How to conduct network segmentation testing?

Network segments play a crucial role for organizations, especially in the security context. Organizations can effectively implement network segmentation to confine sensitive areas and limit access to authorized personnel by categorizing devices, communication lines, and individuals based on their relationship to data. PCI DSS refers to network segmentation as isolating systems and components that store, process, or transmit cardholder data from the rest of the network.

The PCI DSS emphasizes the importance of network segmentation as a fundamental security measure to protect cardholder data. It aims to ensure that systems handling sensitive information are isolated from non-essential systems, thereby reducing the risk of unauthorized access and potential security breaches. PCI DSS Requirement 11.3.4 states:

“If segmentation is used to isolate the CDE from other networks, perform penetration tests at least annually and after any changes to segmentation controls/methods to verify that the segmentation methods are operational and effective, and isolate all out-of-scope systems from systems in the CDE.”

So, how to conduct a segmentation test is a new-era problem for penetration testers, especially those new to PCI DSS. At this point, the PCI DSS Scoping and Segmentation Guidance comes in and gives us a clue about the segmentation test methodology.

“Penetration testing is an important tool to confirm that any segmentation in place to isolate the CDE from other networks is effective. The penetration testing should focus on the segmentation controls, both from outside the entity’s network and from inside the network but outside of the CDE, to confirm that they are not able to get through the segmentation controls to access the CDE. For example, network testing and/or scanning for open ports, to verify no connectivity between in-scope and out-of-scope networks.”

As the guidance makes clear, there is no separate segmentation test methodology. Segmentation testing is a penetration testing process, so standard tools such as Metasploit or Nmap can be used.

Terms to understand segmentation testing

The guidance also states that the segmentation test should check whether the CDE is properly isolated. That means the CDE VLANs should not be reachable from other VLANs. Before conducting a segmentation test based on the clues the PCI DSS guidance provides, it is important to understand a few terms.

CDE in-scope: The VLANs categorized as CDE in-scope are those responsible for storing, processing, and transmitting cardholder data. These VLANs must be completely isolated from external networks and maintain a high security level for each host within the CDE in-scope.

Non-CDE in-scope: VLANs that do not directly handle cardholder data but have dependencies on CDE in-scope VLANs. While CDE in-scope VLANs must remain isolated from external networks, non-CDE in-scope VLANs offer essential services and external resources to support CDE in-scope operations. CDE in-scope VLANs have specific dependencies that non-CDE in-scope VLANs must fulfill. For example, patch servers within the non-CDE in-scope provide updates and patches to hosts within the CDE in-scope, while the antivirus server delivers antivirus solutions to CDE in-scope systems.

Non-CDE out-of-scope: VLANs that neither handle cardholder data nor have any dependencies on CDE in-scope VLANs. They are strictly prohibited from communicating with CDE in-scope VLANs under any circumstances.

Segmentation testing methods

It’s recommended to conduct scans of each host within a PCI in-scope segment, including all 65535 ports for both TCP and UDP protocols, from a PCI out-of-scope perspective. Initiating scans in batches is considered a best practice as it enhances efficiency and allows for more frequent result updates. It’s advisable to perform scans both from PCI in-scope to PCI out-of-scope and vice versa to ensure comprehensive coverage.

We can use Nmap to check whether we can interact with any host in the CDE VLANs. Run the following command from an out-of-scope VLAN to check all TCP and UDP ports, replacing the placeholder with the CDE host or address range under test:

sudo nmap -sT -sU -sV -T4 -v -Pn -p - -oX segment.xml <CDE-host-or-range>

Repeat the same step for each CDE host from each VLAN. This way we can be sure that the CDE VLANs cannot be reached from other VLANs.

It is also highly recommended to review the firewall rulesets to understand which IP addresses and ports are meant to be reachable from non-CDE in-scope VLANs. If you can reach any IP address on a port other than those permitted in the rulesets, you should report it to the network administrator so the issue can be fixed.
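The comparison described above, as an added example that is not part of the original article: it parses the segment.xml produced by the Nmap command, keeps every port that is open (or, for UDP, open|filtered and therefore unproven), and reports any that the firewall ruleset does not permit. The XML sample and the ALLOWED set are constructed for illustration; in practice ALLOWED is transcribed from the real ruleset.

```python
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output (not real scan data): one CDE in-scope
# host scanned from a non-CDE out-of-scope VLAN. Only fields the parser reads are kept.
SAMPLE_XML = """<nmaprun>
  <host><address addr="10.10.1.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="443"><state state="open"/></port>
    <port protocol="tcp" portid="3389"><state state="open"/></port>
    <port protocol="tcp" portid="22"><state state="filtered"/></port>
    <port protocol="udp" portid="161"><state state="open|filtered"/></port>
  </ports></host>
</nmaprun>"""

# Hypothetical allow-list transcribed from the firewall ruleset: (host, proto, port)
# that the scanning VLAN is permitted to reach. Everything else should be blocked.
ALLOWED = {("10.10.1.5", "tcp", 443)}

# open|filtered means no UDP reply, so it cannot be proven blocked and needs manual review
REACHABLE_STATES = {"open", "open|filtered"}


def reachable_ports(xml_text):
    """Parse nmap XML and return [(host, proto, port, state)] for ports that
    responded or could not be proven blocked; closed/filtered ports are dropped."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iterfind("ports/port"):
            state = port.find("state").get("state")
            if state in REACHABLE_STATES:
                results.append((addr, port.get("protocol"), int(port.get("portid")), state))
    return results


def segmentation_findings(xml_text, allowed):
    """Return the reachable ports the ruleset does not permit: each one is a
    segmentation gap to report to the network administrator."""
    return [r for r in reachable_ports(xml_text) if (r[0], r[1], r[2]) not in allowed]


if __name__ == "__main__":
    for host, proto, port, state in segmentation_findings(SAMPLE_XML, ALLOWED):
        print(f"GAP: {host} {proto}/{port} is {state} but not permitted by the ruleset")
```

To run it against a real scan, read segment.xml into xml_text and keep a separate ALLOWED set per source VLAN, since the permitted dependencies differ between non-CDE in-scope and out-of-scope segments.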

You can also use the firewalk tool as an additional assessment method. Firewalk is a tool used in active network reconnaissance to identify the layer 4 protocols permitted by an IP forwarding device. It aids in evaluating the security setup of packet filtering devices, commonly found in firewall systems. Firewalk is particularly useful for conducting network security assessments, including penetration tests.
