SSL and PCI Compliancy ?

tahequivoice
Level 2

I am installing a new 5520 with IPS for a client, and they were asking about the PCI compliance of the SSL(WebVPN) being self signed.  I am not sure what document to find this information from under the PCI DSS.  There was also mention about dual authentication being needed, but without seeing the actual requirements, I am just guessing at it.

If anyone can point me in the right direction or explain the low down on what is required for making SSL PCI compliant, I would be very grateful.

5 Replies

Jeff Van Houten
Level 5

Look at pcisecuritystandards.org. You'll see that the PCI DSS says nothing about the type of VPN chosen. Authentication is defined but the specific transport mechanism is not defined.

Sent from Cisco Technical Support iPad App

Marvin Rhoads
Hall of Fame
Accepted Solution

I'm not aware of any outright prohibition against self-signed certificates but would personally prefer ones from a trusted root CA - either enterprise PKI or third party. To me, it demonstrates a greater security awareness.

PCI DSS requirement 8.3 does require two-factor authentication:

8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)

Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

You can set up an ASA with two-factor schemes (RSA SecurID plus LDAP etc.)

Thanks, that is the answer I was looking for.  So using a CA for SSL(Anyconnect Essentials) and Radius/LDAP would meet that requirement?

You're welcome.

No, the SSL (with or without CA) doesn't have anything to do with authentication per se. That's just protection of the data in transit.

Two-factor authentication would be, for example, being challenged for a PIN from a hardware token (like a SecurID card) after you present your LDAP (or RADIUS or TACACS etc.) credentials. It's often referred to as "something you have (the hardware token generating PINs or passcodes) and something you know (your LDAP password)".

When implementing systems that require PCI compliance, there should be an accreditor in the organization who is cognizant of the requirements levied on the various subsystems and knowledgeable about advising the responsible parties what's expected from them. PCI cannot be looked at solely based on individual pieces of the system but must rather be considered as a whole.
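The two separate controls discussed in this thread (a CA-issued certificate for the SSL listener, and two distinct authentication factors for remote access) map to different parts of an ASA configuration. The following is an added example, not configuration from the original thread or from Cisco documentation; it assumes an ASA running 8.2 or later (which introduced "double authentication" for SSL VPN tunnel groups), and every name, hostname, address and DN in it (PUBLIC_CA, vpn.example.com, LDAP_SRV, RSA_SRV, 10.0.0.10, 10.0.0.20, the service-account DN, GP_SSLVPN, SSLVPN) is a constructed placeholder.

```text
! --- Transport protection: trusted CA certificate for the WebVPN/AnyConnect listener ---
! Replaces the default self-signed certificate. The key is generated and the CSR
! handled out of band, e.g.:
!   crypto key generate rsa label VPN_KEY modulus 2048
!   crypto ca enroll PUBLIC_CA            (produces the CSR)
!   crypto ca import PUBLIC_CA certificate (pastes the signed certificate back in)
crypto ca trustpoint PUBLIC_CA
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Inc
 keypair VPN_KEY
ssl trust-point PUBLIC_CA outside

! --- Factor 1: something you know (directory password via LDAP) ---
aaa-server LDAP_SRV protocol ldap
aaa-server LDAP_SRV (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=svc-asa,ou=service,dc=example,dc=com
 ldap-login-password <placeholder-bind-password>
 server-type microsoft

! --- Factor 2: something you have (RSA SecurID token, native SDI protocol) ---
aaa-server RSA_SRV protocol sdi
aaa-server RSA_SRV (inside) host 10.0.0.20

group-policy GP_SSLVPN internal
group-policy GP_SSLVPN attributes
 vpn-tunnel-protocol svc

! --- Tunnel group: primary and secondary authentication server groups are different
!     factors, so a user must pass both before the session is established ---
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
 authentication-server-group LDAP_SRV
 secondary-authentication-server-group RSA_SRV
 default-group-policy GP_SSLVPN
tunnel-group SSLVPN webvpn-attributes
 group-alias SSLVPN enable
```

The point of the pairing is the one Marvin makes above: the certificate only authenticates the ASA to the client and protects data in transit, while the two aaa-server groups are what satisfy the "two of three methods" wording of requirement 8.3. Pointing both `authentication-server-group` and `secondary-authentication-server-group` at two password stores would be "one factor twice" and would not qualify. Each server group can be exercised from the CLI before users are cut over with `test aaa-server authentication <group> host <ip> username <user> password <pw>`, which reports whether the ASA can reach and authenticate against that backend.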

What would you use for an iPad since it doesn't have a USB connection on it for the key? (BTW I picked up a Yubikey to play with.)