David recently asked the PCI DSS Guru about the use of VLANs in a PCI DSS cardholder data environment. Here’s his question:

Are network switches in the Cardholder Data Environment in scope for PCI DSS? We are having trouble with this one. We have a VLAN that runs campus-wide that transmits card data back to our servers. Are all the switches that carry this VLAN in scope? If so, how can we test changes to this network? We can’t afford another network infrastructure just for PCI. Any guidance you can provide would be great. Also, keep up the good work with your site. It’s very helpful to newbs like me.

That’s a great question, David, and it’s the subject of a lot of debate within the PCI DSS community.

Virtual LANs (VLANs)

First, a little background on the technology David references. Virtual LANs, or VLANs, are a networking technology that allows you to span broadcast domains across multiple switches. Basically, you can make it appear to hosts as if they are on the same local network when they are actually geographically separate. In addition, you prevent hosts connected to the same switch, but placed on a different VLAN, from observing the traffic associated with hosts on that VLAN.

VLANs provide some protection against eavesdropping, but an entire class of attacks, known as VLAN hopping attacks, exists that allows an intruder to cross from one VLAN to another. The key idea to remember is that VLANs are intended to isolate hosts, not to provide security protection.

VLANs and PCI DSS Compliance

Many organizations are tempted to use VLANs to reduce the scope of their cardholder data environment because they’re easy to implement and don’t require the purchase of any additional gear. Furthermore, the standard itself is quite vague on this issue and leaves much discretion to the QSA. Here’s what PCI DSS says about the matter:

If network segmentation is in place and being used to reduce the scope of the PCI DSS assessment, the assessor must verify that the segmentation is adequate to reduce the scope of the assessment. At a high level, adequate network segmentation isolates systems that store, process, or transmit cardholder data from those that do not. However, the adequacy of a specific implementation of network segmentation is highly variable and dependent upon a number of factors, such as a given network’s configuration, the technologies deployed, and other controls that may be implemented.

Most QSAs that I know interpret this to mean that the use of VLANs alone is not an acceptable way to segment your cardholder data environment from your public networks. At a minimum, you will need to place a firewall to control traffic between the VLANs. The bottom line is that you should tread very carefully here. If you’re going to try to use VLANs as a security control, your switch fabric will definitely fall in scope for PCI DSS compliance. You should not attempt to do this without first obtaining a written opinion from your QSA.
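Once the switch fabric is in scope, the practical question is what to check on each switch: which ports actually carry the cardholder VLAN (and so pull that switch into scope), and whether the trunk settings leave that VLAN exposed to the known VLAN-hopping techniques mentioned above. The following added example, which is not part of the original post, audits a constructed IOS-style running configuration for exactly those points; it assumes VLAN 10 is the CDE VLAN and that allowed-VLAN lists are comma-separated without ranges.

```python
# Constructed IOS-style switch config (not from the post); VLAN 10 is assumed to be the CDE VLAN.
SAMPLE_CONFIG = """
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 20,30
 switchport nonegotiate
interface GigabitEthernet0/3
 switchport mode dynamic desirable
 switchport trunk native vlan 10
interface GigabitEthernet0/4
 switchport mode access
 switchport access vlan 10
"""

def parse_interfaces(config):
    """Group stripped running-config lines under their 'interface' stanza."""
    interfaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None and line:
            current.append(line)
    return interfaces

def audit_switch(config, cde_vlan):
    """Return (in_scope_ports, findings): ports carrying the CDE VLAN, which is what
    puts the switch in PCI DSS scope, and trunk settings exposed to VLAN hopping."""
    in_scope, findings = [], []
    for name, lines in parse_interfaces(config).items():
        setting = lambda p, d=None: next((l[len(p):] for l in lines if l.startswith(p)), d)
        mode = setting("switchport mode ", "access")
        if mode == "access":
            if int(setting("switchport access vlan ", "1")) == cde_vlan:
                in_scope.append(name)
            continue
        native = int(setting("switchport trunk native vlan ", "1"))  # IOS default is VLAN 1
        allowed = setting("switchport trunk allowed vlan ")  # IOS default: all VLANs
        if allowed in (None, "all") or cde_vlan in {int(v) for v in allowed.split(",")}:
            in_scope.append(name)
        if mode.startswith("dynamic") or "switchport nonegotiate" not in lines:
            findings.append(f"{name}: DTP negotiation enabled; use static trunk with 'switchport nonegotiate'")
        if native == cde_vlan:
            findings.append(f"{name}: CDE VLAN {cde_vlan} is the untagged native VLAN (double-tagging exposure)")
        elif native == 1:
            findings.append(f"{name}: native VLAN left at default 1; use a dedicated unused VLAN")
    return in_scope, findings
```

Running `audit_switch(SAMPLE_CONFIG, 10)` reports Gi0/1, Gi0/3 and Gi0/4 as carrying the CDE VLAN, while Gi0/2, which does not allow VLAN 10 and has its trunk pinned down, produces no finding.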

Encryption Instead of VLANs?

One common practice we’ve seen is to use encryption as a substitute. As you may be aware, the standard does allow the use of strong encryption to transmit cardholder data across an open, public network. In the cases where you have card processing devices geographically distant from your servers, why not treat the intervening network as an open, public network?

A great way to do this is to purchase inexpensive firewall devices and place them in front of your card processing systems. You can then use those devices to establish a VPN connection back to your data center. Both firewalls (and everything behind them) are then in scope for PCI DSS compliance, but the network in between is not.

VLANs and Wireless Networks

It’s important to make a specific note about VLANs, PCI DSS compliance and wireless networks, because the PCI Security Standards Council takes care to highlight the added risk of wireless networks. Specifically, they say:

Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place.

So, if you’re deploying a wireless network, make sure to pay added attention to the security controls segmenting your cardholder environment from your public networks.