Michael McNamara

technology, networking, virtualization and IP telephony

Supplemental PCI DSS scoping guidance

by

I didn’t particularly loathe HIPAA and I don’t really hate PCI but they can both be confusing and often difficult to follow because they are both open to a measure of interpretation by whomever is doing the reading. The PCI Security Standards Council just recently released a document providing additional (supplemental) guidance regarding network segmentation and scope boundaries for cardholder data environments.

Guidance for PCI DSS Scoping and Network Segmentation

The following excerpt neatly sums up the reasoning for the additional guidance;

PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.

It’s not just enough that you firewall your PCI VLAN, assuming that you have a PCI VLAN. Interestingly enough the this document doesn’t really touch on tokenization and it’s impact on the in-scope systems. In fact the the only guidance regarding tokenization from the PCI Security Standards Council is dated August 2011, PCI DSS Tokenization Guidelines.

It would have been very helpful for the PCI Security Standards Council to also highlight how tokenization can reduce the footprint of in-scope systems.

Cheers!

Avaya Ethernet Routing Switch 4800 Series – Configuration Template

by

Avaya4824GTS-PWRThis is a follow-up post to my wildly popular article entitled, Nortel ERS 5520 PwR Switch which I posted back in October 2007 providing a working configuration for an Avaya Ethernet Routing Switch 5520 for IP telephony deployments.

Here’s the configuration template that I’m currently using today for the Avaya Ethernet Routing Switch 5500, 4800 and 4500 series switches. This is essentially a best practices configuration for a typical closet/edge switch (Layer 2) with ADAC/LLDP-MED for completely automated, zero-touch IP telephony deployments.

With the firmware that currently ships with the Avaya 1100 and 1200 series IP phones you only need to unbox the phone and connect it to the network. You’ll also need to make sure that you have your provisioning files setup properly but you can easily attain a zero-touch configuration for greenfield deployments.

Please note there are a some options in this post which are only available in the later software releases for each switch model. These commands were tested on an Avaya Ethernet Routing Switch 4850GT-PWR+ running 5.6.2 software.

We need to be in privileged mode before we can enter configuration mode;

enable
configure terminal

Let’s start by setting the read-only and read-write passwords (the default usernames are RO=read-only and RW=read-write)

cli password read-only ropassword
cli password read-write rwpassword
cli password serial local
cli password telnet local

If you don’t care to see the banner when connecting via telnet then disable it;

banner disable

If you are working with an Avaya Ethernet Routing Switch 5000 series switch let’s disable the UI button on the outside of the switch. This feature is only available on the ERS 5000 series switches so this command won’t work with the ERS 4000 series switches.

no ui-button enable

Let’s set VLAN control to autopvid, this will instruct the switch to change the PVID to the VLAN assigned to the port for access (UntagAll) ports.

vlan configcontrol autopvid

If we have 2 or more switches in a stack configuration we’ll utilizing ports on both switches for our uplinks, 1/48 and 2/48. If we only had a single switch and not a stack of switches we would use 47 and 48. We need to enable 802.1Q trunking (TagAll) and filter (drop) and untagged frames that might accidentally be sent across the port.

vlan ports 1/48,2/48 tagging enable
vlan ports 1/48,2/48 filter-untagged-frame enable

As a best practice you should never use VLAN 1, too many reasons to list here. By default ever port is a member of VLAN 1 so let’s remove VLAN 1 from all ports;

vlan members remove 1 ALL

Let’s create a management VLAN and add that VLAN to our 802.1Q uplinks;

vlan create 200 name "10-107-255-0/24" type port
vlan members add 200 1/48,2/48

Let’s create a (default) closet VLAN and add that VLAN to all the ports in the stack;

vlan create 10 name "ICR1_1stFloor" type port 
vlan members add 10 1/ALL,2/ALL

Let’s create a voice VLAN which we’ll using in our ADAC and LLDP-MED configurations and we’ll add that VLAN to our uplinks;

vlan create 11 name "Voice" type port voice-vlan
vlan members add 11 1/48,2/48

[Read more…]

Recent Posts

Categories

SUBSCRIBE BY EMAIL