PCI DSS requires that, where network segmentation is used to reduce the scope of the assessment, the segmentation controls are penetration tested to confirm that the methods used are operational and effective in isolating all out-of-scope systems from systems in the Cardholder Data Environment (CDE).
A robust approach to penetration testing is recommended to satisfy the requirement. By this, we mean actively attempting to identify routes and paths from networks outside of the CDE into the CDE. All segmentation methods employed should be tested. In very large networks with many internal network segments, it may not be practical for the penetration tester to conduct specific tests from every single LAN segment. If this is the case, the penetration test should be planned to examine each type of segmentation methodology in use (e.g., firewall rules, VLAN ACLs, etc.) in order to validate the effectiveness of the segmentation controls. The level of testing for each segmentation method should provide reasonable assurance that the methodology is effective wherever it is used. In order to validate the segmentation methodologies effectively, the penetration tester should be able to demonstrate that they worked with the organisation (or the organisation's QSA) during the planning phase to clearly understand all methodologies in use, so that the testing provides complete coverage.
The penetration tester could choose to include systems located in isolated LAN segments which are not directly related to the processing, transmission, or storage of cardholder data to ensure these systems could not impact the security of the CDE should they be compromised.
Performing PCI Segmentation Checks
The segmentation checks should be performed by conducting the tests used in the initial stages of a network penetration test (e.g., host discovery and port scanning), run from a host inside each segment under test against the CDE address ranges. The penetration tester should be able to verify that each network segment believed to be isolated from the CDE genuinely has no access to the CDE. Where environments have a large number of network segments considered to be isolated from the CDE, a representative subset can be used for testing to reduce the number of segmentation checks that need to be performed. All unique segmentation methodologies should still be covered to ensure that every security control is functioning as intended.
If the segmentation check establishes that the LAN segment does have access into the CDE, either the organisation needs to restrict that access, or a full network-layer penetration test should be performed to characterise the access that exists. Note that any response at all from a CDE host (including a TCP RST for a closed port) shows that traffic crosses the boundary; only probes that are dropped with no reply support the claim that the segment is isolated.
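The checks above produce raw scanner output that still has to be turned into a per-host verdict. The following script is an added example (not KRYPSYS's own tooling) that evaluates nmap grepable output (`-oG`) from a segmentation check run in an out-of-scope segment against CDE address ranges. It treats an open port as a reachable service, a closed or unfiltered port as network-layer access (the host answered, so the boundary passes traffic), and only fully filtered probes as evidence of isolation. The sample scan output embedded in the script is constructed for illustration; the host addresses and port list are assumptions.

```python
"""Evaluate nmap grepable output (-oG) from a PCI segmentation check.

Run from a host in the out-of-scope segment against the CDE ranges, e.g.
    nmap -Pn -sS -p- -oG cde_from_seg12.gnmap 10.20.0.0/24
(-Pn because a host that drops ICMP but accepts TCP is still reachable),
then feed the file to segmentation_report(). Any host that answers at all
is evidence that the segmentation control is not isolating that segment.
"""
import re
import sys
from collections import defaultdict

# Constructed sample (not real scan data): what a scan without -Pn might emit.
# 10.20.0.1 exposes a service, 10.20.0.3 answers with RSTs (no service listening
# on the probed ports but traffic crosses the boundary), 10.20.0.2 drops every
# probe, and 10.20.0.4 never replied to the ping sweep so was not port-scanned.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sS -p 22,443,1433,3306 -oG - 10.20.0.0/29
Host: 10.20.0.1 ()\tStatus: Up
Host: 10.20.0.1 ()\tPorts: 22/open/tcp//ssh///, 443/closed/tcp//https///\tIgnored State: filtered (2)
Host: 10.20.0.2 ()\tStatus: Up
Host: 10.20.0.2 ()\tPorts: 22/filtered/tcp//ssh///, 443/filtered/tcp//https///, 1433/filtered/tcp//ms-sql-s///, 3306/filtered/tcp//mysql///
Host: 10.20.0.3 ()\tStatus: Up
Host: 10.20.0.3 ()\tPorts: 22/closed/tcp//ssh///, 443/closed/tcp//https///, 1433/closed/tcp//ms-sql-s///, 3306/closed/tcp//mysql///
Host: 10.20.0.4 ()\tStatus: Down
# Nmap done at Mon Jan  1 10:00:05 2024 -- 8 IP addresses (3 hosts up) scanned in 5.01 seconds
"""

# Each entry in a gnmap "Ports:" field looks like port/state/proto/owner/service/rpc/version/
_PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp|sctp)/")


def parse_gnmap(text):
    """Return {host: {"status": "Up"|"Down"|None, "ports": [(port, state, proto), ...]}}."""
    hosts = defaultdict(lambda: {"status": None, "ports": []})
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if field.startswith("Status:"):
                hosts[host]["status"] = field.split(":", 1)[1].strip()
            elif field.startswith("Ports:"):
                for port, state, proto in _PORT_RE.findall(field):
                    hosts[host]["ports"].append((int(port), state, proto))
    return dict(hosts)


def classify_host(info):
    """Map one host's probe results to (verdict, reason) for the segmentation check."""
    states = {state for _, state, _ in info["ports"]}
    if "open" in states:
        return ("FAIL", "open service reachable from this segment")
    if states & {"closed", "unfiltered"}:
        return ("FAIL", "host answers probes: boundary passes traffic even with no service on the probed ports")
    if states & {"open|filtered", "closed|filtered"}:
        return ("INCONCLUSIVE", "ambiguous port states; retest with a different scan type")
    if info["status"] == "Down":
        return ("INCONCLUSIVE", "no ping reply; rescan with -Pn so a host that drops ICMP is still port-scanned")
    return ("PASS", "every probe filtered, no response from host")


def segmentation_report(text):
    """Verdict for every CDE host seen in the scan output."""
    return {host: classify_host(info) for host, info in parse_gnmap(text).items()}


def segmentation_holds(text):
    """True only if no host produced evidence of access; inconclusive results do not count as a pass."""
    return all(verdict == "PASS" for verdict, _ in segmentation_report(text).values())


if __name__ == "__main__":
    scan = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GNMAP
    for host, (verdict, reason) in sorted(segmentation_report(scan).items()):
        print(f"{verdict:12} {host:16} {reason}")
    print("segmentation holds" if segmentation_holds(scan) else "segmentation NOT demonstrated")
```

Run it against one `-oG` file per tested segment; a FAIL for any host is the trigger for the restriction or full network-layer test described above, and an INCONCLUSIVE result means the check has to be repeated before the segment can be recorded as isolated.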
If you are affected by the issues raised in this article, please feel free to contact KRYPSYS to see how we can help to resolve them.