I understand that it may be a best practice to hide in-PCI-scope-elements like databases inside a VLAN without a public address and also strict firewall rules.

However, my question is: can interconnected dedicated servers with public IP addresses each, that follow strict inbound and outbound firewall rules for every connection, also be PCI DSS compliant?

This seems to be a dumb question but at work they interpreted the PCI DSS guidelines as the requirement that servers must not have a public IP address (not speaking about the front-end servers though).

Vilican
  • It's not a dumb question at all. Just to clarify something: do any of your in-scope database servers holding PII directly interact with traffic from the internet? – mostlyinformed Jan 30 '16 at 00:39
  • @halfinformed yes, but only traffic that is restricted by source IP and destination IP for cases like updating the software using the official repositories. Everything unwanted is dropped though. We also plan to put a mysql proxy software like maxscale in front of the databases services. – BitLegacy01 Feb 01 '16 at 12:58
  • I mean, for me it sounds like you might actually just have a pretty straightforward matter about having compliant firewall policies in place to protect those servers from the Internet. Which, in turn, basically breaks down to (1) does your firewall allow any *inbound* traffic from the general Internet (off-hand, it sounds like you shouldn't have any need for that), and (2) ensuring your outbound traffic can only go to a small number of carefully specified, trusted IP addresses and/or domains to do a few essential things. (Very restrictive whitelisting, really.) – mostlyinformed Feb 02 '16 at 06:54
  • Actually, at first I thought your question was about segmentation--segmenting off your server zone (so to speak) from the rest of your internal network so that if one of your machines in the network was compromised an attacker would find it very hard or impossible to get to those servers and the info on them. Which under PCI also has the nice effect of rendering the machines not in the segment out-of-scope for purposes of the PCI rules. (I think the Answer you got below also comes at this from the segmentation standpoint, not the border firewall standpoint.) – mostlyinformed Feb 02 '16 at 07:20
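The allow-listing policy described in the comments above (no inbound from the general Internet, outbound only to a few trusted destinations), as an added example that is not from the question or any answer: a small Python audit of a host firewall policy. The rule model, the check names and the sample addresses (RFC 5737 documentation ranges) are all constructed for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional

ANY = "0.0.0.0/0"

@dataclass(frozen=True)
class Rule:
    direction: str              # "in" or "out"
    action: str                 # "accept" or "drop"
    src: str                    # CIDR the new connection comes from
    dst: str                    # CIDR the new connection goes to
    dport: Optional[int] = None # None means any destination port

def audit_policy(rules, trusted_out):
    """Return a list of findings; an empty list means the policy passes:
    (1) both chains end in a catch-all drop, (2) no inbound accept is open
    to the whole Internet, (3) every outbound accept targets an allow-listed
    network (trusted_out is a hypothetical list of CIDRs)."""
    findings = []
    allowed = [ip_network(n) for n in trusted_out]
    for d in ("in", "out"):
        chain = [r for r in rules if r.direction == d]
        if not chain or chain[-1] != Rule(d, "drop", ANY, ANY):
            findings.append(f"{d}: chain does not end with a catch-all drop")
    for r in rules:
        if r.action != "accept":
            continue
        if r.direction == "in" and ip_network(r.src).prefixlen == 0:
            findings.append(f"in: port {r.dport or 'any'} accepts traffic from the whole Internet")
        if r.direction == "out" and not any(ip_network(r.dst).subnet_of(a) for a in allowed):
            findings.append(f"out: {r.dst} is not an allow-listed destination")
    return findings

# Constructed sample networks (RFC 5737 documentation ranges, not real hosts).
APP_SERVERS, JUMP_HOST, REPO_MIRROR = "203.0.113.0/24", "198.51.100.5/32", "192.0.2.10/32"
TRUSTED_OUT = [APP_SERVERS, REPO_MIRROR]

# Weak policy: database port open to everyone, unrestricted egress.
WEAK = [Rule("in", "accept", ANY, ANY, 3306), Rule("in", "drop", ANY, ANY),
        Rule("out", "accept", ANY, ANY), Rule("out", "drop", ANY, ANY)]
# Strict policy of the kind discussed in the comments: only the app tier reaches
# MySQL, one admin host reaches SSH, egress only to the package mirror and app tier.
STRICT = [Rule("in", "accept", APP_SERVERS, ANY, 3306), Rule("in", "accept", JUMP_HOST, ANY, 22),
          Rule("in", "drop", ANY, ANY), Rule("out", "accept", ANY, REPO_MIRROR, 443),
          Rule("out", "accept", ANY, APP_SERVERS), Rule("out", "drop", ANY, ANY)]

if __name__ == "__main__":
    for name, policy in (("weak", WEAK), ("strict", STRICT)):
        print(name, audit_policy(policy, TRUSTED_OUT) or ["OK"])
```

The audit only inspects rule structure, so it complements, rather than replaces, the stateful connection tracking and logging a real host firewall provides.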

1 Answer

The short answer is yes, but it's more difficult.

The main principle of using VLANs to segregate the PCI DSS environments is reducing scope for assessment and maintenance. If you reduce the scope, then only the servers which need to be compliant are assessed.

If you don't segregate, then the rest of your network (and all the users of those devices) come under scope, too. It's not impossible, but it does complicate matters a lot more than simply configuring VLANs on your network.

Jozef Woods
  • And by "more difficult", @Jozef means "much, much, much more expensive, burdensome, and risky". – Anti-weakpasswords Jan 31 '16 at 05:24
  • @Anti-weakpasswords Implying in-VLAN-scope servers don't need the same amount of hardening (firewalls, proxies, double authentication). – BitLegacy01 Feb 01 '16 at 13:07
  • @BitLegacy01 No, they do, but you don't need the same level of hardening, policy and change control on EVERY server, machine and user. – Jozef Woods Feb 01 '16 at 18:17