Key things to consider when planning segmentation testing for PCI DSS 11.4.5?


Recently Fluffy_Swim9634 posted the question "How to conduct a segmentation test for PCI?" on Reddit. I originally replied that perhaps it would be best if an external pentester did that job, but I thought I would elaborate as I've recently had some of my clients make a few mistakes with this requirement. 

There are some key points to keep in mind when you are planning to conduct segmentation testing. 

  1. You only need to do segmentation testing if you are trying to prove certain networks are out of scope of your assessment: This is my number 1 for a reason. I had a client recently show me segmentation testing results, yet all of their network segments had some processing or storage of cardholder data, so they paid a bunch of money to a pentester for no reason. 
  2. Not all entities must complete segmentation testing: Check with your acquirer; the SAQ you may need to complete may not require any testing of segmentation controls. For example, some of my clients have been instructed by their acquirer to complete SAQ B-IP, but to ignore this requirement. 
  3. The tester must be qualified: The requirement explicitly states that the test must be "Performed by a qualified internal resource or qualified external third party." So, if you have never run an nmap scan before, you may need to call in a third party (such as a pentester). 
  4. The tester must be independent: The exact words are "Organizational independence of the tester exists." This is definitely the point that gets missed most often. If you are the network/system administrator and you set up the segmentation controls, you cannot be the person who performs the test. And if there is no one else in the organization with the skills to perform the test, you may be forced to hire an external resource. 
  5. Do not DoS your own network: I had a client who was fed up waiting hours for nmap scans to finish and thought he'd found the perfect solution. Masscan made testing of segmentation controls much quicker than using nmap, but with significant risk. According to Robert Graham, the creator of Masscan, the tool is capable of scanning a port on the entire internet in six minutes with the command: 
    sudo masscan 0.0.0.0/0 -p443 --rate 250000000 --exclude 255.255.255.255
    That's all well and good, but spare a thought for your poor stateful firewall, which will need to allocate a small portion of memory in its state table for each TCP connection that is initiated. Take up all that memory and you'll have some angry colleagues knocking on your door in no time. 
  6. You need to produce a report: No use doing the testing if you don't have an artefact to give the auditor. Make sure you include what commands were run and from where. 
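To make points 5 and 6 concrete, here is an added example (not part of the original post or any tool it mentions): a small Python helper that builds a rate-limited nmap command for a scan launched from an out-of-scope host, checks the resulting nmap XML for any port the probe actually reached, and prints the section you would hand the auditor. The nmap XML below is a constructed sample, and the host addresses, tester name and port list are placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample of nmap -oX output for a scan launched from a host on an
# out-of-scope segment toward one CDE address (not real scan data).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -Pn -p 22,443,1433 --max-rate 100 -oX cde.xml 10.10.20.5">
  <host><address addr="10.10.20.5" addrtype="ipv4"/><ports>
    <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/></port>
    <port protocol="tcp" portid="443"><state state="open" reason="syn-ack"/></port>
    <port protocol="tcp" portid="1433"><state state="filtered" reason="no-response"/></port>
  </ports></host>
</nmaprun>"""

def build_scan_command(targets, ports, max_rate=100, outfile="seg.xml"):
    """Rate-limited nmap command: --max-rate caps packets per second so the
    stateful firewall in the path is not flooded with new TCP state entries."""
    return ["nmap", "-Pn", "-p", ",".join(str(p) for p in ports),
            "--max-rate", str(max_rate), "-oX", outfile, *targets]

def find_segmentation_gaps(xml_text):
    """Return (host, port, state) for every port the probe reached.
    Only 'filtered' shows the control dropped the probe: 'closed' means the
    host answered with a RST, so a path through the segmentation control
    exists even though nothing is listening on that port."""
    root = ET.fromstring(xml_text)
    gaps = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if state != "filtered":
                gaps.append((addr, port.get("portid"), state))
    return gaps

def report_section(source_host, tester, xml_text):
    """Text block for the auditor artefact: who ran what, from where, with what result."""
    args = ET.fromstring(xml_text).get("args")
    gaps = find_segmentation_gaps(xml_text)
    lines = [f"Segmentation test run {datetime.now(timezone.utc):%Y-%m-%d} by {tester}",
             f"Source host (out-of-scope segment): {source_host}",
             f"Command: {args}",
             "Result: " + ("PASS - all probes filtered" if not gaps else "FAIL - reachable ports:")]
    lines += [f"  {h} tcp/{p} {s}" for h, p, s in gaps]
    return "\n".join(lines)

if __name__ == "__main__":
    print(" ".join(build_scan_command(["10.10.20.0/24"], [22, 443, 1433])))
    print(report_section("192.168.50.10", "J. Doe (independent tester)", SAMPLE_NMAP_XML))
```

With the sample output the report flags tcp/443 as reachable, which is exactly the kind of finding that means the segment cannot be treated as out of scope until the control is fixed and the test repeated.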

If you’ve read this and still feel confident to proceed, we wish you the best of luck! If not, feel free to reach out, and we might be able to connect you with someone in your area who can assist with the necessary tests.
