As I said in Part I, The PCI DSS Wireless Guidance document is filling out a very important need. Today I will continue analyzing this Wireless Guidance document. I will number them and ask that you refer to that number in your comments on my suggestions. Remember – the goal is to help improve the document.
How to Improve on the PCI DSS Wireless Guidelines Document – Part II
A small matter, but (7) the definition of part B.,,
whereby a hub switch or other network device …transmits cardholder data is not accurate. Why don’t we define it, for these purpose, as a non-segmenting network device that can submit and receive data Would that work better? Leaving it as is breaks your demaraction example and your "directly" connected assumption.
A bigger problem appears with figure 3:
If you define the firewall as the Demarc point, as done above, and then try including a wireless access point "F" inside the perimeter, as drawn here, there is a danger of causing confusion about what is proper and what is right. By marking the network device "B" as an Unrouted Switch (which I believe is done in order to parallel the picture above), a dangerous possibility of complete non-segmentation exists here. Simply put: I believe it possible for an architect or non-security technologist to design to this diagram. Why don’t we (8) display the right-and-proper way to do it instead?
Section 2.1.3 does provide a more appropriate segmentation of the network. Placing any wireless access point on a different network is a proper way to do so, considering the business fact of "There is a different risk profile to wireless networks". As I said before:
If there is no business reason to do it, don’t do it.
More detail on the analysis of this paper will be next week, on Monday.
Thank you for reading!
Mondays into PCI -days; Tuesdays into Cloud-days; Wednesdays into weekly-special-subject-days; Thursdays into guest-blogger-days; and Fridays into surprise-days.
- Where PCI DSS Falls Short (and How to Make it Better)
- PCI DSS Wireless Analysis and Recommendations
- PCI DSS Wireless Analysis and Recommendations, Part 2
- PCI DSS Wireless Analysis and Recommendations, Part 3
- PCI DSS Wireless Analysis and Recommendations, Part 4
- PCI DSS Wireless Analysis and Recommendations, Part 5