
Does current PCI code require SSH connections be restricted to enumerated (specific) client IP addresses on the unsecure, dirty side? Isn't that outside the scope of the PCI code?

1 Answer


Does current PCI code require SSH connections be restricted to enumerated (specific) client IP addresses on the unsecure, dirty side?

Not really. PCI dictates that there should be firewall rules in place to limit access, but if you can justify an any -> 22/ssh rule, then you've satisfied PCI.

Isn't that outside the scope of the PCI code?

Well, requiring firewall controls is within PCI scope; see §1.2 and §1.2.1 specifically. Interpreting whether the rules you've implemented are secure or insecure is up to the QSA; if you permit protocols like FTP or Telnet which are unencrypted, you need to show compensating controls. But there's no blanket prohibition of any -> rules, which seems to be what you're asking about.

This of course assumes that the device falls within scope, e.g., is part of or connected to your CDE. It sounds from your comments as if the device is completely disjointed from the CDE, in which case DSS doesn't apply. If you're trying to determine if something is in scope or not, I recommend the Guidance for PCI DSS Scoping and Network Segmentation.

gowenfawr
  • According to page 10 of PCI_DSS_v3-2-1, the scope includes, and I'm paraphrasing, any device, software or system that touches cardholder information. Since this is segmented away from the CDE network that contains cardholder data, it's not part of the CDE. Because requirements 1.2 and 1.2.1 are for in-scope, the controls should not apply, right? – talkinggoat Apr 16 '21 at 16:11
  • @talkinggoat correct, DSS does not apply if the device is completely divorced from the CDE. I assumed you were talking about a device that connected the CDE to the "unsecure, dirty side." – gowenfawr Apr 16 '21 at 17:07
  • How does this work, now? Do you want to amend your answer, so it reflects the new understanding? Personally, I think you should keep what you've written and just add to it. – talkinggoat Apr 16 '21 at 19:44
  • @talkinggoat I've appended to the answer to reflect the new understanding from the comments, and to provide some guidance for people who aren't sure whether their systems are in or out of scope. Better? – gowenfawr Apr 16 '21 at 20:17
  • Perfect. Marked it as the accepted answer. – talkinggoat Apr 16 '21 at 21:00