
Network World

Jamey Heary

PCI Standard or Not, Encrypting Internal PCI Network Traffic is a Good Thing

By jheary on Mon, 05/25/09 - 6:20pm.

Internal networks are notoriously insecure, so why wouldn’t you encrypt PCI data end to end? What makes an internal network so inherently secure that encryption is not needed? I would contend that even the idea of an internal network is inconsistent with today’s network architectures. Companies have moved to ubiquitous access, perimeter-less networks, rendering the concept of an internal network inappropriate. Much debate has been had over internal network encryption, especially as it pertains to the PCI standard. The PCI standard doesn’t mandate that you encrypt internal network traffic, only that you encrypt cardholder data at rest and over public networks. That seems a bit odd, doesn’t it? From this you can extrapolate that internal networks are considered more secure than internal servers or storage. I take issue with that hypothesis, as should you.

Internal network security in the vast majority of companies, both large and small, is virtually nonexistent. We take great pains to harden our perimeters, but almost nothing is done to harden internal networks. Given that today is the age of perimeter-less networks, how can we be confident that we have secured each and every perimeter to begin with? How do you know if someone puts a rogue DSL line into some branch office across the world? How about rogue wireless APs connecting to your network?

Every legitimate business takes great pains to make sure they are updating their operating systems and programs with the latest security patches. Since these present the most likely attack vector for intruders, updating is done in a controlled, judicious and diligent manner. Can you say the same about the updating of your network infrastructure (switches, routers, firewalls, wireless, etc.)? Sure, these devices don’t present as sexy a target as operating systems, but a savvy attacker can exploit network weaknesses to their advantage and profit. Network infrastructure security updates should be treated with the same due diligence that you apply to OS and application updates.

Perhaps even more uncontrolled is the wired LAN. Think about your internal wired LAN security. Do you have any security controls in place? Could I walk into your office and easily find a network jack to borrow for a few minutes? Is there anything preventing me from connecting (like NAC or 802.1x)? How about if I compromise one of your desktops: is there anything stopping me from capturing and recording your PCI-sensitive network traffic? Wired LAN man-in-the-middle attack techniques have been known for years and years, yet almost nobody protects themselves from them. Think about your access switch security: are you preventing ARP spoofing, IP source spoofing, rogue DHCP servers, or CAM table floods? If you said no to just one of those, then you are wide open for anyone to capture your data via a man-in-the-middle attack. Keep in mind I just listed the commonly known methods for LAN attacks; there are several other methods.
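Two of the LAN attacks listed above leave signatures that a monitor port on the access switch can see passively: a gateway IP being answered for by a MAC or port other than the router's, and a single access port sourcing far more MAC addresses than any real host would. The detector below is an added example written for this post, not code from the original; the gateway binding, port names and the sequence of ARP observations are all constructed for illustration.

```python
"""Passive detection of two LAN attacks named in the post: ARP spoofing of the
default gateway and CAM-table flooding. Added example; all observations below
are constructed, not captured traffic."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    port: str        # access-switch port the frame arrived on (hypothetical names)
    sender_ip: str
    sender_mac: str


# Known-good binding for the default gateway, recorded from the router itself
# by the defender (constructed values).
GATEWAY_IP = "10.0.10.1"
GATEWAY_MAC = "00:11:22:33:44:01"
GATEWAY_PORT = "Gi1/0/48"   # the uplink; the gateway is never behind an access port

# Constructed sequence of ARP replies as seen by a monitor port.
SAMPLE_REPLIES = [
    ArpReply("Gi1/0/48", "10.0.10.1", "00:11:22:33:44:01"),   # legitimate gateway
    ArpReply("Gi1/0/5", "10.0.10.25", "00:aa:bb:cc:dd:05"),   # ordinary host
    ArpReply("Gi1/0/7", "10.0.10.1", "00:de:ad:be:ef:07"),    # gateway IP claimed from an access port
] + [
    # one access port announcing 300 distinct source MACs: the CAM-flood pattern
    ArpReply("Gi1/0/9", f"10.0.10.{200 + i % 50}",
             f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
    for i in range(300)
]

# A real access port sees a handful of MACs (host, maybe a phone); a flood tool
# sends thousands. The threshold is a constructed, conservative value.
MAC_PER_PORT_THRESHOLD = 50


def detect_arp_spoof(replies):
    """Flag any reply that claims the gateway IP with a MAC or on a port that
    differs from the recorded binding."""
    findings = []
    for r in replies:
        if r.sender_ip == GATEWAY_IP and (r.sender_mac != GATEWAY_MAC or r.port != GATEWAY_PORT):
            findings.append(f"arp-spoof: {r.port} claims {GATEWAY_IP} as {r.sender_mac}")
    return findings


def detect_cam_flood(replies, threshold=MAC_PER_PORT_THRESHOLD):
    """Flag ports whose count of distinct source MACs exceeds the threshold."""
    macs = defaultdict(set)
    for r in replies:
        macs[r.port].add(r.sender_mac)
    return [f"cam-flood: {port} sourced {len(m)} MACs"
            for port, m in sorted(macs.items()) if len(m) > threshold]


def analyze(replies):
    """Run both detectors and return the combined list of findings."""
    return detect_arp_spoof(replies) + detect_cam_flood(replies)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_REPLIES):
        print(finding)
```

Running it against the constructed sample reports exactly one spoofed gateway claim (from Gi1/0/7) and one flooding port (Gi1/0/9). On a real switch these are the same conditions that Dynamic ARP Inspection and port security enforce inline; the passive check is useful for confirming those features are actually working and for switches that lack them.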

So, the point I’m building up to here is that chances are high that your internal networks are not very secure and so should be encrypted just like any public network. Ideally this encryption would be end-to-end, as in from card swipe machine all the way to final processing. Several card swipe vendors are beginning to offer SSL encryption in their terminals. Hopefully encrypting at the terminal will become the de-facto standard in the not too distant future.

Until you can replace all of your terminals with new ones, implement encryption using existing or new gear wherever you can. In addition, you should implement the layer 2 security features you more than likely already have on your access switches. If you would like some best practice guidance for Cisco switch security, check out http://www.cisco.com/go/safe.

The bottom line is that everyone with confidential data to protect should enable encryption on all internal networks with access to that data. In addition, layer 2 security features should be enabled on the access switches carrying said data. Be sure to decrypt your data streams before sending them to IPS, DLP, and other deep packet inspection devices. This is easy to say but in many cases harder to implement in practice. If you run into any issues, feel free to post them here.
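The two preceding paragraphs both ask you to turn on the layer 2 features your access switches already have. A quick way to find the ports where that has not happened is to audit the running configuration for the controls that counter each attack named earlier: DHCP snooping (rogue DHCP), Dynamic ARP Inspection (ARP spoofing), IP Source Guard (IP source spoofing), port security (CAM floods) and 802.1X (unauthenticated jacks). The audit script below is an added example, not code from the post or from Cisco; the configuration text is constructed for illustration using standard Cisco IOS command syntax, and the interface names and VLAN numbers are hypothetical.

```python
"""Audit a Cisco IOS-style access-switch configuration for the layer 2
protections the post recommends. Added example; the config below is
constructed, not taken from any real switch."""
import re

# Constructed sample: one fully protected port, two under-protected ports,
# and a trusted uplink.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
dot1x system-auth-control
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ip verify source
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 20
 switchport port-security
!
interface GigabitEthernet1/0/48
 description uplink
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
"""


def parse_config(text):
    """Split an IOS config into global lines and a mapping of
    interface name -> list of its (stripped) sub-commands."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # '!' terminates the interface block
            continue
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return one finding per missing control on each access port.
    Single-VLAN 'vlan N' statements only; VLAN ranges are out of scope here."""
    global_lines, interfaces = parse_config(text)
    g = set(global_lines)
    snooped = {l.split()[-1] for l in g if l.startswith("ip dhcp snooping vlan ")}
    dai = {l.split()[-1] for l in g if l.startswith("ip arp inspection vlan ")}
    findings = []
    if "ip dhcp snooping" not in g:
        findings.append("global: DHCP snooping disabled")
    if "dot1x system-auth-control" not in g:
        findings.append("global: 802.1X not enabled")
    for name, lines in interfaces.items():
        if "switchport mode access" not in lines:
            continue                # trunks/uplinks are governed by their trust statements
        vlan = next((l.split()[-1] for l in lines
                     if l.startswith("switchport access vlan ")), "1")
        if vlan not in snooped:
            findings.append(f"{name}: vlan {vlan} lacks DHCP snooping (rogue DHCP)")
        if vlan not in dai:
            findings.append(f"{name}: vlan {vlan} lacks dynamic ARP inspection (ARP spoofing)")
        if "ip verify source" not in lines:
            findings.append(f"{name}: no IP source guard (IP spoofing)")
        if "switchport port-security" not in lines:
            findings.append(f"{name}: no port security (CAM flood)")
        if "authentication port-control auto" not in lines:
            findings.append(f"{name}: no 802.1X port control (unauthenticated jack)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, GigabitEthernet1/0/1 produces no findings, GigabitEthernet1/0/2 is missing three port-level controls, and GigabitEthernet1/0/3 sits in a VLAN with neither snooping nor ARP inspection and is also missing source guard and 802.1X. Note that DAI and IP Source Guard both depend on the DHCP snooping binding table, so enabling snooping on the VLAN comes first, with the uplink marked trusted as in the sample.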

I realize this is a controversial topic for security geeks (like myself), but given recent PCI breaches that took advantage of the above weaknesses, I have to err on the side of security. Sure, more security doesn’t always mean better security, but smarter security always equals better security, which I believe is the case here.
Before quoting Bruce Schneier’s position at me, I’m already familiar with it. But if you do have other ideas about why encrypting internally is either a good idea or a bad idea, please post them.




The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.


About Cisco Security Expert

Jamey Heary, CCIE #7680, sits on the PCI Security Standards Council- Board of Advisors where he provides strategic and technical guidance for future PCI standards. Jamey is the author of Cisco NAC Appliance: Enforcing Host Security with Clean Access. (Check out all of Jamey Heary's books from Cisco Press.) He also has a patent pending on a new DDoS mitigation technique.

Jamey sits on several security advisory boards for Cisco Systems and is a founding member of the Colorado Healthcare InfoSec Users Group. He is an experienced speaker who is recognized as an expert in network security architecture, regulatory compliance, and routing and switching. His other certifications include CISSP, CCSP, and he is a Certified HIPAA Security Professional. He has been working in the IT field for 15 years and in IT security for 10 years. Jamey is currently a Distinguished Systems Engineer at Cisco Systems.
