing change control on more than 150 network devices, including access layer switches.
Review logs for all system components daily.
– Workload for 150 devices would have been high.

(Diagram: Devices requiring change control with ‘secure’ vlan)

Our solution: Remote site VPNs
• Utilizes Cisco 3015 VPN concentrator with Cisco 851 VPN routers for endpoints.
• Extends the PCI network where we need it.
• We provide user subnet space based on customer need:
– Stand-alone credit card terminals
– POS devices
– Single use computers

Additional Benefits of VPN
• The VPN tunnel provides a secure method of managing network devices.
• Provides a means of remote access for system administrators.
• Fewer devices to manage.
• Provides for easier additions to the PCI network.

Deployment: Departments and Decentralized IT

Two Types of Support
• Central IT
– Fewer technical users.
– Existing payment solutions are often inherited.
– Responsibility for payment system is often not clearly defined.
• Departmental IT
– Internal processes and procedures.
– Often very small staff, broad responsibilities.
– Payment solutions are often provided by external vendors.
– Responsibility for payment system is often inherited.

Existing Systems
• Food Services
– Many terminals
– Other services blended in: vending machines, food service displays, and campus “Domer Dollars”
– Many locations
– Blend of commercial and custom software
– Departmental IT
• Theater Ticketing and Events
– Single location
– Mobile and static workstations
– Web driven
– Single commercial software package
– Only standard transactions
– Central IT

Deployment Steps
• Review existing architecture
• Design solution
• Build required resources
• Test
• Migrate into production
– Often in phases
– Often unexpected hurdles due to legacy systems and applications

Challenges
• Process: creating a controlled system for adding new systems and handling changes.
• Lack of vendor documentation of protocols – many large, high port groupings, reliance on local broadcast for discovery, etc.
• Split system administration
• DR for systems designed without DR capabilities.

Lessons Learned
• Review vendor documentation and current implementation.
– Historic designs are often still in use.
• Dataflow diagrams are crucial.
• Provide a fast troubleshooting process and a defined support team.
• Provide a single point of responsibility with backup for migrations.

Questions