I'm using the 3/2/1 network segmentation model from the Open PCI DSS Scoping Toolkit and I'm running into a bit of a mental roadblock. I have a phone system (Mitel 5000 series, if it matters) that is on my segmented internal network.

The phone system appears to be firewalled. nmap shows only standard web and SSH management ports. However, this system technically is level 1 as we do take a large number of calls that contain cardholder information.

Based on the toolkit this is technically a breach since L3 systems can potentially access a L1. At the same time the only access across the network is encrypted management traffic. That meets the PCI-DSS specs for any publicly available network.

How do I treat this situation? Why?

Note - I'm aware that the QSA is the final answer on this as on any PCI-related question. I'm looking more for best practice and the logic behind it for these kinds of cases.

Tim Brigham

1 Answer

The telephony network is in scope because it transmits cardholder data. The telephony network appears to be on its own network segment (L1) with controlled access only for administration.

You could use a bastion host for administration of all L1 systems. The bastion host could be located in its own L2 segment. This bastion host could be used by L3 systems as an administrative proxy for systems in L1/L2 segments. Access to the administrative interfaces could be limited to that bastion host only.

The above would also suit for a remote worker. That worker would use two-factor authentication to access the internal network then use a session on the bastion host to manage systems within the L1 and L2 networks.

While the Open PCI Scoping Toolkit has its merits for guidance, if you follow it strictly I find it loses some sense.

It's worth remembering that the next version of the PCI DSS will be released in October of this year (2013) and will probably have new requirements such that segmentation will no longer be adequate and isolation will be required. In your example above, you may have a trusted cardholder data environment and a fully separate untrusted corporate environment which would require two-factor authentication and separate authentication systems. More detail on this should be available in September.

AndyMac
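The bastion-host design in the answer, as an added example that is not part of the question or answer: a small checker for the toolkit's 3/2/1 rule (no L3 host may reach an L1 host directly, and L1/L2 management ports are reachable only from an L2 bastion). Host names, categories and flows are constructed for illustration.

```python
from dataclasses import dataclass

ADMIN_PORTS = {22, 443}  # SSH and HTTPS management ports, as in the nmap result


@dataclass(frozen=True)
class Flow:
    src: str   # source host
    dst: str   # destination host
    port: int  # destination TCP port


def check_flows(categories, bastions, flows):
    """Return (flow, reason) pairs that break the 3/2/1 segmentation policy.

    categories maps host -> toolkit category (1, 2 or 3); bastions is the set
    of approved administrative jump hosts, which must themselves sit in L2.
    """
    violations = []
    for host in bastions:
        if categories.get(host) != 2:
            violations.append((None, f"bastion {host} is not in an L2 segment"))
    for flow in flows:
        src_cat, dst_cat = categories[flow.src], categories[flow.dst]
        if src_cat == 3 and dst_cat == 1:
            violations.append((flow, "L3 host reaches an L1 host directly"))
        elif (dst_cat in (1, 2) and flow.dst not in bastions
              and flow.port in ADMIN_PORTS and flow.src not in bastions):
            violations.append((flow, "management port reachable from a non-bastion host"))
    return violations


# Constructed inventory: a workstation in L3, the phone system in L1,
# and a jump host plus a log collector in L2.
CATEGORIES = {"ws-finance": 3, "mitel-phone": 1, "jump-host": 2, "syslog": 2}
BASTIONS = {"jump-host"}


def current_design():
    """The situation in the question: an L3 workstation manages the phone system directly."""
    flows = [Flow("ws-finance", "mitel-phone", 443), Flow("ws-finance", "mitel-phone", 22)]
    return check_flows(CATEGORIES, BASTIONS, flows)


def bastion_design():
    """The answer's proposal: L3 reaches only the jump host, which reaches L1."""
    flows = [Flow("ws-finance", "jump-host", 22),
             Flow("jump-host", "mitel-phone", 22),
             Flow("jump-host", "mitel-phone", 443)]
    return check_flows(CATEGORIES, BASTIONS, flows)


if __name__ == "__main__":
    for name, result in (("current", current_design()), ("bastion", bastion_design())):
        print(name, "->", result or "no violations")
```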