Wednesday, April 13, 2016

Most successful people I have known share a common characteristic: the willingness to accomplish a task with the resources already available rather than buying a ready-to-use, box-packed kit. This approach makes a task more complex, time-consuming and effort-intensive, but in most cases it saves the most crucial factor: resources. People take this approach in many fields, and today I'm going to attempt it with PCI 3.0 and DLP.

The PCI 3.0 standard touches the lives of hundreds of millions of people worldwide (as stated by the Security Standards Council themselves). A global organization, the Council maintains, evolves and promotes Payment Card Industry standards for the safety of cardholder data across the globe. Not being PCI compliant has numerous drawbacks, including but not limited to brand degradation, a reduced customer base and loss of competitive advantage.
PCI 3.0 is a standard with no single definite path to compliance. To me it is an open framework, not one rolled out with a pre-planned agenda (skillfully crafted) to benefit a few chosen vendors. A Data Loss Prevention (DLP) tool, I feel, could play a key role if architected to its potential. I have yet to see such efficient use of a DLP tool specifically in the PCI compliance domain, but I'm sure many DLP experts are already thinking about it during this evolving PCI phase.
Below are some PCI DSS requirements which I feel DLP can meet effectively. To me these are certainly the ones where DLP could play a lead role in achieving compliance, but with further thoughtful use of the DLP solution we could surely meet more requirements than those listed.
  • 4.2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat, etc.).
    [DLP Feature]: Create Regex for PANs and Block using DLP
  • 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks,
    [DLP Feature]: Set all traffic to Block Mode except the above protocols when PCI data is identified using PCI data identifiers.
  • 3.2 Do not store sensitive authentication data after authorization (even if encrypted). If sensitive authentication data is received, render all data unrecoverable upon completion of the authorization process.
    [DLP Feature]: A DLP Discover scan, using Network Discover (agent-based and agentless) and Endpoint Discover, can find PCI data at rest and quarantine it or notify on it
  • 3.2.1 Do not store the full contents of any track (from the magnetic stripe located on the back of a card, equivalent data contained on a chip, or elsewhere).
    [DLP Feature]: Most DLP tools ship with pre-existing templates that specifically detect PCI data captured from a magnetic stripe (track data), which could be useful here
  • 3.2.2 Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.
    [DLP Feature]: A DLP Discover scan, using Network Discover (agent-based and agentless) and Endpoint Discover, can find PCI data at rest and quarantine it or notify on it
  • 3.2.3 Do not store the personal identification number (PIN) or the encrypted PIN block.
    [DLP Feature]: A DLP Discover scan, using Network Discover (agent-based and agentless) and Endpoint Discover, can find PCI data at rest and quarantine it or notify on it
For the requirements listed above, a DLP-based control can directly lead from the front. Below are a few more where I feel DLP could play a crucial part, or possibly act as a secondary, compensating or validating control:
  • 3.3 Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed), such that only personnel with a legitimate business need can see the full PAN.
    [DLP Feature]: Use Flag for encryption response created in sync with your gateway encryption solution OR use Endpoint Flex response to trigger custom script based encryption
  • 3.4 Render PAN unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) by using any of the following approaches:
    [DLP Feature]: Use Flag for encryption response created in sync with your gateway encryption solution OR use Endpoint Flex response to trigger custom script based encryption
  • 3.5.1 Restrict access to cryptographic keys to the fewest number of custodians necessary.
    [DLP Feature]: Monitor Permissions using Discover scans on all files with a cryptographic extension.
  • 1.2.1 Restrict inbound and outbound traffic to that which is necessary for the cardholder data environment, and specifically deny all other traffic.
    [DLP Feature]: Web and SMTP Prevent functionality to be implemented along with block policies when PCI data is detected
  • 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.
    [DLP Feature]: Block Web and SMTP data when attempted to be sent or uploaded to an external domain/location/IP
  • 2.2.3 Implement additional security features for any required services, protocols, or daemons that are considered to be insecure—for example, use secured technologies such as SSH, S-FTP, SSL, or IPsec VPN to protect insecure services such as NetBIOS, file-sharing, Telnet, FTP, etc.
    [DLP Feature]: Web and SMTP Prevent functionality to be implemented along with block policies when PCI data is detected
  • 2.2.5 Remove all unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and unnecessary web servers.
    [DLP Feature]: Extension based DLP Policies
  • 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.
    [DLP Feature]: Use Flag for encryption response created in sync with your gateway encryption solution OR use Endpoint Flex response to trigger custom script based encryption
  • 7.1 Limit access to system components and cardholder data to only those individuals whose job requires such access.
    [DLP Feature]: Review Permissions using Discover Scan, might as well use Data Insight Functionality
PCI 3.0 is fairly new (if I may say that of a Nov '13 release) and best practices around it are not yet part of a standard stream, given the diversity and vastness it covers. It would be great to hear in the comments section from others carving their way through this complex assignment.

Thursday, December 16, 2010

Setting up a Test Environment for Mail Servers (sending and receiving emails – Internal (LAN) to External (WAN) and vice versa)

This time I am going to write about the procedure for setting up a test environment for understanding mail servers (sending and receiving emails, internal to external and vice versa).

In my case I first installed VMware ESXi on my server, which has 8 GB RAM, and then deployed three virtual machines (VMs) running Windows Server 2003 SP2.

Let me first explain why three VMs/systems:

  1. Domain Controller and Exchange Server (Internal)
  2. RRAS (used for LAN routing)
  3. Domain Controller and Exchange Server (External)

The steps:

  1. Set up a static IP address on a completely different subnet for each of the two servers. For example, 192.168.1.30 for one server and 192.168.20.30 for the other.
  2. Install and configure DNS on both of the identified systems.
  3. Install and configure Active Directory on both systems, making each one a new Domain Controller (DC) in a completely new forest.
  4. Make sure that the two DCs are completely different domains in completely different forests. For example: myhome.abc and company.abc.
  5. Prepare each server for the Exchange installation by running "forestprep" and "domainprep".
  6. Once that succeeds, install Exchange Server on both systems.
  7. Go to the DNS Server snap-in and configure the two DNS servers to use each other as forwarders.

For example, if we assume the two servers have the IP addresses:

  1. 192.168.1.30
  2. 192.168.20.30

then we need to configure DNS server 192.168.1.30 as a DNS forwarder for the server 192.168.20.30 and vice versa.

To configure a DNS server to use forwarders:

  • Open the DNS snap-in.
  • In the console tree, click the applicable Domain Name System (DNS) server.
    Where?
    • DNS/applicable DNS server
  • On the Action menu, click Properties.
  • On the Forwarders tab, click Edit.
  • Type the IP address or the fully qualified domain name (FQDN) of a forwarder, and then click OK.

Once the DNS forwarding is completed, verify it by sending an email from a user in the existing domain to any user in the other domain.

For example: sending an email from the domain myhome.abc to company.abc, which are two completely different domains in completely different forests, working on different subnets connected via a router.

Mail sent successfully, isn't it?

This setup can now be used to simulate internal email to the WAN and WAN email to internal, since we can assume and configure one of the domains as internal and the other as on the WAN, connected via a router, which is RRAS in our case.

All the best, and let me know how it goes or in case you need any inputs.

Thank you for reading :-)

Wednesday, May 26, 2010

Reverse Hosting

Reverse hosting is similar to reverse proxying except that in addition to protecting the servers sitting behind it, it also keeps a list of those servers on the network that are permitted to publish to the Internet. The proxy server listens for requests from those servers and responds for them, thus protecting them from unwanted visitors. The proxy server hides all internal servers.

When configuring reverse hosting, ensure that all incoming Web requests will be discarded by default. This is done through the properties pages of the Web Proxy service under the Publishing tab. Mappings will be added that provide paths to the servers “downstream” or behind the proxy server, and these mappings will connect virtual paths that belong to the proxy server to the actual path of the Web server. Again, for the protection of the internal servers on the network, proxy is the gatekeeper so to speak, inspecting what comes in or goes out, and making sure that its internal network is safe.
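To make the "discard by default, then add mappings" rule concrete, here is an added illustration of what a reverse-hosting publishing table does to an inbound request path. It is example code written for this post, not the Web Proxy service's own implementation; the hostnames web1.internal and web2.internal, the two virtual paths and the request paths are constructed. The point it adds to the text is that the path must be normalised before the mapping is consulted, so that a request such as /docs/../../etc/passwd is judged (and discarded) as /etc/passwd rather than slipping through on its /docs/ prefix.

```python
from posixpath import normpath
from typing import Optional, Tuple

# Constructed publishing table (hypothetical hostnames): the virtual path that
# belongs to the proxy -> (internal server permitted to publish, its real path).
# Anything not listed here is discarded, which is the default-deny posture.
PUBLISHED = {
    "/shop/": ("web1.internal", "/"),
    "/docs/": ("web2.internal", "/public/"),
}


def route_request(request_path: str) -> Optional[Tuple[str, str]]:
    """Map an inbound request path to (internal_server, real_path), or None to discard it."""
    # Normalise first so "/shop/../docs/x" is judged as "/docs/x" and
    # "/docs/../../etc/passwd" as "/etc/passwd": the mapping decision and the
    # path forwarded to the internal server are then made on the same string.
    clean = normpath(request_path)
    if not clean.startswith("/"):
        return None
    # Longest virtual path first, so a more specific mapping wins over a shorter prefix.
    for vpath, (server, real_path) in sorted(PUBLISHED.items(), key=lambda kv: -len(kv[0])):
        if clean == vpath.rstrip("/"):
            return server, real_path
        if clean.startswith(vpath):
            return server, real_path + clean[len(vpath):]
    return None


if __name__ == "__main__":
    # Constructed request paths: two published, one unpublished, two traversal attempts.
    for path in ["/shop/cart", "/docs/guide.html", "/admin/", "/docs/../../etc/passwd", "/shop/../docs/x"]:
        print(f"{path:28} -> {route_request(path)}")
```

Only paths that resolve inside a listed virtual path reach an internal server; everything else returns None and would be dropped at the proxy, which is the behaviour the Publishing tab's default setting is meant to guarantee.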