
New Member

SSL and PCI Compliancy ?

I am installing a new 5520 with IPS for a client, and they were asking about the PCI compliance of the SSL(WebVPN) being self signed.  I am not sure what document to find this information from under the PCI DSS.  There was also mention about dual authentication being needed, but without seeing the actual requirements, I am just guessing at it.

If anyone can point me in the right direction or explain the low down on what is required for making SSL PCI compliant, I would be very grateful.

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: SSL and PCI Compliancy ?

I'm not aware of any outright prohibition against self-signed certificates but would personally prefer ones from a trusted root CA - either enterprise PKI or third party. To me, it demonstrates a greater security awareness.

PCI DSS requirement 8.3 does require two-factor authentication:

8.3 Incorporate two-factor authentication for remote access (network-level access originating from outside the network) to the network by employees, administrators, and third parties. (For example, remote authentication and dial-in service (RADIUS) with tokens; terminal access controller access control system (TACACS) with tokens; or other technologies that facilitate two-factor authentication.)

Note: Two-factor authentication requires that two of the three authentication methods (see Requirement 8.2 for descriptions of authentication methods) be used for authentication. Using one factor twice (for example, using two separate passwords) is not considered two-factor authentication.

You can set up an ASA with two-factor schemes (RSA SecurID plus LDAP etc.)

5 REPLIES

Re: SSL and PCI Compliancy ?

Look at pcisecuritystandards.org. You'll see that the PCI DSS says nothing about the type of VPN chosen. Authentication is defined but the specific transport mechanism is not defined.

Sent from Cisco Technical Support iPad App

New Member

Re: SSL and PCI Compliancy ?

Thanks, that is the answer I was looking for.  So using a CA for SSL(Anyconnect Essentials) and Radius/LDAP would meet that requirement?

Hall of Fame Super Silver

Re: SSL and PCI Compliancy ?

You're welcome.

No, the SSL (with or without CA) doesn't have anything to do with authentication per se. That's just protection of the data in transit.

Two-factor authentication would be, for example, being challenged for a PIN from a hardware token (like a SecurID card) after you present your LDAP (or RADIUS or TACACS etc.) credentials. It's often referred to as "something you have (the hardware token generating PINs or passcodes) and something you know (your LDAP password)".

When implementing systems that require PCI compliance, there should be an accreditor in the organization who is cognizant of the requirements levied on the various subsystems and knowledgeable about advising the responsible parties what's expected from them. PCI cannot be looked at solely based on individual pieces of the system but must rather be considered as a whole.
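To make the two points in this thread concrete (the accepted answer's "RSA SecurID plus LDAP" scheme on an ASA, and the later explanation that the certificate only protects data in transit while the second factor comes from a token challenge after the LDAP credentials), here is an added ASA configuration sketch. It is not from any post in this thread and not a Cisco reference configuration; every name, address, DN and secret in it is a placeholder, and it assumes an ASA release with AnyConnect (8.4-style `anyconnect enable` syntax) and an RSA Authentication Manager reachable over RADIUS. Lines beginning with `!` are annotations, not commands.

```cisco
! Added example, not from the thread. Placeholders: CORP-CA, VPN-KEY,
! vpn.example.com, CORP-LDAP, RSA-RADIUS, RA-PCI, 10.0.0.10, 10.0.0.20.

! --- Transport: CA-issued certificate instead of the default self-signed one ---
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint CORP-CA
 enrollment terminal
 fqdn vpn.example.com
 subject-name CN=vpn.example.com,O=Example Corp
 keypair VPN-KEY
! 'crypto ca authenticate CORP-CA' imports the issuing CA certificate,
! 'crypto ca enroll CORP-CA' prints a CSR, and the issued certificate is
! loaded with 'crypto ca import CORP-CA certificate'.
crypto ca authenticate CORP-CA
crypto ca enroll CORP-CA
ssl trust-point CORP-CA outside

! --- Factor 1: something you know (directory password over LDAP) ---
aaa-server CORP-LDAP protocol ldap
aaa-server CORP-LDAP (inside) host 10.0.0.10
 ldap-base-dn dc=example,dc=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn cn=asa-bind,ou=svc,dc=example,dc=com
 ldap-login-password BIND-PASSWORD-PLACEHOLDER
 server-type microsoft

! --- Factor 2: something you have (SecurID passcode, checked via RADIUS) ---
aaa-server RSA-RADIUS protocol radius
aaa-server RSA-RADIUS (inside) host 10.0.0.20
 key RADIUS-SHARED-SECRET-PLACEHOLDER
 authentication-port 1812
 accounting-port 1813

! --- Tunnel group: primary LDAP, then a second prompt for the token passcode ---
tunnel-group RA-PCI type remote-access
tunnel-group RA-PCI general-attributes
 authentication-server-group CORP-LDAP
tunnel-group RA-PCI webvpn-attributes
 secondary-authentication-server-group RSA-RADIUS
 group-alias PCI enable

webvpn
 enable outside
 anyconnect enable
```

The two `aaa-server` groups are what satisfy the "two of three methods" note quoted above: the LDAP bind proves a knowledge factor and the RSA passcode proves a possession factor, so the user is prompted twice for different things rather than for the same password twice. The trustpoint and `ssl trust-point` lines only change which certificate the ASA presents for the TLS session and add nothing to authentication, which matches the distinction drawn in this reply; whether the overall design passes an assessment is still for the organization's PCI accreditor to decide.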

New Member

Re: SSL and PCI Compliancy ?

What would you use for an iPad since it doesn't have a USB connection on it for the key? (BTW I picked up a YubiKey to play with.)
