Category Archives: Wireless LAN Security

PCI DSS Compliance Overview

1. PCI DSS Brief

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to ensure that ALL companies that accept, process, store or transmit credit card information maintain a secure environment.

2. PCI Compliance Applicability

The PCI DSS applies to ANY organization, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

In-scope cards include any debit, credit, and pre-paid cards branded with one of the five card association/brand logos that participate in the PCI SSC – American Express, Discover, JCB, MasterCard, and Visa International.

An organization is required to be PCI compliant in either of the two situations below:

  1. All businesses that store, process or transmit payment cardholder data
  2. All businesses that only process or transmit payment cardholder data, without storing it

PCI DSS also applies to businesses that accept credit cards over the phone, since they fall under the above classification. https://www.pcicomplianceguide.org/how-does-taking-credit-cards-by-phone-work-with-pci/

3. Auditing of PCI Compliance and Vulnerability Scans

PCI DSS compliance is generally audited by a PCI SSC Approved Scanning Vendor (ASV).

A vulnerability scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool conducts a non-intrusive scan to remotely review networks and web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that could be used by attackers to target the company’s private network. As provided by an Approved Scanning Vendor (ASV) such as ControlScan, the scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are performed.

3.1 Approved Scanning Vendors (ASVs)

Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.

As a company, ControlScan revalidates with the PCI Security Standard Council every year, and our ASV employees requalify annually, too. This means that we’re up to date on the very latest vulnerabilities. We’re also experts in scanning your Internet-facing environment and working with you to resolve any issues and achieve PCI compliance.

3.2 Frequency of validations for PCI Compliance

PCI compliance requires businesses to submit quarterly passing network scans by a PCI SSC Approved Scanning Vendor (ASV) such as ControlScan for each of their locations.

4. Significance of SSL Certificate in PCI compliance

4.1 SSL

SSL (Secure Sockets Layer) is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems, preventing eavesdroppers from reading and manipulating any information transferred, including potential personal details. The two systems can be a server and a client (for example, a shopping website and a browser) or server to server (for example, an application holding personally identifiable information or payroll information). SSL uses encryption algorithms to scramble data in transit, preventing attackers from reading it as it is sent over the connection.

4.2 TLS

TLS is more efficient and secure than SSL as it has stronger message authentication, key-material generation and other encryption algorithms. For example, TLS supports pre-shared keys, secure remote passwords, elliptic-curve keys and Kerberos, whereas SSL does not. TLS and SSL are not interoperable, but TLS does offer backward compatibility for older devices still using SSL.

The TLS protocol specification defines two layers. The TLS record protocol provides connection security, and the TLS handshake protocol enables the client and server to authenticate each other and to negotiate security keys before any data is transmitted.

The TLS handshake is a multi-step process. A basic TLS handshake involves the client and server sending “hello” messages, followed by the exchange of keys, a cipher message and a finished message. The multi-step process is what makes TLS flexible enough to use in different applications, because the format and order of the exchange can be modified.

4.3 SSL Certificate

To create this secure connection, an SSL certificate (also referred to as a “digital certificate”) is installed on a web server and serves two functions:

  • It authenticates the identity of the website (this guarantees visitors that they’re not on a bogus site)
  • It encrypts the data that’s being transmitted

SSL certificates are issued by Certificate Authorities (CAs), organizations that are trusted to verify the identity and legitimacy of any entity requesting a certificate. The CA’s role is to accept certificate applications, authenticate applications, issue certificates, and maintain status information on certificates issued.

Even though an SSL certificate is actually used for TLS, when you buy one you will notice that it is still referred to as an SSL certificate. This is primarily because SSL is the more commonly used term.

4.4 HTTPS

HTTPS (Hyper Text Transfer Protocol Secure) appears in the URL when a website is secured by an SSL certificate. The details of the certificate, including the issuing authority and the corporate name of the website owner, can be viewed by clicking on the lock symbol on the browser bar.

4.5 Compliance to PCI while using the SSL certificate

A system cannot be considered PCI compliant merely because it uses an SSL certificate; the certificate alone does not secure a web server against malicious attacks or intrusions.

SSL and early TLS should not be used as a security control to meet the PCI requirement.

High assurance SSL certificates provide the first tier of customer security and reassurance, such as the items listed below, but there are other steps to achieve PCI compliance.

  • A secure connection between the customer’s browser and the web server
  • Validation that the website operators are a legitimate, legally accountable organization
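To make the point above concrete (a certificate proves nothing about which protocol versions a server offers, and SSL and early TLS must not be relied on), here is an added example that is not part of the original post: a small audit of an nginx `ssl_protocols` directive, shown on a constructed weak configuration beside its corrected form. The version-to-verdict mapping is an assumption drawn from PCI SSC's "SSL and early TLS" migration guidance; the post itself names no versions.

```python
import re

# Protocol tokens as nginx's ssl_protocols directive spells them. The split
# follows PCI SSC guidance on migrating off "SSL and early TLS" (SSLv2/SSLv3/
# TLS 1.0 prohibited, TLS 1.1 discouraged, TLS 1.2+ acceptable); that version
# mapping is an assumption made here, the page itself names no versions.
PROHIBITED = {"SSLv2", "SSLv3", "TLSv1"}
DISCOURAGED = {"TLSv1.1"}
ACCEPTABLE = {"TLSv1.2", "TLSv1.3"}

DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]+);", re.MULTILINE)
CERT_LINE = re.compile(r"^\s*ssl_certificate\s", re.MULTILINE)


def enabled_protocols(nginx_conf):
    """Collect every version named in any ssl_protocols directive."""
    found = set()
    for match in DIRECTIVE.finditer(nginx_conf):
        found.update(match.group(1).split())
    return found


def audit_ssl_protocols(nginx_conf):
    """Return a verdict dict; 'compliant' is True only when every enabled
    version is acceptable. 'certificate_only' flags a block that installs a
    certificate but never restricts versions, so nginx's default applies:
    the certificate by itself says nothing about which protocols are offered."""
    enabled = enabled_protocols(nginx_conf)
    prohibited = sorted(enabled & PROHIBITED)
    unknown = sorted(enabled - PROHIBITED - DISCOURAGED - ACCEPTABLE)
    return {
        "compliant": bool(enabled) and not prohibited and not unknown,
        "certificate_only": bool(CERT_LINE.search(nginx_conf)) and not enabled,
        "prohibited": prohibited,
        "discouraged": sorted(enabled & DISCOURAGED),
        "unknown": unknown,
    }


# Constructed sample: the weak setting beside the corrected one (placeholder paths).
WEAK_CONF = """
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/shop.example.pem;
    ssl_certificate_key /etc/ssl/private/shop.example.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
FIXED_CONF = WEAK_CONF.replace("SSLv3 TLSv1 TLSv1.1 TLSv1.2", "TLSv1.2 TLSv1.3")
```

Running `audit_ssl_protocols(WEAK_CONF)` reports SSLv3 and TLSv1 as prohibited and TLSv1.1 as discouraged, while `FIXED_CONF` passes; a block with only `ssl_certificate` and no `ssl_protocols` line is flagged as certificate-only.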

Sources, References and Important Links

https://www.pcicomplianceguide.org
https://www.websecurity.symantec.com
https://www.cisco.com/c/en/us/td/docs/wireless/controller/technotes/8-7/b_cisco_pci_dss_3_2_wireless_security_compliance_supplemental_document.html
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Compliance/Compliance_DIG/Compliance_DIG.pdf


Converting Cisco Lightweight Access Point to Mobility Express

Cisco Mobility Express Introduction

Mobility Express capability is available only on Cisco Wave 2 access points, which are commonly referred to as COS APs.

The predecessors of the COS APs were the IOS APs, which support only the Autonomous AP capability. Although neither Autonomous nor ME APs require an AP license or a controller, ME APs are more advantageous in that an ME AP can take on the role of a controller (referred to as the master AP) and can terminate up to 100 APs (referred to as subordinate APs), whereas an autonomous AP acts as a single independent AP with no possibility of coordination with other APs in the network.

(A similar concept exists in Aruba for APs with controller capability, which they refer to as an IAP. Every model of Aruba AP comes in two forms, either Aruba AP or Aruba Instant AP. When ordered as an Aruba Instant AP, it can be converted back to a normal AP, but when ordered as an Aruba AP, it cannot be converted to an Aruba Instant AP. Care should therefore be taken while placing the order.)

Pre-requisites

Cisco Wave 2 Access Point

Laptop / PC with ethernet interface

Configuring the Windows Network Adaptor to connect on to the ME AP

  • Go to Network & Internet Settings
  • Click on “Change adapter options”
  • Click on “Ethernet adaptor” which is connected to the Access Point’s Ethernet port

(In my case it is the 5G port of the 4800 access point.)

  • Assign an IPV4 address on your PC / Laptop

Determining the Com Port In use by Console Cable

  • Connect the console to the AP and determine the corresponding COM port

devmgmt.msc → Ports (COM & LPT) will list the USB serial port in use

Configuring the AP for Conversion to Mobility Express

  • (Optional) If the AP has an existing configuration, delete it (capwap ap erase all)
  • Log in to the AP and assign a static IP address

Syntax: capwap ap ip <ap ip> <mask> <gateway>

capwap ap ip 192.168.1.11 255.255.255.0 192.168.1.10

In this example we are assigning the AP an IP of 192.168.1.11

  • Verify that the AP’s wired0 interface has taken the configured IP address

Since the AP has two Ethernet interfaces, two wired interfaces are listed: wired0 and wired1

  • Open the TFTP application and point it at the ME image path
  • Enter the following command in the AP CLI to download the ME image

Syntax: ap-type mobility-express tftp://<tftp IP address>/<ME AP image>.tar

ap-type mobility-express tftp://192.168.1.10/AIR-AP4800-K9-ME-8-8-120-0.tar

  • Once the image is copied, reload the AP
  • Once the AP comes up after the manual reload, wait a couple of minutes
  • After a couple of minutes it will reload a second time on its own and come up as an ME controller
  • Configure the AP via the installation wizard
  • The ME controller comes up after reloading with the initial configuration
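As an added example (not from the original post or from Cisco), the following helper checks the bench addressing used in the steps above before the commands are typed into the AP CLI, and returns those commands in order. It assumes the command syntax shown in the post and that ME bundles are named `*-ME-*.tar`, an assumption taken from the post’s example filename.

```python
import ipaddress

# Hypothetical helper written for this page (not Cisco tooling): it checks the
# bench addressing before the commands are typed into the AP CLI and returns
# them in order. Command syntax is the one the post shows; the "*-ME-*.tar"
# image-name pattern is assumed from the post's example filename.


def plan_me_conversion(ap_ip, mask, gateway, tftp_ip, image, erase=False):
    """Return the ordered AP CLI commands, or raise ValueError.

    Catches what makes the TFTP pull fail on an 'AP on a stick' bench: AP,
    gateway and TFTP server must share one subnet, the AP must not reuse the
    gateway, network or broadcast address, and the file must be an ME bundle.
    """
    net = ipaddress.IPv4Network(f"{ap_ip}/{mask}", strict=False)
    ap = ipaddress.IPv4Address(ap_ip)
    gw = ipaddress.IPv4Address(gateway)
    tftp = ipaddress.IPv4Address(tftp_ip)
    for label, addr in (("gateway", gw), ("TFTP server", tftp)):
        if addr not in net:
            raise ValueError(f"{label} {addr} is outside {net}")
    if ap == gw:
        raise ValueError("AP address must differ from the gateway")
    if ap in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ap} is the network or broadcast address of {net}")
    if "-ME-" not in image or not image.endswith(".tar"):
        raise ValueError("expected a Mobility Express bundle named *-ME-*.tar")
    cmds = ["capwap ap erase all"] if erase else []
    cmds.append(f"capwap ap ip {ap} {net.netmask} {gw}")
    cmds.append(f"ap-type mobility-express tftp://{tftp}/{image}")
    return cmds


# Constructed bench values: the post's addressing, laptop at .10 serving TFTP.
if __name__ == "__main__":
    for cmd in plan_me_conversion("192.168.1.11", "255.255.255.0",
                                  "192.168.1.10", "192.168.1.10",
                                  "AIR-AP4800-K9-ME-8-8-120-0.tar"):
        print(cmd)
```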

Configuring the internal DHCP server for the ME

The internal AP inside the ME will not come up until one of the following is true:

  • The ME is connected to a switch and obtains a DHCP address from it
  • An internal DHCP server is configured on the ME

Since in RF coverage testing scenarios (AP on a stick) the AP will not be connected to a switch, let’s first connect the ME to a switch so it can obtain a DHCP address and bring its internal AP up and running.

  • Log in to the ME


  • Configure the DHCP Server
  • Configure the internal DHCP server
