Being a network engineer isn't easy. Consider what they're responsible for on a day-to-day basis. Maintaining complex, multi-vendor network environments? Check. Triaging incidents when they arise to maintain connectivity for end users AND ensuring these environments are regularly checked for compliance and accuracy? Check. All whilst having to make sure that the relevant operations teams receive the relevant information on time to prevent silos from forming? Sigh… check. If only there was a way to make all this easier for engineers.
Like Centreon, we believe there is a solution - the integration of IT Infrastructure Monitoring with Network Assurance.
As outlined above, the work of a modern network engineer can often be a thankless and maddeningly difficult juggling act. There are simply too many network components that an engineer needs to keep an eye on.
Network monitoring solutions like Centreon aim to lighten the load on network engineers by continuously scanning the network to assess the performance of network resources, including hosts (any device with an IP address), and services (checkpoints and indicators on a host like CPU usage rate, temperature etc.)
After connecting with Centreon, the platform utilizes agentless SNMP (via API when connecting to cloud services) to:
By doing this, Centreon aims to improve how network teams can respond to issues, by giving them the means to proactively address them before they affect the wider network, both on-premises and in private and public cloud environments.
Network assurance is a perfect complement to network monitoring solutions and helps create more resilient networks, whilst also lightening the load on network engineers.
Whilst monitoring solutions aim at improving overall responsiveness, assurance focuses on the automated discovery, visualization and consolidation of network device and configuration inventories. These can be used to complement monitoring by providing the specific context that engineers need.
Here’s an example - An engineer receives an alert from their monitoring tool, and end-users begin complaining of network issues. With just a monitoring solution in place, the engineer will know that there’s an issue. But with assurance, they’ll be able to quantify the risk behind the issue and have network context needed to solve it faster.
Network Assurance by IP Fabric provides topological overviews (which can be viewed on specific OSI layers) of the network at points in time. Engineers can use this information to determine what the wider impact of the monitored issue will be, by examining data flow in the network and the relationship between specific devices, and therefore deduce what other hosts or services could be affected by said issue. Based on this, they can take the required action to prevent wider issues from occurring.
Here are a few more key scenarios which highlight how the integration of assurance and monitoring makes an engineer's life easier:
Need to add or remove devices from the network? IP Fabric instantly discovers these devices (regardless of vendor due to IP Fabric’s multi-vendor capabilities). This means that monitoring platforms remain up to date with the most recent network state and inventory, without having to update anything manually.
There’s a network audit coming up soon. Monitoring provides all of the information needed to improve network performance. But what if some of the devices are incorrectly configured, which could lead to a possible data security issue? With assurance, state data from devices is included in collected information, meaning that misconfigurations will be highlighted. Based on what is found, remedial action can be taken to address this, or standard configurations can be pushed to required devices to ensure compliance and reduce drift from the intended state.
Monitoring provides a comprehensive overview of complex network environments, whilst assurance provides a real-time view of the network, its activity, and potentially, any issues. This not only ensures that network management teams are proactively aware of potential issues and their impact, but it also ensures that monitoring and managing teams are seeing the same thing and can align on issues with ease.
Integrating the two platforms together is made easy by the Centreon IP Fabric connector. It only needs to be configured once, and it immediately opens the possibility to fully monitor the entirety of your network environments. Solutions Architect Sebastien D’Argoeuves explains how to connect the platforms here in more detail.
Monitoring and assurance are really just different sides of the same coin – they both care for network health. Possibly the best way to sum up the relationship between the two is that monitoring goes wide, whilst assurance goes deep.
In a modern networking landscape in which businesses are hyper-reliant on continuous connectivity (as Centreon puts it, there’s no separating IT performance from business performance), and where downtime can cost companies hundreds of thousands in revenue, reaching network nirvana is one step closer when network monitoring and network assurance solutions are integrated.
Want to see Network Assurance in action for yourself? You can try out our free self-guided demo here.
Prefer the personal touch? You can also reach out to request an obligation-free demo with a member of our team here.
As we strive to make 2023 our best year yet, our development team has been hard at work improving our platform. With the release of version 6.1, we’ve introduced new support and features to help you take your network operations to the next level!
Network Address Translation (NAT) is a common technology used on firewalls, translating the IP address used by the host when the user wants to connect to applications in our internal network. The translated IP address is a key piece of information used to identify the user.
We have introduced Network Address Translation (NAT) support for the following vendors:
We have added basic support for new vendors, expanding our supported vendor list – devices from these vendors can now be found during the IP Fabric discovery process:
Aside from these new additions, we have also been busy expanding the support for some of our other previously introduced vendors:
Forcepoint - In 6.0, we added basic discovery for Forcepoint devices – With 6.1, we have expanded discovery to include more detailed information, including on firewalls and IPsec VPN.
Brocade – We have introduced stack support, and end-of-life (EoL) information.
Ruckus - EoL information has also been added.
AWS – We have updated the IAM policy (NOTE: If AWS discovery was already configured, it will need to be updated to include the IAM change).
We added support for FabricPath in end-to-end path tracing for Cisco.
We have implemented support for devices implementing policy-based routing configurations for Cisco (IOS, IOS-XE, NX-OS), FortiGate (Fortinet), and HP (Comware) devices.
You can download our datasheet for a comprehensive list of our current features.
Want to find out how IP Fabric works for yourself? Feel free to check out our free guided demo here.
Prefer the personal touch? Reach out here to schedule an obligation-free demo with a member of our talented team!
Just before we turned our attention toward 2023 and the exciting possibilities that come with it, IP Fabric had one more chance to get out into the world and make some noise about Network Assurance. From 6th – 8th December, our US team gathered in glitzy Las Vegas at the fabulous Venetian Resort for the US edition of Gartner IOCS!
Much like the European version of the event, there were plenty of chances for our team to discuss network assurance and the benefits of IP Fabric with I&O leaders from a wide variety of industrial sectors!
IP Fabric was represented in Vegas by US Channel Sales Director Stefan McKinney, Enterprise Channel Lead Nick Abbaticchio and Solution Architects Cristian Cordero and Dan Kelcher. The team had nothing but positive things to say about the conference, particularly around the conversations that they were able to have with other attendees:
"There were plenty of constructive conversations and demos happening all the time. It was definitely bustling around our booth - So much so, that we could have even done with an extra TV monitor for the booth! It's great to see how much 'Automated Network Assurance' seemed to resonate with a lot of people" - Cristian Cordero
"This is probably one of the best conference experiences that I have had so far. It was great to see how engaged people were with both us, and the possibilities that the platform can provide" - Nick Abbaticchio
"We had a ton of good conversations at the booth and throughout the event. It was exciting to see how interested so many people were with what IP Fabric has to offer" - Dan Kelcher
Aside from some standout conversations, possibly the biggest standout moment for our team came when Dan had the opportunity to deliver a talk on the many benefits of Network Assurance. Titled ‘Promoting Agility, Availability and Compliance Through Network Assurance’, the session was a massive hit with conference attendees, resulting in a packed-out room!
In our opinion, there aren't many better ways to cap off a year!
To find out for yourself how you can leverage Network Assurance to promote your network agility, availability, and compliance, reach out and request a demo here. Feel free to follow us on LinkedIn and on our blog, where we regularly publish new contents and insights.
The IP Fabric team had the chance to attend the UK version of the Gartner IOCS conference in London from 21st - 22nd November. Represented by Global Channel Development Lead Joe Kershaw, Senior Channel Managers Belema Roberts and Riccardo Guglielmi, Solution Architect Alex Gittings and Product Evangelist Daren Fulwell, the conference was simply another unmissable opportunity for our star-studded cast of networking protagonists to spread the word on Network Assurance!
The two-day conference, hosted at the O2 arena in London, was based around the theme of empowering the "Anywhere Business", and was attended by Infrastructure & Operations (I&O) leaders and vendors alike. The team had the chance to speak with a selection of I&O leaders from a wide variety of sectors, ranging from retail and manufacturing to finance.
Here's what the team had to say about the event:
"Hearing first-hand how I&O leaders view network automation and its importance in driving positive business results gave me valuable insights into what they care about. Discussing how IP Fabric is foundational in removing barriers to network & automation projects was very well received by Gartner's audience - I consider the event to have been a huge success" - Belema Roberts
"The quality of the conversations that I had at Gartner IOCS were great. I gained a lot of new insight into the challenges facing enterprises and that is always extremely valuable for me" - Riccardo Guglielmi
"The IOCS conference gave us access to innovation-focused executives and leading practitioners. The discussions we had were fruitful and, in some cases, very well aligned. The outstanding realization was that organizations across all sectors are piling investment into new technologies as they seek to improve control and security across their network. However, many are unaware that technology exists which can help accelerate and de-risk the new technology rollouts whilst helping to abstract the inherent complexity of multi-vendor, multi-domain networks, to ease integration and operation. It was a pleasure to surprise many of these professionals with a view into just how easy Network Assurance can actually make things" - Joe Kershaw
Aside from sparking insightful conversations around the topic of reimagining networking operations with network assurance, Daren had a speaking slot to sink his teeth into. The talk given by Daren, which delved into de-risking automation to maximize value from infrastructure and cloud investments, was well-received and garnered a lot of engagement from the rapt audience in attendance.
The event also gave attendees the chance to unwind and get to know each other - At the end of the first day, the conference hall was transformed into a reception for all attendees, with lots of food and drink on offer for people to enjoy.
Avid football fan Daren even got the chance to meet England, Watford and Liverpool football legend John Barnes at the conference. What better way for Daren to cap off the conference than by having the chance to dive into some old-school football nostalgia with one of England's finest!
To find out how IP Fabric can help you to reimagine your own networking operations, request a demo here. Also make sure to follow us on LinkedIn, and on our blog, where we publish new content regularly.
Fall is here, and with it comes some of our favorite things - the beautiful auburn fall foliage, pumpkin spice, and the chance for IP Fabric to spread the word on Network Assurance at ONUG Fall 2022!
From 19th to 20th October, vendors and guests from a wide variety of sectors gathered at Center 415 in New York City for the fall edition of the biannual ONUG conference, and IP Fabric wasn't going to miss out! Solution Architects Dan Kelcher, Justin Jeffrey, and Senior Channel Sales Manager Nick Abbaticchio were on hand to demonstrate the power of Network Assurance and network with like-minded tech enthusiasts and business leaders.
With the conference being hosted in-person and virtually, there was lots to see, and lots to do. Dan, Nick and Justin had the opportunity to discuss the benefits of IP Fabric's Network Assurance platform with interested visitors at our booth, sparking many insightful, thought-provoking conversations for visitors and our team alike!
Here's what Nick had to say about the event - "ONUG was definitely worth attending for the interesting conversations that we were able to have. The opportunity to spread the word on Network Assurance is always valuable, and the chance to build and develop new and existing relationships was reason enough for us to come".
Dan was also pleased with the conversation that was sparked by demonstrating IP Fabric to fellow visitors, and he even noticed a common theme following a lot of demos: "Everyone that we demoed the platform for had a similar reaction, and asked the same question that I did when I first joined IP Fabric - 'Where has this tool been my whole career?'"
In-person and online attendees were also treated to an insightful talk from Justin. Titled "Network Assurance Will Revolutionize Your Network Operations!", Justin discussed how IP Fabric can help to automate the collection and analysis of network data, as well as model end-to-end networks to replace error-prone and inefficient processes. The talk was well received, sparking questions and discussion from an engaged audience.
Aside from getting to discuss all things tech with likeminded individuals, there were also competitions and prizes to be won throughout. The opportunity to spend a couple of days in New York City to take in the sights and unique city atmosphere while spreading the word on Network Assurance was another reason why the IP Fabric team simply couldn't pass up on ONUG Fall 2022!
Follow us on LinkedIn, and on our blog, where we regularly publish new content. Want to find out for yourself how IP Fabric can help you to revolutionize your networking operations and processes? Request a demo here.
This article was co-authored by Dan Kelcher, Solutions Architect at IP Fabric
In part 3 of this series on PCI compliance, we covered how you can satisfy parts of requirements 1 and 12 of the PCI DSS by leveraging IP Fabric to obtain a complete network inventory and to visualize your network with up-to-date topological overviews and network diagrams. So now that you have this inventory (including end-of-life data and vendor-suggested replacements), and a network diagram that can be updated ad-hoc without reliance on manual documentation, you can begin to investigate the dataflow within your network and further protect yourself from any potential issues during your next PCI compliance audit.
Let's dig in and see how IP Fabric's path tracing capabilities can allow you to satisfy some additional requirements set out by the PCI DSS. In this series entry, we will partially cover further sub-requirements within requirement 1, as well as part of requirement 11, as set out by the PCI DSS.
Here are the specific requirements within 1 and 11 that can be satisfied using the path tracing function:
As mentioned in part 3 of this series, requirement 1.2.4 touches upon path tracing. The requirement itself states that enterprises must possess an accurate dataflow diagram, maintained to meet the following: a) it shows all account data flows across systems and networks, and b) it is updated as needed upon changes to the environment.
1.3.1 specifies that inbound traffic to the card data environment (CDE) be restricted to only necessary traffic, with all other traffic being specifically denied. Unauthorized traffic must not be able to enter the CDE. This is intended to prevent "malicious individuals" from accessing the network via unauthorized IP addresses.
1.3.2 stipulates that outbound traffic from the CDE be restricted to only necessary traffic, with all other traffic being specifically denied.
1.4.1 mandates that Network Security Controls (NSCs) be implemented between trusted and untrusted networks, so that unauthorized traffic cannot traverse network boundaries between those trusted and untrusted networks. This requires an examination of configuration standards and network diagrams to verify that NSCs are defined (1.4.1.a), and that these are in accordance with documented configuration standards and network diagrams (1.4.1.b).
1.4.2 requires inbound traffic from untrusted networks to trusted networks be restricted to: a) communications with system components that are authorized to provide publicly accessible services, protocols and ports, and b) stateful responses to communications initiated by system components in a trusted network, with all other traffic being denied. Essentially, only authorized traffic or responses to a system component (in the trusted network) can enter from an untrusted network.
1.4.4 requires system components that store cardholder data (CHD) to not be directly accessible from untrusted networks. This requires an examination of the dataflow and network diagram to verify that system components storing CHD are not directly accessible from said untrusted networks (1.4.4.a). Also required is an examination of NSC configurations to verify that controls are properly implemented to ensure that CHD-storing components are not directly accessible from untrusted networks (1.4.4.b).
11.4.5 states that if segmentation is used to isolate the CDE from other networks (see part 2 for more detail on network segmentation and PCI compliance), penetration tests are performed on segmentation controls. This must be performed AT LEAST once every 12 months and after changes to segmentation controls and methods. The CDE must be confirmed as sufficiently isolated from all out-of-scope systems.
1.2.4 – By providing a source and destination within your network, IP Fabric can show the path that data takes through the network. These can be generated on-demand or configured to run automatically. The ability to generate these on-demand helps to satisfy requirement 1.2.4, as administrators can run these regularly to ensure they are kept current and accurate. This also provides an easy view of all devices that would be in-scope for a PCI compliance audit, meaning any devices within that data flow would need to be PCI compliant.
How does it work? When a snapshot of the network is taken, IP Fabric captures the state of each device, including CDP/LLDP, MAC table, and routing table information. That data is used to determine the relationship between devices. A graphical topology can be built from that relationship information.
In the above diagram, the traffic flow starts at the top left, from host 10.33.230.2 in site L33. The router L33R4 has equal-cost load balancing, splitting traffic across two paths. The traffic flows through an MPLS network to the L81 site. The presence of the transit cloud in the lower left indicates the flow traverses through a device (or multiple devices) that IP Fabric does not know (often this would be a service provider’s network). The traffic finally reaches the destination on L81R5.
1.3.1 and 1.3.2 - Using the same path tracing tool allows you to determine whether traffic can enter or exit the CDE. A trace can be performed using specific source and destination IP addresses or using CIDR blocks and can include a defined protocol and port. This also allows for validation of the NSCs in place to ensure that only necessary traffic is flowing through these points. When a path trace is created, an intent rule is generated based on the intended status of that flow, be it pass or fail. Any deviation from what is expected or planned can be remedied by reinforcing the relevant NSCs to prevent any unnecessary traffic from entering, or exiting, where it should not be.
The above table shows the status of the path verification rules. The 5-tuple for each test is listed, along with the expected state (all allowed, or none allowed), the state of the test (all, part, or none of the traffic allowed), and the result which shows why traffic was blocked. The state is also color-coded, with green meaning the state matched expectations, and red signifying a deviation.
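To make the verification logic concrete, here is an added example (not IP Fabric's code) that evaluates constructed 5-tuple path checks against a simplified first-match NSC rule set and compares the outcome with the intent recorded for each check, producing the same all/part/none state, the ok/deviation status and the "why was it blocked" reason described above. The CDE prefix, rule set and check names are all constructed for the example.

```python
"""Added example (not IP Fabric's code): evaluate constructed path checks
against a simplified NSC rule set and compare the result with each check's
intent, mirroring the all/part/none state and the blocking reason."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class PathCheck:
    name: str
    src: str              # source CIDR of the 5-tuple
    dst: str              # destination CIDR of the 5-tuple
    proto: str
    dport: int
    expected: str         # intent: "all" (must pass) or "none" (must be blocked)


def hosts(cidr):
    """All host addresses in a CIDR; a /32 is the single address."""
    net = ip_network(cidr)
    if net.prefixlen == net.max_prefixlen:
        return [net.network_address]
    return list(net.hosts())


def rule_matches(rule, src_ip, dst_ip, proto, dport):
    if rule.proto not in ("any", proto):
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return src_ip in ip_network(rule.src) and dst_ip in ip_network(rule.dst)


def evaluate(rules, src_ip, dst_ip, proto, dport):
    """First-match evaluation with an implicit deny when nothing matches.
    Returns (action, reason) so that a blocked flow can be explained."""
    s, d = ip_address(str(src_ip)), ip_address(str(dst_ip))
    for idx, rule in enumerate(rules):
        if rule_matches(rule, s, d, proto, dport):
            port = rule.dport if rule.dport is not None else "any"
            return rule.action, f"rule {idx}: {rule.action} {rule.src} -> {rule.dst} {rule.proto}/{port}"
    return "deny", "implicit deny at end of rule set"


def run_check(rules, check):
    """Walk every src/dst host pair of the check (fine for the small
    constructed prefixes used here; a real tool reasons over the rule set
    symbolically) and reduce the outcomes to the all/part/none state."""
    permitted, reasons = 0, set()
    pairs = [(s, d) for s in hosts(check.src) for d in hosts(check.dst)]
    for s, d in pairs:
        action, reason = evaluate(rules, s, d, check.proto, check.dport)
        if action == "permit":
            permitted += 1
        else:
            reasons.add(reason)
    if permitted == len(pairs):
        state = "all"
    elif permitted == 0:
        state = "none"
    else:
        state = "part"
    return {
        "name": check.name,
        "expected": check.expected,
        "state": state,
        "status": "ok" if state == check.expected else "deviation",
        "blocked_by": sorted(reasons),
    }


# Constructed NSC rule set guarding a hypothetical CDE prefix 10.50.0.0/24.
CDE_RULES = [
    Rule("permit", "10.10.1.0/29", "10.50.0.10/32", "tcp", 8443),  # DMZ web tier to payment app
    Rule("permit", "10.20.5.4/30", "10.50.0.0/24", "tcp", 443),    # admin jump hosts
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),            # explicit catch-all deny
]

# Constructed path checks carrying the intent for 1.3.1 (only necessary inbound traffic).
CHECKS = [
    PathCheck("dmz-web to payment-app", "10.10.1.0/29", "10.50.0.10/32", "tcp", 8443, "all"),
    PathCheck("corp-users to payment-app", "10.20.9.0/30", "10.50.0.10/32", "tcp", 443, "none"),
    PathCheck("corp-mgmt to payment-app", "10.20.5.0/29", "10.50.0.10/32", "tcp", 443, "none"),
]


def run_checks(rules=CDE_RULES, checks=CHECKS):
    return [run_check(rules, c) for c in checks]


if __name__ == "__main__":
    for r in run_checks():
        print(f"{r['status']:9} {r['name']:26} expected={r['expected']:4} state={r['state']:4} {r['blocked_by']}")
```

The third check is the interesting one: the intent says nothing from the management subnet may reach the payment application, but the admin jump-host rule permits part of that /29, so the state is "part" and the status is a deviation that points at the rule to review.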
1.4.1 – Of particular interest within this requirement are 1.4.1.a and 1.4.1.b. These sub-requirements stipulate that configuration standards and network diagrams are verified (1.4.1.a), and that NSCs are implemented in accordance with those documented configuration standards and diagrams (1.4.1.b). With path tracing, you can determine where these NSCs are located, how they are configured, and whether this is sufficient to segregate trusted and untrusted networks. IP Fabric can also provide you with security assurance: you can standardize the management of your configurations and ensure that these align with the documented configuration standards required under 1.4.1.b. Standardizing the configuration management of NSCs reduces manual effort, saving you time and brainpower in ensuring your NSCs are configured in accordance with your documented configuration standards before your next PCI compliance audit.
1.4.2 – Similarly to the requirements in 1.4.1, path tracing of the network and dataflow diagrams can be used to determine the flow of traffic between trusted and untrusted networks. As this requirement also stipulates that NSC configurations (and vendor documentation) be verified to determine if inbound traffic from untrusted to trusted networks is sufficiently restricted, IP Fabric’s security assurance can once again be used to standardize configuration management and ensure that these are sufficiently hardened against unwanted accesses.
1.4.4 – This requirement is also quite similar with regards to how IP Fabric can help. Using the network diagram that you have already built, you can verify whether system components that store CHD are directly accessible from untrusted networks. Under 1.4.4.a, this means you have to verify your network and dataflow diagrams to ensure there is documentation that system components storing CHD are not directly accessible. Under 1.4.4.b, NSC configurations must be verified to ensure controls are in place so that CHD components are not accessible from untrusted networks. Again, with path tracing, and the ability to standardize configurations, you can ensure that these components are sufficiently protected and hardened against access from untrusted networks.
11.4.5 - As discussed in part 2, using your dataflow and network diagrams established by IP Fabric, you can verify whether you have sufficient segmentation in place. By locating the appropriate environments, you can verify whether segmentation is effective, prior to the investigation by an independent auditor.
Here's how simple IP Fabric makes this process:
This process can also leverage the API and webhook capabilities of IP Fabric. New path checks can be added programmatically and included in automation workflows. Webhooks can be configured to push information on failed intent checks into other platforms.
IP Fabric uses network configuration and state data to build out a representation of the network topology and can then determine how traffic would flow through the network, giving you all of the information that you need before your next PCI compliance audit. Adding intent rules to these path checks quickly and easily allows teams to identify problem areas. This visibility extends from a global topology view, down through a device level and into the detailed decisions made by network devices. That level of visibility simplifies both assessing the environment's compliance state and gathering the evidence to support either confirmation of compliance or the need for changes to achieve PCI compliance.
Follow us on LinkedIn and our blog, where we publish new content on a regular basis. For more information on how IP Fabric can help you to get to know your entire network inside and out, please request a demo here.
This article was co-authored by Dan Kelcher, Solutions Architect at IP Fabric.
Congratulations, you've made it this far. You know what PCI compliance is, and why it is essential that your enterprise pass its compliance audit (covered in part 1). You now also know how to limit the scope of your upcoming audit to save you time, effort and a nasty headache thanks to the benefit of properly implemented network segmentation, aided by IP Fabric (covered in part 2). Surely it should be plain sailing now? Think again! Now you have to ensure that your enterprise network actually satisfies the 12 requirements set out by the PCI Security Standards Council (PCI SSC) in their Data Security Standards (PCI DSS).
As we have previously stated, IP Fabric can NOT help with all 12 requirements listed in the PCI DSS. What IP Fabric can do, however, is give you peace of mind and help you be sure that certain requirements are met. IP Fabric is a very useful tool that can help you at least partially cover some of these requirements. When utilized together with other means, you can be sure that you aren't left in the dark about your own network.
In this piece, we will begin to dive into how IP Fabric can be leveraged to cover some of the PCI DSS requirements by providing you with a complete network inventory, and an up-to-date visual representation of your network estate. Let's get into it!
The PCI DSS requirements relating to inventory are covered in point 12. It does seem odd to start with the last of the 12 requirements for PCI compliance, but ensuring you have the relevant, up-to-date documentation of your network inventory and end of life plans is essential to consider first. Doing so allows you to avoid any nasty surprises down the line. It's kind of like owning a house and trying to keep it secure from intruders. You need to know all of the access points in the house, and you can't lock a door that you don't know that you have.
Requirement 12.3.4 requires enterprises to review their in-use hardware and software technologies once every 12 months. This includes ensuring that the technologies receive security fixes from vendors, whilst continuing to support PCI DSS compliance, and that end of life (EoL) plans for technologies are in place. These plans also need to be documented and approved by senior management.
Requirement 12.5.1 obliges enterprises to have an inventory of system components that are in scope for PCI DSS (including descriptions of their function/use), which is maintained and kept current. System components are defined as network devices, servers, computing devices, virtual components (virtual machines, switches, routers etc.) as well as cloud components and software.
12.3.4 - During the discovery process, IP Fabric connects to supported network devices (there are hundreds of supported models across dozens of vendors) to collect configuration and state data, including make, model, and serial number. This is then compared against published EoL data from the hardware manufacturer.
Published end of life data from several hardware manufacturers is included and updated quarterly to show the EoL status across the environment. With the information made readily available, you can begin to plan lifecycle management for your hardware. IP Fabric can help you formulate your plans by giving you the necessary information that you need.
Our platform can even help you take your lifecycle management planning to the next level. Wherever possible, the data presented in our platform will include vendor suggested replacements, meaning that you not only know when system components will reach end of life, but you also have the necessary information to ensure replacing them is as seamless as possible, and doesn't leave any gaps in your network.
In addition to hardware information, software data is also collected. One of the most crucial features of IP Fabric is the ability to create intent rules. Intent rules can check to identify potential outliers or problematic areas within your network. An example of this would be to find what percentage of devices are running the same OS version. This could identify if OS updates aren’t being consistently applied, or if a device is running a version that hasn’t been validated. The intent rules feature will be covered in more detail in a future entry in this series!
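Here is an added example (not IP Fabric's code) of the two inventory checks described in this section, run over a constructed device inventory: the hardware end-of-life comparison from 12.3.4 (including the suggested replacement where one is known) and an intent rule that flags OS versions running on an unusually small share of a vendor's devices. The vendor names, model names, dates and version numbers are all constructed placeholders, not real vendor EoL data.

```python
"""Added example (not IP Fabric's code): end-of-life and OS-version-outlier
checks over a constructed inventory. Vendors, models and dates are placeholders."""
from collections import Counter, defaultdict
from datetime import date

# Constructed inventory rows as collected during discovery.
INVENTORY = [
    {"hostname": "L33R4",  "vendor": "vendor-a", "model": "x200",  "os": "4.2.1"},
    {"hostname": "L33SW1", "vendor": "vendor-a", "model": "x100",  "os": "4.2.1"},
    {"hostname": "L33SW2", "vendor": "vendor-a", "model": "x100",  "os": "4.2.1"},
    {"hostname": "L33SW3", "vendor": "vendor-a", "model": "x100",  "os": "4.2.1"},
    {"hostname": "L33SW4", "vendor": "vendor-a", "model": "x050",  "os": "3.9.0"},
    {"hostname": "L33FW1", "vendor": "vendor-b", "model": "fw-10", "os": "7.0.5"},
    {"hostname": "L33FW2", "vendor": "vendor-b", "model": "fw-10", "os": "7.0.5"},
]

# Constructed vendor EoL table keyed by (vendor, model). No entry for fw-10,
# which is the "no published data" case the check must surface rather than hide.
EOL = {
    ("vendor-a", "x050"): {"end_of_support": date(2022, 10, 31), "replacement": "x100"},
    ("vendor-a", "x100"): {"end_of_support": date(2023, 9, 30), "replacement": "x150"},
    ("vendor-a", "x200"): {"end_of_support": date(2026, 3, 31), "replacement": None},
}

# Fixed reference date so the example is deterministic (constructed).
AS_OF = date(2023, 1, 15)


def eol_check(inventory, eol=EOL, today=AS_OF):
    """Classify every device as past-eol, eol-within-12-months (the 12.3.4
    review horizon), supported, or unknown when the vendor has no entry."""
    report = []
    for dev in inventory:
        entry = eol.get((dev["vendor"], dev["model"]))
        if entry is None:
            status, replacement = "unknown", None
        else:
            end, replacement = entry["end_of_support"], entry["replacement"]
            if end <= today:
                status = "past-eol"
            elif (end - today).days <= 365:
                status = "eol-within-12-months"
            else:
                status = "supported"
        report.append({"hostname": dev["hostname"], "model": dev["model"],
                       "status": status, "replacement": replacement})
    return report


def os_version_check(inventory, min_share=0.25):
    """Intent rule: per vendor, compute the share of devices on each OS
    version and flag versions below min_share as outliers worth validating."""
    by_vendor = defaultdict(Counter)
    for dev in inventory:
        by_vendor[dev["vendor"]][dev["os"]] += 1
    rows = []
    for vendor in sorted(by_vendor):
        total = sum(by_vendor[vendor].values())
        for version, count in sorted(by_vendor[vendor].items()):
            share = count / total
            rows.append({"vendor": vendor, "os": version, "count": count,
                         "share": round(share, 3), "outlier": share < min_share})
    return rows


if __name__ == "__main__":
    for r in eol_check(INVENTORY):
        print(f"{r['hostname']:8} {r['model']:6} {r['status']:22} replacement={r['replacement']}")
    for r in os_version_check(INVENTORY):
        flag = "OUTLIER" if r["outlier"] else ""
        print(f"{r['vendor']:9} {r['os']:6} {r['count']} devices ({r['share']:.0%}) {flag}")
```

Note the "unknown" status: a device whose vendor publishes no EoL data still needs a documented plan under 12.3.4, so the check reports it explicitly instead of treating missing data as "supported".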
12.5.1 - This one seems a little obvious given the nature of our platform. The snapshots that you can take using IP Fabric can be configured with granular scheduling, which might be at the start and end of standard maintenance windows, or at any other interval required. If a change occurs outside of a normal maintenance period, a snapshot can be manually created. The result is that your diagrams are accurate at all times, ensuring that the inventory is "maintained and kept current", as stipulated by the PCI DSS.
Once you have taken a complete inventory of your network with IP Fabric, you can then move on to building a topology of your network. To accomplish this, IP Fabric uses state information learned from each device to build out the topology diagrams dynamically. The data can be used to path trace through your network to identify potential issues regarding your card data environment (CDE) - We will cover IP Fabric's path tracing capabilities and how they relate to PCI compliance in a future entry in this series. For now, the PCI DSS requirements relating to topology are contained in requirement 1.
Requirement 1.2.3 states that enterprises must maintain an "accurate network diagram" that shows all of the connections between the CDE and other networks, including wireless networks. 1.2.3.b also requires enterprises to verify that documentation and network diagrams are accurate and updated when there are changes to the environment.
Requirement 1.2.4 posits that enterprises possess an accurate data-flow diagram, maintained to meet the following: a) It shows all account data flows across systems and networks, and b) it is updated as needed upon changes to the environment.
1.2.3 - The snapshot process of IP Fabric discovers your network, then allows you to visualize your network in topological diagrams. Leveraging data from both Layer 2 (CDP, LLDP and MAC address tables) and Layer 3 (routing and ARP tables) protocols, IP Fabric builds a full view of the network. The output of this is a dynamic logical diagram that shows not only Layer 1 connectivity, but also Layer 2 and Layer 3 topology.
1.2.3.b - Here is another requirement that documentation and network diagrams be accurate. The dynamic nature of IP Fabric’s snapshot-based system ensures that network diagrams are regularly updated. This can be as often as the snapshots are scheduled to occur, or if a more current update is needed, a new manual snapshot can be performed, or individual devices can be refreshed in an existing snapshot. Additionally, a comparison can be performed to identify any topology changes that may have occurred between two snapshots.
1.2.4 – Provide the platform with a source and a destination, and IP Fabric can show the path taken through the network. These can be generated on-demand, or they can be configured to run automatically when new snapshots are created. We will cover this in more detail in a future entry in this series, but it is also worth noting here.
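To make the 1.2.3 and 1.2.3.b points concrete, here is an added example (not IP Fabric code) of the two steps a topology tool has to get right: collapsing the two per-device views of each CDP/LLDP link into one link, and diffing two snapshots to surface undocumented topology changes. The device names, interfaces and neighbour records are constructed for the example.

```python
"""Constructed example, not IP Fabric's implementation: build a Layer 2 link
table from per-device neighbour entries and diff two snapshots."""
from typing import Dict, Iterable, List, Set, Tuple

# One record per neighbour entry as each device reports it:
# (local_device, local_interface, remote_device, remote_interface)
Neighbor = Tuple[str, str, str, str]
Link = Tuple[Tuple[str, str], Tuple[str, str]]


def canonical_link(rec: Neighbor) -> Link:
    """Both ends of a link report it; order the endpoints so each physical
    link maps to exactly one key regardless of which side reported it."""
    a, b = (rec[0], rec[1]), (rec[2], rec[3])
    return (a, b) if a <= b else (b, a)


def build_links(neighbors: Iterable[Neighbor]) -> Set[Link]:
    return {canonical_link(r) for r in neighbors}


def one_sided(neighbors: Iterable[Neighbor]) -> Set[Link]:
    """Links reported by only one end (e.g. LLDP disabled on the peer, or a
    mid-snapshot change): flag them for confirmation before the diagram is
    relied on as an audit artefact."""
    counts: Dict[Link, int] = {}
    for r in neighbors:
        key = canonical_link(r)
        counts[key] = counts.get(key, 0) + 1
    return {k for k, n in counts.items() if n == 1}


def diff_snapshots(before: Iterable[Neighbor], after: Iterable[Neighbor]) -> Dict[str, Set[Link]]:
    """Links that appeared or disappeared between two snapshots (1.2.3.b)."""
    old, new = build_links(before), build_links(after)
    return {"added": new - old, "removed": old - new}


# Constructed sample data: a core switch uplinking a POS switch and a guest switch.
SNAPSHOT_1: List[Neighbor] = [
    ("core1", "Gi1/0/1", "pos-sw1", "Gi0/1"),
    ("pos-sw1", "Gi0/1", "core1", "Gi1/0/1"),
    ("core1", "Gi1/0/2", "guest-sw1", "Gi0/1"),
    ("guest-sw1", "Gi0/1", "core1", "Gi1/0/2"),
]
# Second snapshot: someone has patched the guest switch straight into the POS switch.
SNAPSHOT_2: List[Neighbor] = SNAPSHOT_1 + [
    ("guest-sw1", "Gi0/24", "pos-sw1", "Gi0/24"),  # only one side reports it
]

if __name__ == "__main__":
    print(diff_snapshots(SNAPSHOT_1, SNAPSHOT_2))
    print("confirm manually:", one_sided(SNAPSHOT_2))
```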
IP Fabric’s discovery and snapshot feature can be used to ensure that some of the essential PCI DSS requirements are satisfied before your next audit, by arming you with the essential information you need regarding your network inventory and topology. Whilst these capabilities only touch on some of the PCI DSS requirements, the ability to visualize your network estate is something we consider invaluable, especially with a PCI compliance audit on the horizon!
Check back soon for part 4 of our in-depth analysis on IP Fabric and PCI compliance, where we will cover how IP Fabric’s path tracing capabilities can be leveraged to cover more PCI DSS requirements. Feel free to follow us on LinkedIn, or on our blog, where new content will be emerging regularly. To find out more about how IP Fabric can help you take your network operations to the next level, request a demo here.
This article was co-authored by Dan Kelcher, Solutions Architect at IP Fabric.
Co-authored by Solution Architect Dan Kelcher and content specialist Alex Bonehill
So, you have a PCI compliance audit looming in the near future. You know what the requirements are, as set out by the PCI DSS, and you are aware of the multitude of potential penalties if you can't prove that your system is compliant. So you should have all the information you need to pass this audit, right? Not exactly. When a PCI compliance audit is performed, every single part of your network which touches, stores, or processes sensitive cardholder data (CHD) and/or sensitive authentication data (SAD) needs to be audited. This includes any areas of your network that may impact the security of the environment storing CHD/SAD.
To be more precise, PCI DSS requirements apply to system components, people, and processes that store, process, and transmit CHD/SAD, as well as system components that might not store, process, or transmit CHD/SAD, but that have "unrestricted connectivity" to the components that do. System components, as defined by the PCI SSC, include network devices, servers, computing devices, virtual components (virtual machines, switches, routers etc.), as well as cloud components and software.
Therefore, knowing the 12 requirements and the litany of sub-requirements essential for PCI compliance is not necessarily enough. You need to know exactly what in your network is considered in-scope for the audit. But your network may contain tens of thousands of interconnected devices, paths and configurations. It could also span multiple international locations maintained by different teams, and there may be a large group of people with access to segments housing CHD, some unnecessarily so. Sorting through all of this manually will surely result in a stress-induced migraine, and massive costs for your next audit.
It is essential that you know exactly how much of your network is subject to audit before it starts. It could be a lot more, or a lot less, than you think. IP Fabric can help you to limit the scope of your next PCI compliance audit, thus limiting the complexity, time and cost of your upcoming assessment. Let us explain how.
When preparing for an audit, we have already established that knowing your network is essential, as it allows you to determine how much of your estate actually needs to be audited. To this end, there is one particular best practice to consider here, which is even included by the PCI SSC in its document on Security Standards: network segmentation. Network segmentation is the practice of using device rules or ACLs to restrict connections and access between specific devices and services within the internal network.
By controlling how traffic flows through the paths of your network, you can achieve granular-level control and insight regarding your network. The uses of network segmentation include limiting the flow within your network by source, destination, or by traffic type. When dealing with the CHD environment in your network, using segmentation means a reduction in the number of users and devices that would have access to segments on which CHD is stored.
IP Fabric's comprehensive discovery feature allows you to visualize your entire network estate through topological diagrams, which can be viewed on different protocol levels. The feature utilizes snapshots, either scheduled, or on-demand, to discover the devices and applications within your network and how they are connected to each other. This feature can also be used to simulate entire end-to-end paths.
During the discovery process, IP Fabric connects to switches, routers and firewalls and, based on state information, understands how devices are connected. Additionally, IP Fabric is able to interpret the rules applied to these connections, allowing for end-to-end simulation of traffic flows through the network.
Having access to the state information, topology and rulesets of your network, you can specify any network or device in the environment and identify if it is capable of accessing a destination which stores CHD/SAD. This allows you to validate whether the CHD environment is sufficiently isolated from the rest of your network. If so, these isolated areas do not need to be audited. If the areas of your network that do house CHD are not sufficiently isolated from your other network components, then you have all the information you need to implement proper network segmentation, thanks to IP Fabric.
This last point, that is, the ability to validate the effectiveness of your network segmentation and adjust it accordingly, is particularly helpful when considering that a PCI compliance audit includes an examination of the segmentation implemented in a network. Using IP Fabric, you can not only limit the scope of your assessment, but also validate that you really are covered with effective segmentation, avoiding any nasty surprises come auditing time.
Identifying the network segments that store CHD also limits the number of people within an organization that need to be audited. The process of limiting the number of people subject to a PCI compliance audit is sometimes referred to as "descoping". Without IP Fabric, the cost of a compliance audit could be astronomical, given that you may not have a way of proving who has access to which parts of your network. If you can't say with certainty that a particular person DOESN'T have access, then they will be included in the audit for the sake of avoiding a potential, unnecessary data breach or running an incomplete assessment.
Unsure of whether your access restrictions are sufficiently configured or deployed correctly? The data collected from your network by IP Fabric includes the behavior of interconnection points between network segments and the deployed policy. The data collected can be viewed in tabular form or path lookup simulation to ensure data is flowing through these enforcement points as planned. The data is also accessible via API, which can be integrated into other tools.
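The scoping logic described above, reduced to its core, as an added example (not IP Fabric's path lookup or API): segments are nodes, each inter-segment boundary carries a first-match ACL with an implicit deny, and a segment is in scope when any permitted flow from it can reach the CDE. The segment names, ports and rules are constructed; the ACL semantics are a simplification of what real enforcement points evaluate.

```python
"""Constructed example, not IP Fabric code: reachability-based PCI scoping.
A segment is in scope if a flow from it can reach the CDE through the ACLs
on the boundaries it crosses; the hardened policy shows descoping at work."""
from collections import deque
from typing import Dict, List, Optional, Tuple, Union

# Rule: (action, source_segment or "any", dst_port or "any"); first match wins,
# unmatched traffic is implicitly denied, as on a typical firewall or ACL.
Rule = Tuple[str, str, Union[int, str]]
# Enforcement points keyed by the directed boundary (from_segment, to_segment).
Policy = Dict[Tuple[str, str], List[Rule]]


def permits(rules: List[Rule], src: str, port: int) -> bool:
    for action, rule_src, rule_port in rules:
        if rule_src in ("any", src) and rule_port in ("any", port):
            return action == "permit"
    return False  # implicit deny


def path_to(policy: Policy, src: str, dst: str, port: int) -> Optional[List[str]]:
    """Breadth-first search across boundaries that permit the flow. Every ACL
    on the way sees the original source segment, as a firewall sees the
    packet's source address rather than the previous hop."""
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for (a, b), rules in policy.items():
            if a == path[-1] and b not in seen and permits(rules, src, port):
                seen.add(b)
                queue.append(path + [b])
    return None


def in_scope(policy: Policy, segments: List[str], cde: str, ports: List[int]) -> List[str]:
    """The CDE itself plus every segment with a permitted path into it."""
    return [s for s in segments if s == cde or any(path_to(policy, s, cde, p) for p in ports)]


# Constructed sample: POS may reach the CDE on TCP/443, corp and guest may reach
# their next segment on 443, mgmt is denied outright at the CDE boundary.
SEGMENTS = ["cde", "pos", "corp", "guest", "mgmt"]
POLICY: Policy = {
    ("pos", "cde"): [("permit", "any", 443), ("deny", "any", "any")],  # source unrestricted
    ("corp", "pos"): [("permit", "any", 443)],
    ("guest", "corp"): [("permit", "any", 443)],
    ("mgmt", "cde"): [("deny", "any", "any")],
}
# Same topology with the CDE boundary restricted to the POS segment as source.
HARDENED: Policy = {**POLICY, ("pos", "cde"): [("permit", "pos", 443), ("deny", "any", "any")]}

if __name__ == "__main__":
    print("in scope (as deployed):", in_scope(POLICY, SEGMENTS, "cde", [443, 1433]))
    print("in scope (hardened):   ", in_scope(HARDENED, SEGMENTS, "cde", [443, 1433]))
```

With the source-unrestricted rule, the guest segment transits corp and POS into the CDE and drags both into scope; restricting the CDE boundary to the POS source leaves only the CDE and POS in scope.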
Leveraging single sign-on (SSO) and role-based access control (RBAC), granular permissions to view this data can be applied to anyone in an organization, opening the door for data democratization. You can ensure that the relevant people are able to keep up to date on whether your network is correctly segmented with the appropriate level of security, ensuring that you can be certain regarding what is in, or out, of scope for your next audit.
Check back soon for part 3 of our in-depth analysis on IP Fabric and PCI Compliance, where we will cover the PCI DSS requirements that IP Fabric can lend a helping hand to.
Follow us on LinkedIn or on our blog, where new content is emerging regularly. To find out more about how IP Fabric can give you and your business peace of mind, request a demo here.
Co-authored by Solution Architect Dan Kelcher and content specialist Alex Bonehill
PCI compliance is a hot topic that has to be addressed by any organization that accepts, transmits, or stores private cardholder data (CHD). To this end, the PCI Security Standards Council (PCI SSC) has set out twelve key requirements, referred to as the PCI Data Security Standard (PCI DSS). Organizations must be able to prove that they abide by these standards in order to be deemed PCI compliant. But what do they have to prove exactly?
The requirements consist of technical and operational standards that businesses must follow to secure and protect card data transmitted through card processing transactions. The requirements listed by the PCI SSC are as follows:
Ensuring compliance with these twelve requirements is essential for businesses - whilst there is not currently a specific legal mandate in place that requires organizations to prove PCI compliance, it is regarded as mandatory through both previous court precedent, and organizational requirements to maintain a secure environment for sensitive CHD. Failure to meet these requirements can result in fines of $5,000 per month and can even extend to having the ability to accept credit cards being revoked. This is without even mentioning the possibility of having a lawsuit levied against an organization in case of any data breaches involving CHD. Aside from these ramifications for failure to ensure compliance, it is also a good business practice for ensuring customer trust and maintaining a favorable brand reputation that emphasizes data security.
So now that we know what the 12 requirements are, and what could happen if these are not satisfied, it should be plain sailing towards PCI compliance, right? Not necessarily.
Ensuring compliance can be a daunting task, as the list of technical requirements, coupled with the often-complex nature of enterprise-level networks in this modern age, can lead some to rightly worry about whether they are fully covered in the face of an upcoming PCI compliance audit. Even those organizations that are currently PCI compliant should not rest on their laurels, with the new PCI DSS 4.0 release on the horizon. From March 31st, 2024, release version 3.2.1 will be retired, with the new 4.0 standard due to be released in its place. Consisting of 360 pages, complete with a change document comprising 20 pages of changes, the 4.0 release is bound to feature a number of curveballs for organizations – from new requirements being introduced, to some previous recommendations becoming binding requirements. A compliant system today may not be so come 2024.
In order to determine whether some of these compliance requirements are met, and in the face of these upcoming changes in 2024 with the PCI DSS 4.0 release, it is essential that businesses first know their network. This in itself could be considered an essential pre-requisite to determining compliance for many organizations, and this is where IP Fabric can help.
In this short series of blog pieces, we will dive into how IP Fabric’s Automated Network Assurance Platform can help you gain full visibility of your network and can give you the insight you need when determining the scope of your next PCI compliance audit.
IP Fabric is not a one-size-fits-all tool that will help you conquer PCI compliance, meaning that not all of the 12 PCI DSS requirements will be covered in this short blog series.
Instead, our platform is able to assist you by providing a detailed visualization and overview of your network at a point in time, which can be used to verify some of the essential requirements set out by the PCI DSS, and also help you to limit the scope of your next audit to only the necessary components of your network, saving you both time and additional cost. Think of IP Fabric as part of your toolkit for ensuring PCI compliance. It can't do everything, but if used correctly, it can greatly relieve the burden of ensuring PCI compliance and make matters simpler.
Check back soon for the first part of our in-depth analysis on how IP Fabric can help provide you with the assurance you need before your next PCI compliance audit.
Please follow our LinkedIn or blog, where we are sharing new content regularly. If you are interested in seeing what IP Fabric can do to help you gain visibility in the darkest corners of your network, please request a demo.
The 2022 KTS Conference hosted by our partner, Vector Solutions, took place in Gdynia, Poland on the 21st and 22nd June 2022, and IP Fabric was in attendance for the first time! The 19th edition of the 2-day broadband technology conference saw 300 participants and 80 companies descend upon the coastal town of Gdynia to discuss a wide range of topics, including artificial intelligence, distributed network architectures and the automation of network management.
The event included a variety of fascinating talks on the latest technologies and trends and proved to be a great opportunity to introduce IP Fabric to a new audience. We were represented at the conference by Solutions Architect Milan Zapletal and Vitězslav Savel, one of our Senior Channel Development Managers.
Both Milan and Vitězslav had the chance to speak at the conference. On day one, Vitězslav held an informative talk titled “What Do You Need to Start Automating Your Network”. The talk focused on how enterprises can begin the process of automating their network, and what potential organizational barriers currently exist that are holding them back from doing so.
On day 2, Milan followed up with a talk on “How to Increase Cybersecurity with Data Models”. Both talks were well received and introduced the audience to the possibilities that IP Fabric has to offer!
In between talk sessions, visitors gathered in the main event room, where both Milan and Vitězslav were on hand at IP Fabric’s stand to network with visitors from other companies and further explore the wide range of benefits that IP Fabric has to offer.
Both Milan and Vitězslav viewed the event as a success - “The 2022 KTS Conference was a great opportunity for us to introduce IP Fabric to a new audience and raise brand awareness, particularly in a new country. We also greatly appreciated the chance to strengthen our partnership with Vector Solutions and make new connections with some of our partner’s affiliates.”
The conference also gave visitors the chance to unwind and take part in some interesting downtime activities and work on their teamwork skills. A boat building competition was held on the Gdynia waterfront and guests also had the exciting opportunity to ride in a speedboat. The conference was punctuated by a beach party, which allowed people to network with each other in a casual setting and unwind after a long day of discussing the latest in technological trends.
Please follow our company’s LinkedIn or Blog, where we are generating new content regularly. If you are interested in seeing what IP Fabric can do to help get you on the path to automating your network operations, please request a demo.