Linux PCI Host

Instituting 'Defense in Depth' for PCI Compliance on a Linux Platform

By Terry Newbury 4/23/11

This article explains how to institute 'defense in depth' to ensure PCI compliance on a Linux platform. Before going into the details, you will want to know what defense in depth actually means. The basis of defense in depth is that your central server has layer upon layer of security, so that an intruder who gets past one layer is stopped by the next and intrusion becomes almost impossible.

There are several possible points of entry into any system. Entry can be physical, by someone actually accessing the hardware of the system. Then, entry could be through the network. Entry can be through a process or through a kernel operation. And finally, entry can be through the file system. Now, instituting defense in depth means that you defend each layer from a possible intrusion.

Your first step is to restrict access to your main server by physical means. In practice this means locking the server in a room that has a single point of entry, with heavy security at that point. No one except authorized personnel can get in or out. Use strong forms of physical security here, including a guard or guards and a fingerprint scanner. Also, and this may be obvious, keep the list of authorized personnel to the bare minimum: no more than one to three people. Another standard precaution is closed-circuit monitoring of the room and of the entry point at all times.

The next layer of security is the network. The server should be placed in a separate segment of your LAN and protected by a firewall with a well-designed rule set. TCP wrappers add a further control on the host itself by ensuring that only a very few machines with authorized access are able to connect to the critical server.
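The TCP wrappers control described above is a default-deny policy: `/etc/hosts.allow` names the few management hosts that may reach a service, and `/etc/hosts.deny` rejects everything else. The following is an added example, not code from the article; it writes the two files into a scratch directory (`WRAP_DIR`, an assumption) rather than `/etc` so it can be run and inspected without root, and `is_allowed` emulates the library's lookup order (allow file first, then deny file, then allow) for exact daemon names and addresses only. The IP addresses are constructed samples.

```shell
#!/bin/sh
# Added example (not from the article): a default-deny TCP wrappers policy
# for a PCI host. The real files are /etc/hosts.allow and /etc/hosts.deny;
# WRAP_DIR (an assumption) lets the policy be generated and reviewed first.
WRAP_DIR="${WRAP_DIR:-$(mktemp -d)}"

# write_wrapper_policy: allow sshd only from two management stations
# (constructed addresses) and deny every other wrapped service from
# every other client, logging each rejection.
write_wrapper_policy() {
    cat > "$WRAP_DIR/hosts.allow" <<'EOF'
# Only these management stations may reach the PCI host over SSH.
sshd: 10.10.1.5 10.10.1.6
EOF
    cat > "$WRAP_DIR/hosts.deny" <<'EOF'
# Default deny for every wrapped service; record the rejected client.
ALL: ALL: spawn /usr/bin/logger -p auth.warning "tcpwrap denied %d from %h"
EOF
}

# match_file FILE SERVICE CLIENT: succeed if any non-comment rule in FILE
# lists SERVICE (or ALL) in its daemon field and CLIENT (or ALL) in its
# client field. Only exact names are handled; the real library also
# understands netmasks, domain suffixes and EXCEPT lists.
match_file() {
    file="$1"; svc="$2"; client="$3"
    [ -f "$file" ] || return 1
    hit=$(grep -v '^[[:space:]]*#' "$file" | while IFS= read -r line; do
        daemons=$(printf '%s' "$line" | cut -d: -f1)
        clients=$(printf '%s' "$line" | cut -d: -f2)
        for d in $daemons; do
            [ "$d" = ALL ] || [ "$d" = "$svc" ] || continue
            for c in $clients; do
                if [ "$c" = ALL ] || [ "$c" = "$client" ]; then
                    printf 'yes'; exit 0   # leave the command-substitution subshell
                fi
            done
        done
    done)
    [ "$hit" = yes ]
}

# is_allowed SERVICE CLIENT: hosts.allow match => allow; otherwise
# hosts.deny match => deny; otherwise allow (the wrapper's own order).
is_allowed() {
    if match_file "$WRAP_DIR/hosts.allow" "$1" "$2"; then return 0; fi
    if match_file "$WRAP_DIR/hosts.deny" "$1" "$2"; then return 1; fi
    return 0
}

# Stand-alone demonstration against the generated policy.
write_wrapper_policy
for probe in "sshd 10.10.1.5" "sshd 192.0.2.77" "vsftpd 10.10.1.5"; do
    set -- $probe
    if is_allowed "$1" "$2"; then echo "$1 from $2: allowed"
    else echo "$1 from $2: denied"; fi
done
```

Because `hosts.deny` ends with `ALL: ALL`, any service that is later added to the host is closed by default until someone deliberately lists it in `hosts.allow`, which is the property the defense-in-depth argument relies on.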

Finally we come to the operating system itself, a prime point of entry for many hackers and intruders who use sophisticated tools such as spyware and viruses. Ensure that you have strong antivirus defenses on your server to prevent entry at this level. There are other useful tools on the market that can help you implement security against an intra-system attack.

Now we turn to defending against someone invading the file system itself. What you need to implement is a chroot environment. A chroot environment ensures that if a server process is compromised, its access to the crucial data areas of the system is automatically limited. Another file-system defense is to ensure that each person has access only to the portions of the file system they need, and that nobody has access to the whole of it. The last and obvious defense is, of course, to encrypt all data stored within the file system.
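The "nobody has access to the whole of it" rule can be checked mechanically: nothing under the cardholder-data tree should grant any permission to "other", and no file there should carry a setuid or setgid bit that would let a compromised process escalate. The following is an added example, not code from the article; it builds a constructed sample tree under a temporary directory (`DATA_DIR` is an assumption standing in for the real location), then audits it with POSIX `find`. The chroot and encryption controls themselves are not exercised here.

```shell
#!/bin/sh
# Added example (not from the article): audit a cardholder-data tree for
# file-system least access. DATA_DIR (an assumption) stands in for the real
# location; make_sample_tree builds a constructed tree to audit.

# audit_world_access DIR: print every path under DIR that grants read,
# write or execute/search permission to "other". Empty output is a pass.
audit_world_access() {
    find "$1" \( -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# audit_setid DIR: print setuid/setgid files, which have no place here.
audit_setid() {
    find "$1" -type f \( -perm -u+s -o -perm -g+s \) -print
}

# count_findings DIR: number of distinct offending paths, as a bare integer.
count_findings() {
    { audit_world_access "$1"; audit_setid "$1"; } | sort -u | wc -l | tr -d ' '
}

# make_sample_tree: constructed tree with one compliant file and three
# violations (a world-listable directory, a world-readable export and a
# setuid helper). Prints the root of the tree.
make_sample_tree() {
    d=$(mktemp -d)
    old_umask=$(umask); umask 077          # new files default to 600
    mkdir -p "$d/cards" "$d/logs"
    chmod 750 "$d" "$d/cards"              # rwxr-x---: group may enter, other may not
    chmod 755 "$d/logs"                    # VIOLATION: other may list the directory
    printf 'token-ref only\n' > "$d/cards/batch-001.dat"          # 600: compliant
    printf 'x\n' > "$d/cards/export.csv"
    chmod 644 "$d/cards/export.csv"        # VIOLATION: world-readable data
    printf '#!/bin/sh\n' > "$d/cards/helper"
    chmod 4750 "$d/cards/helper"           # VIOLATION: setuid binary in the data tree
    umask "$old_umask"
    printf '%s' "$d"
}

# Stand-alone demonstration; point DATA_DIR at a real tree to audit it.
DATA_DIR="${DATA_DIR:-$(make_sample_tree)}"
echo "auditing $DATA_DIR"
audit_world_access "$DATA_DIR"
audit_setid "$DATA_DIR"
echo "findings: $(count_findings "$DATA_DIR")"
```

Run as a periodic job, a non-zero `count_findings` result is the signal that someone has loosened permissions since the tree was last reviewed; the same two `find` expressions work unchanged against the directory a chrooted service is confined to.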

So why is this 'defense in depth' necessary? Because if you defend only one layer, you may find that an attacker enters your system through an entirely different layer, one against which you have no defense at all.

For example, most companies institute firewalls and antivirus defenses, but what if someone were simply to break into your office and steal your main server? That would be a disaster, wouldn't it? They could then hack into your system at their leisure; by neglecting that layer you would have failed to implement defense in depth, leaving your crucial data wide open to being compromised. This is why physical security is just as important as network security or file-system defenses.

One piece of advice that I always give newcomers to PCI compliance is to keep things simple. For example, if you institute two firewalls instead of one, you make your system much more complex. A more complex system sets the stage for the people dealing with it, your people, to make mistakes. And it is these mistakes, rather than a flaw in the firewall or firewalls themselves, that a hacker will take advantage of.

On the other hand, if you institute one good firewall with an excellent rule set, that simple system will be better understood by the people working with it, and thus far more effective and much safer. It is very rare for a company to come under the kind of attack that would justify multiple firewalls. Perhaps if your organization is an online casino or a similar corporation, it might indeed face DoS attacks that could justify more than one firewall. That case is the exception, not the rule; in general, the rule I mentioned about simplifying processes so that your people find them easier to handle still stands.

One last rule I would like to mention: when you do institute a security process, ensure that it is the best you can possibly acquire. One good system is better than two flawed systems competing with each other.

All Rights Reserved 2001-2013