I've been tasked to make our company PCI DSS compliant and we've been trying to figure out a way to make it possible. It's actually kind of frustrating due to the ambiguous nature of how PCI is written. Either way, here is my setup: we have two web servers that take CC data (as soon as the CC# is entered fully it is encrypted live), a DB, your usual slew of Windows servers (AD, WSUS) and an ESXi server. We are a call center and our agents use those web servers internally to work, but clients use them externally to check stats and other reports. So how do I make it possible to cut off sensitive servers (DB, AD) from what should be external servers (web server A, B and SFTP server) and the LAN? Easy, right? We have a SonicWall NSA 2400 firewall that works wonderfully. Though that still does not solve the problem of how the web servers will communicate with the DB server. Each one is in its own zone (Z1 - DB, Z2 - Web, SFTP, Z3 - LAN). Seems like it's done right; well, now someone has introduced the idea of a jump server. There does not seem to be much research done on this kind of server and I was wondering if anyone had any experience with it. As far as I am concerned, my above scenario pretty much covers us (don't get me started on VoIP and securing the line, as it's CC data being transferred over the net) and adding another server just opens up more attack surface. I am also open to any thoughts or suggestions or any kind of experience any of you might have had.
Hmm, the product we use is set up in a similar fashion; however, it also supplies an application server which facilitates communication with the DB server. It is set up with the web server exposed, a firewall, followed by the application server, followed by a firewall, and then the DB server. All calls are made through the app server to the database server. I am assuming the jump server is acting as the application server in my scenario.
I've architected and project managed a PCI-DSS project for a financial services company and feel your pain.
There is some interpreting of the PCI-DSS document needed to help with the ambiguity, but the idea is you take the meaning and fit it to your business and how it works.
I honestly can't see the point of the jump server; it just seems to be bypassing the firewall and doing half its job (I could be reading it wrong). I'd suggest a well-configured firewall that is used to place your externally accessed, hardened servers in a DMZ with only the required ports open to those inside the firewall would be more than adequate. You could even go to the next level by firewalling each server off on its own subnet/VLAN and utilising firewall rules to control all traffic between all servers.
This would not only minimise the surface area in total but also between servers, and make it that much harder to compromise the entire network from a single compromised server.
Also, reducing the scope of the CC network down (does email need to be included if it isn't used to transfer CC info?) would make things simpler. That being said, you would also have to ensure an ESX host is only used in one part of the network.
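As an added illustration of the zoning approach described in the post above (this is example code, not from the original posters or from SonicWall), the small Python model below expresses the three zones named in the thread (Z1 DB, Z2 Web/SFTP, Z3 LAN) plus the Internet as a default-deny allow-list, evaluates candidate flows against it, and additionally checks the allow-list against segmentation invariants (for example, nothing from the Internet may ever reach the DB zone directly). The service ports are assumed placeholders chosen for a Windows environment and are not stated anywhere in the thread.

```python
"""Zone-policy checker for a firewall-segmented cardholder environment.

Added example, not code from the original thread or any vendor. It models the
zones named in the thread as data, evaluates flows with a default-deny
fallback, and audits the allow-list against invariants a segmentation review
would insist on. Port numbers are assumptions for illustration only.
"""
from dataclasses import dataclass

# Zone names follow the original post; "Internet" is the untrusted outside.
INTERNET, Z1_DB, Z2_WEB, Z3_LAN = "Internet", "Z1-DB", "Z2-Web", "Z3-LAN"


@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp" or "udp"
    port: int   # destination port


# Allow-list: anything not listed is denied, mirroring a default-deny firewall.
# Ports are assumed (443 = HTTPS, 22 = SFTP, 1433 = MS SQL, 3389 = RDP).
ALLOW = [
    Rule(INTERNET, Z2_WEB, "tcp", 443),   # clients reach the web servers
    Rule(INTERNET, Z2_WEB, "tcp", 22),    # clients reach the SFTP server
    Rule(Z3_LAN, Z2_WEB, "tcp", 443),     # agents use the same web apps internally
    Rule(Z2_WEB, Z1_DB, "tcp", 1433),     # web tier talks to the DB and nothing else
    Rule(Z3_LAN, Z1_DB, "tcp", 3389),     # admin access to DB hosts from the LAN (assumed)
]

# Zone pairs that must never appear in any allow rule, whatever the port.
FORBIDDEN_PAIRS = [
    (INTERNET, Z1_DB),   # the cardholder DB is never directly reachable from outside
    (INTERNET, Z3_LAN),  # nor is the internal LAN / AD
    (Z2_WEB, Z3_LAN),    # a compromised web server must not reach the LAN / AD
    (Z1_DB, INTERNET),   # the DB zone never initiates outbound to the Internet
]


def is_allowed(src, dst, proto, port, rules=ALLOW):
    """Return True only if some rule explicitly permits this cross-zone flow."""
    if src == dst:
        return True  # traffic within a zone does not cross the firewall
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in rules)


def invariant_violations(rules=ALLOW):
    """Return every rule whose zone pair is on the forbidden list."""
    return [r for r in rules if (r.src, r.dst) in FORBIDDEN_PAIRS]


def audit(flows, rules=ALLOW):
    """Return the subset of (src, dst, proto, port) flows that the policy denies."""
    return [f for f in flows if not is_allowed(*f, rules=rules)]


if __name__ == "__main__":
    # Constructed sample flows, including two that the design is meant to block.
    sample = [
        (INTERNET, Z2_WEB, "tcp", 443),
        (Z2_WEB, Z1_DB, "tcp", 1433),
        (Z3_LAN, Z1_DB, "tcp", 1433),   # LAN hosts bypassing the web tier: denied
        (INTERNET, Z1_DB, "tcp", 1433),  # direct Internet access to the DB: denied
    ]
    for flow in audit(sample):
        print("DENY", flow)
    bad = invariant_violations()
    print("invariant violations:", bad if bad else "none")
```

Running the audit against a proposed rule set before it is pushed to the firewall turns "only the required ports are open" from a statement into something that can be checked; adding a rule such as Internet to Z1-DB shows up immediately as an invariant violation rather than being discovered during the assessment.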
I'm beginning to agree with you on the uselessness of the server. I agree with you on just properly zoning the firewall. Email is not used to transfer CC data, big no-no. But what do you mean by "ensure an ESX host is only used in one part of the network"? Do you mean the host administration IP range or the VMs? By the way, thanks for the quick response!
That has been discussed as well, though I would like to keep our developers from leaving once they learn they have to rewrite the software, haha. It seems like the jump server is trying to be a proxy, firewall and an application server all at once, hehe.
About the ESX server: in order to show separation of the networks, it would be very difficult to do this purely logically with an ESX server hosting both CC network systems and non-CC systems. You would have to have a number of controls in place around areas such as backup, access and networks to achieve the separation of networks.
It's simpler to just reduce the scope by using a physically different host for systems in the CC network. We did this in order to achieve compliance and to remove the production DB server from the development DB server. Both ESX clusters were managed separately; the only commonality was the network, where achieving separation was a much simpler process.
But as stated, this can be achieved by interpreting the PCI-DSS and applying controls relevant to your business. We just had issues in this area, and the cost/simplicity balance was achieved by separate clusters for the VMs.
Thanks for the info guys, it looks like the ambiguous nature of a "jump server" has led to it not being implemented in our network (thank goodness). Thanks for all the info, fellas. Now on to moving from Televantage to Shortell!