The Gobble-Gobble of Public Networks

Here in the US we celebrate and give thanks for the harvest on the fourth Thursday of November, one month after our Canadian brethren did.  Does security stop just because most companies in the US are closed?  Nope, in fact, I’d like to give a shout out to all of you folks taking the overtime pay to spend time babysitting your networks.  For you, I am thankful.

NOT a turkey (White peacock showing off his plumage, by be_khe)

The PCI Europe meeting has been the topic of several blog posts recently, and here’s yet another one inspired by the Q/A session at that meeting.

The Technical Working Group (TWG) must cringe when the definition of public networks is asked in a crowd.  I believe that this was one of those phrases left into the CISP, SDP, and PCI DSS from early revisions that the TWG now realizes may need to be adjusted in future versions.

First, let’s visit the existing definition provided by the Council:

Public Network
Network established and operated by a telecommunications provider or recognized private company, for specific purpose of providing data transmission services for the public. Data must be encrypted during transmission over public networks as hackers easily and commonly intercept, modify, and/or divert data while in transit. Examples of public networks in scope of PCI DSS include the Internet, GPRS, and GSM.

Now before you wireless gurus start tearing the last part of this definition apart, remember, those are EXAMPLES.  Yes, things like EDGE or 3G or EVDO or Wi-Fi could be included in that definition, but only if they meet the intent of the definition. The TWG likes to change the word “public” to “trusted” when asked questions about how to discern what types of networks fall into this classification.  If you re-read the definition in that light, is it a little less foggy?

The point is, if you are transmitting data over mediums where interception by an unauthorized third party is both likely and probable, and that medium is outside of your control and possibly exposed to the public, it’s going to fall into that bucket.  Let’s go through a few examples:

• Frame Relay: Generally considered a private WAN by the telco, so generally this is NOT considered public.  This can change if you share a frame relay with other companies or groups.  View the telco as a utility providing a service as they are not considered in-scope for this.
• Multiprotocol Label Switching (MPLS): This protocol and network design sparks furious debates among insiders.  The only way to tell if your implementation is considered public or private is to ask how each part of it is engineered.  Some telcos use public links to transmit portions of MPLS traffic, so you have to ask the question.  Although, in reality, using encryption (depending on your implementation) could fix this issue and render it all private.
• GPRS, GSM, EDGE, EVDO, WiMAX, and other wireless telco derivatives: It’s public.  Stop asking.
• Wi-Fi: Public.
• Telco-based microwave point-to-point: A bit tricky here.  PCI DSS does not get into this level of detail, but here’s how you should approach it.  From a PCI DSS perspective, if it is a telco-licensed circuit, it is compliant.  From a security perspective, you should consider encrypting over links like this and treat them like public networks.  I’m not saying that interception is probable today, I’m just saying that an ounce of prevention (encryption) is worth a pound of cure (breach cleanup).
• Modem: Generally considered private, again due to leveraging the telco.
• Point to Point T1/T3 or other circuits: Private, unless you are sharing that bandwidth with other parties.
• VPNs over high speed internet links: Private, as long as you are encrypting!  This departs from the definition and the requirements, because PCI DSS tells you to encrypt over public networks which is what started this discussion.  The only reason I bring this up is it is possible to create a point to point VPN WITHOUT encryption (I know, why would you do that?).
• Bluetooth: Do we even have to ask?  Rule of thumb, if at some point the traffic leaves wires and goes “through the air” (outside of a telco implementation), it’s public.
• Satellite: See above.  Make sure you have encryption on those links.  Most satellite providers have made a solution available for use in the last five years.

If there are others that you have dealt with that are not on this list, drop a comment below and I’ll update this list.

Ultimately, if you do your best to protect the data in general through encryption or devaluation, the means by which data gets from point A to point B are not important from a security perspective.

Possibly Related Posts:

• Selective Domain Filtering with Postfix and a SPAM Filtering Service
• PCI DSS 4.0 Released plus BOOK DETAILS!
• Preventing Account Takeover, Enable MFA!
• Proofpoint Patches URL Sandbox Bypass Bug
• Improve Outbound Email with SPF, DKIM, and DMARC

Tagged with: do it right, encryption, PCI community meeting