Assessed entity question: Can switches get updates from the internet, and remain PCI compliant?
QSA’s Sarcastic Question:
Where else do patches come from? 🙂 I presume you mean the device actively getting updated from the internet.
QSA’s Real Questions:
What kind of switches do this?
What is the exact mechanism?
What is the direction of connection establishment?
The fast patching helps you meet 6.2. And don’t the cloud-managed Wi-Fi access points already work this way?
And as long as the connections don’t violate 1.3, I can’t think of any other applicable requirements.
Some PCI Requirements to consider
1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.
It is essential to install network protection between the internal, trusted network and any untrusted network that is external and/or out of the entity’s ability to control or manage. Failure to implement this measure correctly results in the entity being vulnerable to unauthorized access by malicious individuals or software.
For firewall functionality to be effective, it must be properly configured to control and/or limit traffic into and out of the entity’s network.
1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
Examination of all inbound and outbound connections allows for inspection and restriction of traffic based on the source and/or destination address, thus preventing unfiltered access between untrusted and trusted environments. This prevents malicious individuals from accessing the entity’s network via unauthorized IP addresses or from using services, protocols, or ports in an unauthorized manner (for example, to send data they’ve obtained from within the entity’s network out to an untrusted server).
Implementing a rule that denies all inbound and outbound traffic that is not specifically needed helps to prevent inadvertent holes that would allow unintended and potentially harmful traffic in or out.
1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.
While there may be legitimate reasons for untrusted connections to be permitted to DMZ systems (e.g., to allow public access to a web server), such connections should never be granted to systems in the internal network. A firewall’s intent is to manage and control all connections between public systems and internal systems, especially those that store, process or transmit cardholder data. If direct access is allowed between public systems and the CDE, the protections offered by the firewall are bypassed, and system components storing cardholder data may be exposed to compromise.
Assessed Entity Response:
We have Cisco switches that need to communicate to the Cisco website in order to update the licensing information (Cisco Smart Licensing).
If we allow this specific access on the firewall for the switches, will they be PCI compliant?
My follow-up to Assessed Entity:
- The switches initiate the connection.
- The layer 3 interfaces of the switches are firewalled from the internet.
- Only required traffic is allowed through.
If that is the case, I don’t think Cisco Smart Licensing Deployment would affect your PCI DSS compliance status.
I would expect:
- That your Cisco device configuration/hardening standard documentation be updated with any changes.
- That Cisco’s recommendations for deployment be followed. (Cisco does describe the direct connection as the least secure method of implementation.)
So, yes, I think it’s fine.
(personal note: I would take Cisco’s advice and not deploy or allow the direct connections. I can see that going awry in the future! 😊 )
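The three conditions in the follow-up above (switch-initiated, firewalled from the internet, only required traffic) can be checked mechanically against a firewall ruleset. The script below is an added example, not from this post or from Cisco; it evaluates a constructed policy, and the management VLAN address and the licensing endpoint name are placeholders you would replace with your own values and Cisco’s documented Smart Licensing host.

```python
# Added example: check a constructed firewall policy for the conditions the QSA
# lists (switch initiates, no internet-initiated access, explicit deny-all).
from dataclasses import dataclass
from typing import List, Optional

SWITCH_MGMT = "10.10.5.0/24"  # constructed: switch management VLAN
# Placeholder: use the Smart Licensing endpoint Cisco documents for your release.
LICENSING_HOSTS = {"<smart-licensing-endpoint>"}

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR, hostname, or "any"
    dst: str
    port: Optional[int]    # None means any port
    stateful: bool = True  # replies admitted only for sessions the src opened

def check_policy(rules: List[Rule]) -> List[str]:
    """Return findings against PCI DSS 1.2.1 / 1.3; an empty list passes."""
    findings = []
    # 1.2.1: the policy must end with an explicit deny-all.
    if not rules or rules[-1] != Rule("deny", "any", "any", None):
        findings.append("1.2.1: missing final explicit deny-all rule")
    for r in rules:
        if r.action != "allow":
            continue
        # 1.3: nothing may allow internet-initiated traffic to the switch VLAN.
        if r.src == "any" and r.dst == SWITCH_MGMT:
            findings.append(f"1.3: inbound allow from any to {r.dst}:{r.port}")
        # Direction: a stateless egress rule lets the reply path double as
        # unsolicited inbound access, so the switch would not be the sole initiator.
        if r.src == SWITCH_MGMT and not r.stateful:
            findings.append(f"stateless outbound rule to {r.dst} admits unsolicited replies")
        # Only required traffic: egress from switches is limited to licensing over 443.
        if r.src == SWITCH_MGMT and (r.dst not in LICENSING_HOSTS or r.port != 443):
            findings.append(f"1.2.1: outbound allow to {r.dst}:{r.port} is not required")
    return findings

# Constructed policies: the first matches the QSA's conditions, the second does not.
COMPLIANT = [
    Rule("allow", SWITCH_MGMT, "<smart-licensing-endpoint>", 443),
    Rule("deny", "any", "any", None),
]
NONCOMPLIANT = [
    Rule("allow", "any", SWITCH_MGMT, 22),    # internet can reach the switches (1.3)
    Rule("allow", SWITCH_MGMT, "any", None),  # unrestricted egress, no deny-all (1.2.1)
]

if __name__ == "__main__":
    print("compliant:", check_policy(COMPLIANT))        # prints []
    print("noncompliant:", check_policy(NONCOMPLIANT))  # prints three findings
```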