VMware Cloud Community
azn2kew
Champion

How to be PCI 2.0 compliant - tools?

All,

I've been looking at multiple solutions and vendors, and it sounds expensive to get PCI 2.0 compliant on virtualization, so I would like to get the opinions of those who were involved in or designed their PCI 2.0 environment for virtualization.

1. What kind of tools did you implement to be fully compliant?

2. What tools can serve as alternates (cheaper replacements that do the trick)?

3. What were your issues during implementation, so we can avoid them if possible?

The products we've been reviewing:

1. VMware vShield Suites - firewall

2. VMware vCM - configuration management

3. HyTrust - RBAC

4. Tripwire - multiple modules/usage

These are very expensive to implement, especially the vShield/vCM licensing, so I want to know if we have any good alternatives that validate PCI 2.0 compliance.

1. Can we use Lumension Patchlink & Tripwire in combination?

2. Can we use pfSense, Vyatta or other virtual firewall appliances to replace vShield?

What is the best way going forward? If anyone has real experience with PCI 2.0, please provide feedback so that other members here can learn and benefit from your experience.

Once again, thanks for reading; I'm looking forward to good feedback.

If you found this information useful, please consider awarding points for "Correct" or "Helpful". Thanks!!! Regards, Stefan Nguyen VMware vExpert 2009 iGeek Systems Inc. VMware vExpert, VCP 3 & 4, VSP, VTSP, CCA, CCEA, CCNA, MCSA, EMCSE, EMCISA
10 Replies
admin
Immortal

I have customers that have achieved compliance in a mixed-trust scenario with ESX 3.5, doing their network segmentation upstream with physical devices and just managing their hosts and vCenter diligently for role/privilege separation and logging/auditing. You likely do not need to purchase new stuff to achieve compliance. This is a conversation you need to have with your QSA.

The benefit, however, is the ability to automate or have less day-to-day management of the infrastructure to stay in compliance. That is where many of the tools you mention become a huge benefit. That part becomes an ROI/TCO discussion of the risk and operational issues vs. the cost in a benefit analysis.

Many of the vendors you mention are typically involved in the stacks I help customers build. I would also include a vShield Endpoint partner to provide agentless anti-virus and various other security functions.

azn2kew
Champion

Thanks for the feedback. I have been telling my management that we don't actually need these types of products and can diligently perform RBAC with vCenter, as well as segmentation at the physical layer or with some other virtual appliance like Vyatta or pfSense; I'm not sure if these virtual appliances qualify for it. But I don't believe it's required to have HyTrust for compliance purposes; it can be mitigated manually, though. I'm still researching, and apparently our QSA isn't qualified with a virtualization background, so I requested a different QSA!

How can I contact you offline for a little chat or to understand more details on the solutions?

azn2kew
Champion

I'm currently using Trend Micro, but those agents are deployed to all virtual machines; we're not using a vShield Endpoint vendor. Is it a requirement to use a vShield Endpoint vendor instead of regular AV agents that are already centrally managed?

Techstarts
Expert

Stefan Nguyen wrote:

I'm currently using Trend Micro, but those agents are deployed to all virtual machines; we're not using a vShield Endpoint vendor. Is it a requirement to use a vShield Endpoint vendor instead of regular AV agents that are already centrally managed?

Yes, that is true. Endpoint exposes the API which VMware's partners, e.g. Trend Micro and McAfee, use to write their appliances.

Currently I know of only Trend Micro Deep Security Manager and McAfee (MOVE).

With Great Regards,
azn2kew
Champion

Holy smokes, so I'm required to license vShield Endpoint to be compliant? Can you definitely confirm that? We thought using our existing AV agent solution would cover that, but apparently not, as you mentioned. Can someone from the VMware PCI team confirm this please? It's a critical piece!

Techstarts
Expert

Stefan Nguyen wrote:

Holy smokes, so I'm required to license vShield Endpoint to be compliant? Can you definitely confirm that? We thought using our existing AV agent solution would cover that, but apparently not, as you mentioned. Can someone from the VMware PCI team confirm this please? It's a critical piece!

Hi Stefan,

Let me try to explain (hope we both are on the same page): in virtualization, everything changes. VMware is exposing its API to its anti-virus partners. The anti-virus partner creates an appliance which keeps scanning the disks of all virtual machines remotely. It is this appliance which acts as a single agent for all virtual machines and serves as the anti-virus/anti-malware agent. In the virtual world, using vShield Endpoint you do not have to deploy any agent on the virtual machine. Therefore your existing AV agent has no role to play unless you want to deploy it on the virtual machine.

Hope it is clear now.

With Great Regards,
azn2kew
Champion

I realized Endpoint does offload AV/malware scanning, so it's optional if we want to keep our existing AV agent infrastructure, unless we decide to use Endpoint and disable the AV agents in the virtual machines? So technically, it's an optional path?

Techstarts
Expert

Yes, you are right. But then why install Endpoint in the first place?

With Great Regards,
danx1000
Contributor

No, you don't need to use Trend or any vShield Endpoint product to be compliant. The APIs simply allow for a more elegant approach to virus scanning: one security VM can scan the files in all the VMs instead of installing an AV client in each VM. This is actually only partial protection, since most antivirus products do more than just scan files for viruses: they look at system changes, look at the behaviors of programs as they execute, firewall, intrusion prevention..., none of which can be done through the APIs. So if you want real malware protection, you still need to install something in each VM.

PCI compliance requires the use of AV, but it doesn't specify the implementation. The guidelines are also vague on firewalls and trust zones.

You could look for more info here: http://pciguru.wordpress.com

or here: http://www.vyatta.com/sites/vyatta.com/files/pdfs/whitepapers/vyatta_PCI_virtualization.pdf

Josh26
Virtuoso

Stefan Nguyen wrote:

Holy smokes, so I'm required to license vShield Endpoint to be compliant? Can you definitely confirm that? We thought using our existing AV agent solution would cover that, but apparently not, as you mentioned. Can someone from the VMware PCI team confirm this please? It's a critical piece!

Just to reiterate what has been said here.

There is NO commercial product that is mandatory to be PCI compliant, except for an approved vulnerability scanner to be run at certain intervals.

PCI makes requirements around managing several areas of risk; these include managing viruses and managing unwanted web traffic. This implies some sort of firewall and antivirus, but it's up to you to demonstrate that you have implemented some form of mitigation. If you are ever told a certain product is required to meet PCI, I would seek an alternate consultant.
