PCI-DSS: Virtualization segmentation in ESXi environment
I have already asked this question over on Information Security but so far it has not garnered any comments. I am thinking perhaps it is more of a server infrastructure and configuration question, rather than a security question per se.
Therefore I will try to be brief:
We are PCI-DSS 2.0 compliant. PCI-DSS has the concept of in-scope and out-of-scope systems/processes/data/infrastructure etc. In-scope is under scrutiny during PCI-DSS audits, out-of-scope are considered untrusted and firewalled network segments should separate the two scopes.
Therefore it is considered a no-no if you try to mix in-scope and out-of-scope systems yet in this world of VMs the PCI-DSS council released guidelines specifically regarding mixing scopes in the virtual environment. They state that:
The level of segmentation required for in-scope and out-of-scope systems on the same host must be equivalent to a level of isolation achievable in the physical world; that is, segmentation must ensure that out-of-scope workloads or components cannot be used to access an in-scope component. Unlike separate physical systems, network-based segmentation alone cannot isolate in-scope from out-of-scope components in a virtual environment.
Therefore my question is, is it possible to segment VMs running on ESXi 5.5 such that the segmentation satisfies the criteria outlined in the guidelines above?
The guidlines are very prescriptive, indeed they go on to say:
Segmentation of virtual components must also be applied to all virtual communication mechanisms, including the hypervisor and underlying host, as well as any other common or shared component. In virtual environments, out-of-band communications can occur, often via a solution-specific communication mechanism, or through the use of shared resources such as file systems, processors, volatile and non-volatile memory, device drivers, hardware devices, APIs, and so on.
Methods I have thought of:
- Use different physical network adapters
- Use different physical datastores
But other areas I am stuck on include how to segment processors, RAM etc.
If you are interested the complete PCI-DSS virtualisation guidelines are here.
Thanks for reading.
Update 21/11/2014: This doc here has been passed on to me, I will read and digest. It looks like a useful title: 'PCI-DSS Compliance and VMWare'.
Solution 1:
I've also seen the document you linked in your question. Unfortunately, it breaks down when VMware starts to push their vCloud design and security modules.
Can you tell us about your vSphere environment? Specifically, I'd like to understand the license tier and high level design of your vSphere infrastructure (e.g. 3-host cluster running vSphere Essentials Plus and an iSCSI SAN) This information will help guide to the right solution.
Generically, I can say:
- VLANs aren't enough for network segmentation. If you're trunking ports back to a switch, you really want to trunk that to a VLAN-aware firewall. You'll need firewalling between the vSphere portgroups/VLANs.
- This can be accomplish with vSphere's firewalling product, depending on your license.
- vSwitch uplinks can be linked to discrete network zones or controlled with a firewall as above.
- The datastores can be separate, but don't necessarily need separate hardware. Multiple LUNs or NFS mounts have been satisfactory in my experience.
- How are you handling physical security?
- Is your vCenter linked to Active Directory? Can you apply two-factor authentication to your AD logons?
- The ESXi hypervisor has not been a problem in audits. Make sure you have vSphere Update Manager and an established patching schedule to deal with the fixes for CVE vulnerabilities.
- If you need to guarantee a certain type of performance or certain RAM/CPU allocations, you can establish vSphere Resource Pools.
- Further separation can leverage vSphere DRS and affinity/anti-affinity rules, if your license supports it (e.g. make sure production DB is always on a different host than development DB or always keep these components of the application stack together).