Wednesday, March 31, 2010

PCI and multiple servers

I noticed that a few web hosting companies out there recommend that you lease two servers when trying to reach PCI compliance. That leaves me wondering: how can a small business afford to be PCI compliant if this is a requirement?

PCI DSS compliance requires that "only one primary function is performed per server" (2.2.1). Because "primary function" can be interpreted in different ways, on-site auditors (QSAs) will sometimes require two servers (one for the web server and one for the database). The logic is that there is an increased risk of a data breach if multiple services run on one box, since each service gives a potential hacker another avenue of attack.

As a side note, many interpret "one primary function" to mean one collective function (e.g., one server is used for payments and thus can have a web server and database server to achieve this collective function). Moreover, you may be able to mitigate the danger of running too many services by never storing sensitive data in the first place (this is my recommendation).

So how is a small business supposed to do business online if a QSA happens to require 2 or more dedicated servers? A couple of cheap dedicated servers would run you about $300 a month.

I've not run this past a QSA, but I wonder: why not use virtualization software like XenServer? Chuvakin and Williams, in their book PCI Compliance, talk about how virtualization can be used effectively to separate sensitive environments from other websites. With virtualization you can create multiple virtual machines (VMs) on one server. Each VM acts as a separate server, completely isolated and contained. Each VM has its own resources and cannot take more than its share of CPU or memory. Because of this, for the purposes of PCI compliance, each VM could be considered an isolated server. Each VM could be used for a separate task, and they would be kept entirely isolated. It seems to me that this would be an acceptable solution for everyone involved.

Update: Stumbled across this article about virtualization and PCI compliance. Looks like they are working towards clearing up this area of the PCI DSS. Also, this PCI DSS expert believes that, "just like virtualization, running logical partitions that are segmented from each other doesn't violate what the council is trying to prevent" in requirement 2.2.1. Lastly, this QSA states that "Virtual machines need to be treated just like physical machines when assessing them for PCI compliance" (pg 7).

Friday, March 19, 2010

efficiency

"In the clarity of this morning, I'm thankful for sleep cycles that disrupt our progress, for children that stop your work and force you to keep someone you love alive, for the need to stop and eat, to stop and drink water, to stop and talk to friends. We buy billions of dollars in books that help us be more efficient, we praise the profit margin, and all the while, God is trying to slow us down, trying to remind us of what matters and what doesn't, trying to stop our human progress, stop our creation of false Gods." -- Donald Miller

Wednesday, March 17, 2010

BIND, Security and PCI Compliance

I get to go through some of the fun commonly known as PCI Compliance. PCI Compliance is a good thing on the whole; nevertheless, it is time consuming. Today I spent time on my DNS server. I use BIND, the open source name server that is very popular across the net.

During a PCI scan I got this warning: "Bind Banner." It was the result of my system telling the world which BIND version it is running. This could help a would-be hacker determine whether my system is old and vulnerable to known security holes.

To tighten it up a bit, I made some edits in my config file at /etc/named.conf

At the end of the "options" section of named.conf, I added these lines:

dnssec-enable no;
version none;
hostname none;

These lines hide the version number and the BIND hostname, and disable DNSSEC (which PCI scans tell me is dangerous, even though it is intended for security).

Now, to check that your BIND version is hidden (be sure to restart BIND first), enter this at the bash command line:

dig -t txt -c chaos VERSION.BIND @myhostname.com

If you want some protection against being used as an easy DoS target, add this to your "external" view in named.conf:

additional-from-auth no;
additional-from-cache no;

"recursion no;" should be in there already; it prevents your server from being an open DNS resolver for the world. The extra lines above go a step further and prevent the server from listing the root name servers in replies to external queries. While that is just your DNS server trying to be helpful, it should simply ignore external queries for domains you don't serve. (More info here.)
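To check this hardening from both sides, here is an added Python example (my own code, not from the post and not part of BIND or its tools). It builds the same CHAOS-class TXT query for version.bind that the dig command above sends, parses the reply so that a hidden banner is recognised by its non-zero RCODE or empty answer section, and audits a named.conf for the version, hostname, recursion and additional-from-* settings discussed above. The two named.conf snippets and the banner string are constructed samples; the only real names in the code are the BIND option keywords.

```python
import re
import socket
import struct

# Settings the post recommends: the first two go in "options", the last
# three in the "external" view. dnssec-enable is a policy choice, not audited.
HARDENING = {
    "version": "none",
    "hostname": "none",
    "recursion": "no",
    "additional-from-auth": "no",
    "additional-from-cache": "no",
}

# Constructed sample configs (not the post's real named.conf).
WEAK_CONF = """
options {
    recursion no;
    // version and hostname left at their defaults: the real banner is served
};
view "external" {
    recursion no;
    zone "example.com" { type master; file "db.example.com"; };
};
"""
HARDENED_CONF = """
options {
    recursion no;
    version none;
    hostname none;
};
view "external" {
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    zone "example.com" { type master; file "db.example.com"; };
};
"""

def simple_statements(conf):
    """Collect `keyword value;` statements from named.conf text, ignoring
    comments and block nesting; enough to spot a missing one-line option."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # /* ... */
    conf = re.sub(r"(//|#).*", "", conf)                # // and # to end of line
    found = {}
    for m in re.finditer(r"([\w-]+)\s+([^;{}]+);", conf):
        found[m.group(1).lower()] = m.group(2).strip().strip('"').lower()
    return found

def audit(conf):
    """(keyword, expected, actual-or-None) for each setting missing or wrong."""
    found = simple_statements(conf)
    return [(k, v, found.get(k)) for k, v in HARDENING.items() if found.get(k) != v]

def build_version_query(txid=0x1234):
    """Wire form of `dig -t txt -c chaos VERSION.BIND`: one question for
    version.bind, QTYPE TXT (16), QCLASS CHAOS (3), no header flags."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in ("version", "bind"))
    return header + qname + b"\x00" + struct.pack("!HH", 16, 3)

def _skip_name(data, off):
    # A name is a run of <len><label> ending in 0, or a 2-byte compression pointer.
    while True:
        n = data[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:
            return off + 2
        off += 1 + n

def parse_txt_reply(data):
    """Return (rcode, TXT strings from the answer section). A hidden banner
    shows up as a non-zero rcode (REFUSED is 5) or an empty list."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4                 # skip QTYPE + QCLASS
    strings = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, off = data[off:off + rdlen], off + rdlen
        if rtype == 16:
            i = 0
            while i < len(rdata):                        # <len><chars> repeated
                strings.append(rdata[i + 1:i + 1 + rdata[i]].decode("latin-1"))
                i += 1 + rdata[i]
    return flags & 0x0F, strings

def check_banner(server, timeout=3.0):
    """Send the CHAOS query to `server`:53 over UDP and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_version_query(), (server, 53))
        return parse_txt_reply(s.recv(512))
```

After restarting BIND, `check_banner("ns.example.com")` (hostname is a placeholder) should no longer return a version string in the second element. Note that the audit flattens the block structure: it tells you whether a setting is present at all, not whether it sits in the "options" block or the right view, so still read the file by eye once.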

PS. Looking for a list of all the available options in BIND? Here is a good one; although there is not a lot of description, it does look complete.

Monday, March 15, 2010

Terms of Service - Don't Add This

Because I run a small business, I have to do everything – marketing, accounting, IT security, legal – on top of the real work of making the web site or application for my clients. When it comes to the big, confusing or time-intensive tasks, though, I am willing to pony up and pay the professionals (like when I do my taxes). Today I decided I should put on one of my many hats and take a look, once more, at my company's Terms of Service (TOS).

Interestingly, I came across this very helpful blog entry about including the famous "we can change this whenever we want and you have to check this website every day for changes" clause that many businesses add to the top of the TOS. I always wondered about this. It doesn't seem quite fair – is it really legal? Well, Eric Goldman argues that it can pretty much make your TOS invalid. Read here for more.