SSH and PCI on Insecure, Dirty Side



  • Does current PCI code require SSH connections be restricted to enumerated (specific) client IP addresses on the unsecure, dirty side? Isn't that outside the scope of the PCI code?



  • Does current PCI code require SSH connections be restricted to enumerated (specific) client IP addresses on the unsecure, dirty side?

    Not really. PCI dictates that there should be firewall rules in place to limit access, but if you can justify an any -> 22/ssh rule, then you've satisfied PCI.

    Isn't that outside the scope of the PCI code?

    Well, requiring firewall controls is within PCI scope; see §1.2 and §1.2.1 specifically. Interpreting whether the rules you've implemented are secure or insecure is up to the QSA; if you permit protocols like FTP or Telnet which are unencrypted, you need to show compensating controls. But there's no blanket prohibition of any -> 22/ssh rules, which seems to be what you're asking about.

    This of course assumes that the device falls within scope, e.g., is part of or connected to your CDE. It sounds from your comments as if the device is completely disjointed from the CDE, in which case DSS doesn't apply. If you're trying to determine if something is in scope or not, I recommend the Guidance for PCI DSS Scoping and Network Segmentation.
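The any -> 22/ssh rule discussed in the answer, shown beside a source-restricted version, with a small audit that flags SSH ACCEPT rules carrying no source restriction in an iptables-save style listing. This is an added example, not code from the original thread; the rulesets and addresses are constructed samples.

```sh
#!/bin/sh
# Constructed sample: the permissive "any -> 22" rule that a QSA would ask
# you to justify. Nothing restricts the source of SSH connections.
PERMISSIVE_RULES='-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# Constructed sample: the same port limited to enumerated management
# sources (documentation ranges), with everything else to 22 dropped.
RESTRICTED_RULES='-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 198.51.100.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT'

# find_any_source_ssh RULES
# Prints every ACCEPT rule for tcp/22 that has no -s source match (or an
# explicit 0.0.0.0/0). Exit status 0 when none is found, 1 when any is,
# so it can gate a compliance check script.
find_any_source_ssh() {
    printf '%s\n' "$1" | awk '
        /-j ACCEPT/ && /--dport 22( |$)/ {
            if ($0 !~ /-s [^ ]+/ || $0 ~ /-s 0\.0\.0\.0\/0/) {
                print
                found = 1
            }
        }
        END { if (found) exit 1; exit 0 }'
}

# Stand-alone usage: report on the permissive ruleset.
if [ "${0##*/}" != "sh" ]; then
    find_any_source_ssh "$PERMISSIVE_RULES" \
        && echo "no unrestricted SSH accept rules" \
        || echo "unrestricted SSH accept rule(s) found; document the justification or restrict the source"
fi
```

Run it against the output of `iptables-save` on the host under review to get the same report for live rules.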
