[Owasp-pci-project] What is the definition of...

Ralph Durkee rd at rd1.net
Wed Aug 26 16:25:04 EDT 2009



> Could you expand on "1 primary function per server" in the scenario of:
>
> - 1 OS running multiple instances of a database (all storing PCI stuff)

There's no segmentation required here; it's OK to have multiple PCI
databases, or even non-credit-card DBs, as long as everything meets PCI
standards.

> - 1 OS running multiple instances of a database partitioned via either
> solaris containers or chroot where the root OS and PCI instances are in
> a different jail. Assume that PCI and non-PCI traffic exits out of
> different NICs and that the non-PCI instances couldn't even route/sniff
> traffic on the PCI side.

The chroot is an easy answer in that it's not sufficient segmentation: it
limits access to the file system, but doesn't provide strong boundaries
for the rest of the OS.

Ok, so we're attempting to keep some of the Solaris containers out of PCI
scope, while some containers are in PCI scope. The requirement is to have
network segmentation to limit scope.  This one is more difficult: if the
container/zone was configured securely with no or minimal sharing, and the
network interface isolation, and host based firewall... I think you could
make a pretty strong argument here from a risk analysis point of view, and
it might possibly be approved as a mitigating control, but I would expect
most QSAs would say it's not acceptable.  To make this a simpler case,
consider virtual servers, such as VMware guests and hosts.  It's easy to
point to industry best practice (such as CISecurity.org) to say that all
guests on the same host should have similar risk and criticality
requirements.

Giving this some more thought... given that a PCI DB on the same hardware
as a PCI Web server is not accepted for 2.2.1 and 1.3.7, then it doesn't
make sense to allow the same solution for PCI & non-PCI segmentation.

So I'm back to arriving at an answer of No.
Although I'd be interested in hearing from others.

--Ralph


>
> ________________________________
>
> From: Ralph Durkee [mailto:rd at rd1.net]
> Sent: Wednesday, August 26, 2009 12:34 PM
> To: McGovern, James F (HTSC, IT)
> Cc: <owasp-pci-project at lists.owasp.org>
> Subject: Re: [Owasp-pci-project] What is the definition of...
>
> On Aug 26, 2009, at 11:30 AM, "McGovern, James F (HTSC, IT)"
> <James.McGovern at thehartford.com> wrote:
>
> 	Can one use Solaris Containers as a component of segmentation?
>
> No, if it's the net segmentation between db & mid/web tier.
> Yes, if it is used to meet other 1 primary function per server requirements;
> also they should have separate network interfaces. Physical preferred,
> logical ok.
> Obviously the sharing of resources between the containers has to be
> reviewed too.
>
> 	What about chroot on Linux?
>
> No.
>
> --Ralph Durkee
>
> 	_______________________________________________
> 	Owasp-pci-project mailing list
> 	Owasp-pci-project at lists.owasp.org
> 	https://lists.owasp.org/mailman/listinfo/owasp-pci-project