
We have a small business office, but due to PCI compliance we need to segment this into two internet networks (one 'compliant' and one for any other devices to use).

We currently have a Draytek modem/wan load balancer which also has firewalling but this is very basic and doesn't support separate security policies on each vlan.

As such, I have just purchased an ASA 5505 and would like some pointers to setting things up:

VLANs:

  1. Outside (draytek)
  2. InsidePci (our secure zone, contains a windows domain controller/dhcp/etc)
  3. Inside (just a regular network that just has internet access and no connection to vlan)

My Questions:

  1. At the moment everything is on one subnet 192.168.2.x. The draytek has a static IP and everything else is allocated an IP from our Windows DHCP Server. As this windows server will be within the 'insidepci' network I was planning to have this vlan continue to use that, and the regular 'inside' network using DHCP from the ASA. Is that possible?

  2. Do I need to put the draytek on its own subnet (so just the draytek is on say 192.168.3.x) as it seems I can't allocate an IP in the same range to two different VLANs.

  3. From looking at one of the online guides, it seems I would then need an internal router? I wasn't aware of this, I was hoping I could just assign one switch to the 'inside' VLAN and a separate switch to the 'insidepci' vlan? There isn't a need to communicate between these VLANs but both need to be able to access 'outside' (draytek gateway).

Scott Pack
Ben
  • You're right on all 3 accounts. The ASA is a router so you need separate subnets for all 3 networks. You will use the ASA as the default gateway for _inside_ and _insidepci_ so you don't need a separate router. – resmon6 Feb 29 '12 at 21:41

1 Answer


When it comes to PCI compliance, the number one thing you want to do is find every way you can to limit your scope. You're already making good headway with your network segmentation by actually thinking about what systems are not involved and moving them somewhere else. In a perfect world, your PCI environment would be housed in a physically separate network, however that is not a requirement. The best way to conceptualize your segmentation is around the idea of a broadcast domain. There are actually a lot of different ways you can adequately get the necessary level of segmentation:

  • Placing your in-scope equipment on a separate subnet
  • Placing your in-scope equipment on a private VLAN in the same address space as out-of-scope
  • Installing a transparent firewall between in-scope and out-of-scope
  • etc

All that being said, you should be able to get away with using the 5505 as your primary isolation device, and hanging other switches off of it if you need additional ports. You just want to make sure that any traffic from the inside VLAN passes through the firewall module before entering the insidepci VLAN.

The PCI Security Standards Council has a document called Navigating the PCI DSS v2.0. I would highly recommend reading through it so you can better understand the intent of the requirements. That should help you frame the requirements properly for compliance.

Disclaimer: I am not a QSA, ASV, or ISA. Any advice I give is friendly and following it in no way implies compliance.

Scott Pack
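A starting configuration that follows the advice above (three separate subnets, the ASA as the gateway for both inside networks, the Windows server still serving DHCP only to insidepci), as an added example that is not from the question, the comment or the answer. It uses ASA 8.2-era NAT syntax and assumes the addressing in the comments (Draytek moved to 192.168.3.1, Windows DC/DHCP at 192.168.2.10, a new 192.168.4.0/24 for inside); adjust to your environment.

```cisco
! Added example, not from the original post. Assumed addressing:
!   outside   192.168.3.0/24  (Draytek LAN side at 192.168.3.1)
!   insidepci 192.168.2.0/24  (existing Windows DC/DHCP, assumed at 192.168.2.10)
!   inside    192.168.4.0/24  (ASA hands out DHCP here)
hostname asa-pci
!
interface Vlan1
 nameif outside
 security-level 0
 ip address 192.168.3.2 255.255.255.0
!
interface Vlan2
 nameif insidepci
 security-level 100
 ip address 192.168.2.1 255.255.255.0
!
! Base license: the third VLAN may not initiate traffic to one other VLAN.
! Point that restriction at insidepci; that is the isolation wanted anyway.
interface Vlan3
 no forward interface Vlan2
 nameif inside
 security-level 50
 ip address 192.168.4.1 255.255.255.0
!
! One switch per zone hangs off these ports
interface Ethernet0/0
 switchport access vlan 1
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 3
!
! ASA is the DHCP server for inside only; insidepci keeps the Windows DHCP server
dhcpd address 192.168.4.50-192.168.4.200 inside
dhcpd dns 192.168.3.1
dhcpd enable inside
!
! PAT both inside networks behind the outside address; default route to the Draytek
global (outside) 1 interface
nat (inside) 1 192.168.4.0 255.255.255.0
nat (insidepci) 1 192.168.2.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.3.1 1
!
! Lower security cannot reach higher by default (inside -> insidepci is dropped).
! Block the reverse direction explicitly so the zones never talk, then allow out.
access-list insidepci_in extended deny ip any 192.168.4.0 255.255.255.0
access-list insidepci_in extended permit ip any any
access-group insidepci_in in interface insidepci
```

Verify the isolation with `packet-tracer input inside tcp 192.168.4.60 1025 192.168.2.10 445` and the reverse direction from insidepci; both should show a drop, while traffic to an outside address should be allowed and translated.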