At least two or three times each week we’re asked how NetFlow relates to PCI compliance. Our answer is crisp and simple. No fancy requirement references or complicated legal speak, just practical advice that’s actually useful for those concerned with the PCI audit process. There are three key areas NetFlow and IPFIX analysis can aid the enterprise as it relates to PCI:
Verify Access Controls and Ensure Server Isolation
A core aspect of PCI compliance is isolation of payment card information from untrusted hosts such as the Internet, BYOD wireless environments, and guest networks. Firewalls are the primary mechanism used by IT to isolate PCI-sensitive servers. As the firewall rule-base increases in complexity, so does the likelihood of a mistake that could expose sensitive PCI assets to potential attackers.
Network flows can be used to verify firewall rules are properly implemented and identify faults in firewall policies. Administrators can set up flow-based thresholds that alarm when an error in an access control policy occurs.
Investigate Potential Threats and React Quickly
Once implemented, a NetFlow / IPFIX collector such as Plixer’s Scrutinizer NetFlow Analyzer maintains a 24x7x365 audit trail of all network communications. Every IP communication that occurs on the network is stored and indexed by the NetFlow collector. This continuous monitoring process extends to any device on the network that supports NetFlow or IPFIX such as Cisco Catalyst switches, Enterasys devices, Palo Alto firewalls, and even VMware servers. So when someone calls you and says “we had a hickup with the VisaNet PCI server last night at 7pm” you can quickly pull up a list of all active connections to/from the server around the time frame in question. You can then compare the server’s behaviors to the same period the previous night or even the previous week at the same time.
Flows will CYA in case of an intrusion and mitigate further damage from attacks such as APTs or insider threats. You’ll get to the root cause faster as a result of flow-based network auditing.
Impress the Auditors
When the auditor is standing over your shoulder and asking questions like “how do you verify that your PCI-sensitive data isn’t exposed to the Internet?” or “what do you do when an intrusion occurs?” you’ll be able to point to your Scrutinizer NetFlow Analyzer and say “we use network flow analysis technology to audit, verify, and quickly react to potential threats”.
Bottom line: The auditor will be impressed. You’ll look good. Your boss will look good. Everyone wins. Flow analysis technology is the hallmark of a sophisticated IT program and will indicate to the auditor that you know what you’re doing and that the customer’s credit card information is in good hands.
To learn more about how NetFlow and IPFIX can help you maintain PCI compliance contact us. In the mean time download a free 30 day evaluation of Scrutinizer and see for yourself how powerful flows can be for PCI compliance.
Tags: firewall validation, ipfix, NetFlow, pass pci audit, pci compliance