There is some disagreement among members of my IT staff over a PCI-compliance scenario.
I have two networks connected through an intermediate corporate network. One of the networks resides behind a firewall (FWSM) and an F5 with a layer 7 firewall. Clients access a secure application through the F5 and firewall.
The other network is also behind firewalls (ASA pair with IPS), and that is where the clients who access the secure application reside. That network also involves layer-2 security and lots of monitoring, etc.
There are two redundant links through the intermediate corporate network to get to the first network. All of the traffic between client and secure application is via https.
One of the engineers is insisting that these two networks have to be directly, physically connected. In other words, the WAN links would have to literally terminate on the firewalls on both sides (the connections are metro-ethernet through AT&T). He says we cannot send traffic through any devices on the corporate network that are not behind firewalls, even though the data is heavily encrypted.
This would involve serious technological hurdles, as the networks are geographically apart, and I need to run routing protocols to provide failover.
Is the engineer correct in terms of PCI compliance, or does this sound like a good setup?