
We placed a jump server in the CDE to restrict direct access to PCI in-scope devices (although I believe it should be outside the CDE; please confirm).

Now, we have opened SQL port 1433 and application ports from the jump server to the prod host in the CDE. If we allow them to run queries from the jump server itself instead of requiring them to log in to the database server and run the query, what's the point of having a jump server?

In my opinion, we should access the jump server and then RDP / SSH into the protected server instead of opening the app and database ports, because by opening the ports we have extended the original server to the jump server, virtually leaving no difference between the jump and protected server.

What are the best practices around this?

I understand there is no one-size-fits-all, but if there are some good do's and don'ts, please suggest whether opening 1433 from the jump server to a critical asset is a good idea.

schroeder
user30026

2 Answers


If a jump server is inside the CDE, any system (e.g. an administrator laptop) using the jump server to access another server will come into the scope of PCI, as any device that touches the CDE has to be part of the PCI scope. This expands the scope of PCI and hence should not be considered a best practice.

user30026

What's the point of having a jump server?

The point of having a jump box is to ensure that proper segmentation between the in-scope and out-of-scope is maintained while granting access to a remote admin port (SSH, RDP, etc.) from the out-of-scope corp net. A jump box should use an independent identity provider (i.e., should not federate with the main corporate Active Directory etc.) and should use 2FA -- essentially requiring secure access as if the corporate network were "untrusted".

The point of segmentation is to ensure that the compromise of an out-of-scope component should not impact the security of in-scope components. If the jump box is properly isolated, compromise of the out-of-scope corp AD domain means the authentication scheme of the jump box is not inherently compromised. For example, if the corp AD is compromised, an attacker couldn't access the jump box. If an attacker guessed/compromised a password for the jump box remote admin service, they would still (ideally) be stopped by the 2FA requirement. The convenience is direct access to the remote service, but these controls ensure it is segmented.

What are the best practices around this?

Regarding your situation, PCI does not directly address these details AFAICT. As long as segmentation as explained above is maintained, your architecture with direct access to MS-SQL does not raise any red flags. Best practices would be to follow the isolation practices above. (The jump box would be in scope for PCI.)

[Note: Hope this helps. My perspective comes from doing PCI pentests in a consulting company and I answered this as if it were a question from a client. I am not a QSA, though.]

deletehead
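The two answers above make two checkable claims: that anything with a network path into the CDE lands in PCI scope, and that the jump host is only worth having if the corp network cannot reach in-scope hosts except through it, on a small approved set of ports. The following is an added example, not code from the question or either answer, that applies both rules to a firewall allow-list. The zone names, host names, port sets and rules are all constructed for illustration; the approved-port set mirrors the question's setup (SSH, RDP and MS-SQL 1433 from the jump host).

```python
"""Added example (not from the original question or answers): apply the
scoping and segmentation rules discussed above to a constructed rule list."""

from dataclasses import dataclass

# Constructed zone model.  "in_scope" hosts hold or process cardholder data,
# "jump" is the jump host, "out_of_scope" is the corporate network.
ZONES = {
    "corp_net": "out_of_scope",
    "admin_laptop": "out_of_scope",
    "jump_host": "jump",
    "cde_db": "in_scope",
    "cde_app": "in_scope",
}

# Ports the jump host is expected to reach on in-scope hosts: remote admin
# (SSH, RDP) plus MS-SQL 1433, mirroring the question's setup.  Assumption.
ALLOWED_FROM_JUMP = {22, 3389, 1433}

# The only entry into the jump host from out of scope: its own remote-admin
# port, assumed to sit behind 2FA and an independent identity provider.
JUMP_ENTRY_PORTS = {3389}


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str = "allow"


def find_violations(rules):
    """Flag allow rules that undermine the segmentation the jump host exists for."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src_zone = ZONES.get(r.src, "unknown")
        dst_zone = ZONES.get(r.dst, "unknown")
        if src_zone == "out_of_scope" and dst_zone == "in_scope":
            # Direct corp-to-CDE path: the jump host is bypassed entirely.
            findings.append(f"{r.src}->{r.dst}:{r.port} bypasses the jump host")
        elif src_zone == "jump" and dst_zone == "in_scope" and r.port not in ALLOWED_FROM_JUMP:
            # Jump host reaching the CDE on something beyond the approved ports.
            findings.append(f"jump_host->{r.dst}:{r.port} is not an approved port")
        elif src_zone == "out_of_scope" and dst_zone == "jump" and r.port not in JUMP_ENTRY_PORTS:
            # Extra services on the jump host widen the surface corp can reach.
            findings.append(f"{r.src}->jump_host:{r.port} exposes a non-admin service on the jump host")
    return findings


def effective_pci_scope(rules):
    """Apply the first answer's rule: any host with an allow path into the CDE
    is itself in scope.  Iterates to a fixed point, so a laptop that reaches
    the jump host, which reaches the CDE, lands in scope as well."""
    in_scope = {h for h, z in ZONES.items() if z == "in_scope"}
    while True:
        added = {r.src for r in rules if r.action == "allow" and r.dst in in_scope} - in_scope
        if not added:
            return in_scope
        in_scope |= added


# Constructed rule set: the question's setup plus a few mistaken rules.
RULES = [
    Rule("admin_laptop", "jump_host", 3389),
    Rule("jump_host", "cde_db", 1433),
    Rule("jump_host", "cde_app", 3389),
    Rule("jump_host", "cde_db", 445),        # SMB to the DB host: not approved
    Rule("corp_net", "cde_db", 1433),        # direct path that bypasses the jump host
    Rule("corp_net", "jump_host", 80),       # web service exposed on the jump host
    Rule("corp_net", "cde_app", 443, "deny"),
]

if __name__ == "__main__":
    for finding in find_violations(RULES):
        print("VIOLATION:", finding)
    print("Effective PCI scope:", sorted(effective_pci_scope(RULES)))
```

Run against the constructed rules, the checker reports the SMB rule, the direct corp-to-database rule and the web service on the jump host, and the scope calculation shows why the first answer objects to the design: the jump host, the corporate network and the admin laptop all inherit PCI scope through their allow paths. The 1433 rule from the jump host alone produces no finding, which is the second answer's point that direct MS-SQL access is acceptable as long as the surrounding segmentation holds.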