You can't secure what you don't acknowledge.SM

Thursday, September 4, 2008

PCI v1.2 = 802.1x for wireless? Yeah right!

Apparently the new changes in PCI DSS v1.2 (due out in October) are going to require more robust wireless security. As if no new WEP implementations after March 2009 and none at all after June 2010 weren't enough... Wireless must now be "implemented according to industry best practices (e.g., IEEE 802.1x) using strong encryption for authentication and transmission".

Yeah right!! So people using WEP not only have to upgrade their hardware but they've also got to take on the 802.1x beast for authentication and encryption? Maybe in the enterprise, but not for SMBs. I suspect we'll either see a lot of wireless-centric PCI violations or SMBs will just yank their wireless altogether. Maybe it's a good time for me to invest in some of these wireless security vendors.

Hopefully I'm just interpreting the new requirements incorrectly.
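To make the requirement concrete, here is a small inventory audit (an added example, not code from the post or from the PCI standard) that applies the two WEP deadlines and the 802.1x / strong-encryption wording quoted above to a list of access points. Which ciphers count as "strong" and how a pre-shared key is treated are my own assumptions and are labelled as such in the code.

```python
from dataclasses import dataclass
from datetime import date
# Deadlines as stated in the post: no new WEP after March 2009, none after June 2010.
NEW_WEP_CUTOFF = date(2009, 3, 31)
ALL_WEP_CUTOFF = date(2010, 6, 30)
# Assumption (my reading, not the standard's text): "strong encryption" means
# WPA2/802.11i with AES-CCMP; WPA/TKIP is flagged for review rather than failed.
STRONG_CIPHERS = {"CCMP"}

@dataclass
class AccessPoint:
    ssid: str
    security: str   # "open", "wep", "wpa" or "wpa2"
    cipher: str     # "", "TKIP" or "CCMP"
    auth: str       # "psk" or "802.1x"
    deployed: date  # date the AP went into service

def audit_ap(ap, today):
    """Return ("pass" | "warn" | "fail", reasons) for one access point."""
    if ap.security == "open":
        return "fail", ["no encryption"]
    if ap.security == "wep":
        if today > ALL_WEP_CUTOFF:
            return "fail", ["WEP not permitted after June 2010"]
        if ap.deployed > NEW_WEP_CUTOFF:
            return "fail", ["new WEP deployment after March 2009"]
        return "warn", ["WEP must be replaced before July 2010"]
    reasons = []
    if ap.cipher not in STRONG_CIPHERS:
        reasons.append(f"{ap.security.upper()}/{ap.cipher} is not AES-CCMP")
    if ap.auth != "802.1x":
        # The post's open question: whether a PSK still satisfies the wording.
        reasons.append("pre-shared key rather than 802.1x; confirm with your QSA")
    return ("warn" if reasons else "pass"), reasons

def audit_inventory(aps, today):
    """Map each SSID to its (status, reasons) pair."""
    return {ap.ssid: audit_ap(ap, today) for ap in aps}

# Constructed sample inventory (not real data) audited on two dates.
SAMPLE_APS = [
    AccessPoint("POS-LEGACY", "wep", "", "psk", date(2007, 5, 1)),
    AccessPoint("POS-NEW", "wep", "", "psk", date(2009, 6, 15)),
    AccessPoint("STORE", "wpa", "TKIP", "psk", date(2008, 1, 10)),
    AccessPoint("CORP", "wpa2", "CCMP", "802.1x", date(2008, 8, 1)),
]
RESULTS_2009 = audit_inventory(SAMPLE_APS, date(2009, 9, 1))
RESULTS_2010 = audit_inventory(SAMPLE_APS, date(2010, 7, 1))
```

Running it against the same inventory on the two dates shows the legacy WEP network sliding from "warn" to "fail" once the June 2010 deadline passes.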

4 comments:

  1. Hey Kevin, recently discovered your blog.

    Hands down, no more WEP; however, could it be assumed that SMBs can upgrade hardware to WPA/WPA2-supported devices, still use PSKs, and rotate them according to the current requirements in v1.1 if WEP is used?

    While this still can be costly for large retail outlets, this would reduce cost by not having to implement RADIUS servers or other authentication devices.

  2. I think that remains to be seen... It would make sense to allow for WPA2-PSKs since they work really well.

  3. Hi Kevin,
    PCI is not only mandating the strong encryption and authentication but also a Wireless Analyzer / WIPS along with logging. For organizations which are geographically distributed with many small offices, it's becoming really difficult to invest so much just to go to each and every location and do a wireless scan for rogue device detection.

    I want to know if the implementation of 802.1x over my network switches across my organization can act as a compensating control to eliminate the requirement for a Wireless Analyzer/WIPS.

    Can you please look into this?

  4. I don't see the requirement for a wireless analyzer and WIPS in the latest standard at https://www.pcisecuritystandards.org/security_standards/pci_dss_download.html.

    I may be overlooking something... It looks like you can just implement industry best practices such as 802.11i (WPA version 2) and be set.
