
Page 1: Simple and Powerful Security for PCI DSS · 2016. 9. 28. · PCI DSS 10.6.1 Review daily… logs of all servers and system components that perform security functions (for example,

Simple and Powerful Security for PCI DSS

The regulations AccessEnforcer helps check off your list.

Most merchants think they are too small to be targeted by hackers. In fact, their small size makes them a favorite target of data thieves and cyber criminals.

An astounding 96% of successful attacks on credit and debit card systems occur at small businesses [1]. The thieves can quickly sell the data on the black market, leaving the business with a damaged reputation and potential legal fees and fines.

The payment card industry now requires all merchants to meet a data security standard called PCI DSS. Every business that accepts debit or credit cards must meet the requirements.

AccessEnforcer® from Calyptix delivers simple and powerful security to help small businesses meet these requirements. Here are just a few parts of PCI DSS that AccessEnforcer helps check off your list:

PCI-DSS 1.1.4 Requirements for a firewall at each Internet connection and between any demilitarized zone (DMZ) and the internal network zone.

AccessEnforcer sits on the edge of your network to control the connections and data that attempt to enter or leave. Its firewall uses stateful packet inspection to monitor and control all live connections passed through it. Whether traffic is attempting to enter, leave, or cross the system into DMZs or other LANs, you can easily control whether it is allowed or blocked.

PCI-DSS 1.2 Build firewall and router configurations that restrict connections between untrusted networks and any system components in the cardholder data environment.

AccessEnforcer provides single-click implementation of port forwarding rules, outbound traffic filtering, and DMZ designations to create a security zone within the network that limits or eliminates access to machines that store cardholder data. The simple setup allows low-level technicians to quickly and confidently configure and isolate payment system components from untrusted networks.

© 2014 Calyptix Security Corporation. All rights reserved [email protected]

The physically segregated network interface cards (NICs) for each LAN on the AccessEnforcer provide an added layer of physical segregation and reduce the possibility of improper configurations.

PCI-DSS 1.3 Prohibit direct public access between the Internet and any system component in the cardholder data environment.

With a simple click, AccessEnforcer allows you to designate a security zone to logically isolate machines that handle cardholder data. Whether you want to block them from the Internet, from specific connections, or from all connections, you can control access as you choose.

PCI-DSS 1.3.1 Implement a DMZ to limit inbound traffic to only system components that provide authorized publicly accessible services, protocols, and ports.

AccessEnforcer allows you to quickly and easily set up DMZs so you can get online without exposing your cardholder data to threats.

PCI DSS 1.3.2 Limit inbound Internet traffic to IP addresses within the DMZ.

AccessEnforcer allows you to easily activate multiple public IP addresses or aliases. With a single click, you can activate port forwarding rules to direct inbound public Internet traffic to only the designated IP addresses for approved services in the DMZ.

PCI DSS 1.3.3 Do not allow any direct connections inbound or outbound for traffic between the Internet and the cardholder data environment.

AccessEnforcer’s port forwarding and outbound filtering rules allow for easy blocking of all inbound and outbound traffic, or allowing traffic based on the source and/or destination address.


PCI DSS 1.3.4 Implement anti-spoofing measures to detect and block forged source IP addresses from entering the network.

AccessEnforcer provides anti-spoofing measures to detect and block traffic from forged source IPs. When configured with an external or public IP address on any NIC, all inbound traffic to the public-facing NIC from the Internet purporting to come from an internal or non-routable IP address is blocked.

PCI-DSS 1.3.5 Do not allow unauthorized outbound traffic from the cardholder data environment to the Internet.

AccessEnforcer allows you to control the traffic that attempts to leave your network. If an attacker tries to steal your cardholder data, properly configured outbound filtering rules prevent the information from leaving. Because the rules can stop only traffic they do not permit, outbound rules for the cardholder data environment should allow just the specific destinations those systems need (for example, your payment processor) rather than block a list of known-bad ports.

PCI-DSS 1.3.6 Implement stateful inspection, also known as dynamic packet filtering. (That is, only “established” connections are allowed into the network.)

AccessEnforcer uses stateful packet filtering powered by OpenBSD at the core of its firewall. It is one of many features that help detect and block attacks before they can cause harm. Stateful packet inspection records every connection that is opened through the firewall and accepts a reply packet only when it matches a connection the firewall has already seen, so that malicious traffic cannot pass itself off as the response to a permitted connection.

PCI-DSS 1.3.7 Place system components that store cardholder data (such as a database) in an internal network zone, segregated from the DMZ and other untrusted networks.

Separate security zones or LANs can be easily established with AccessEnforcer to physically and logically segregate system components in the cardholder environment from untrusted and public-facing networks, such as the DMZ. The dedicated NICs for each LAN on the AccessEnforcer provide an added layer of physical segregation and reduce the possibility of improper configurations.

PCI DSS 1.3.8 Do not disclose private IP addresses and routing information to unauthorized parties.


AccessEnforcer uses Network Address Translation (NAT) so that private IP addresses and internal routing information are not exposed to the Internet. AccessEnforcer also has settings and techniques that make it harder for an unauthorized party to identify which firewall product is in use. Activating the intrusion prevention system, powered by Snort®, with Dynamic Blacklist Mode detects and blocks attempts to conduct reconnaissance on your network with malicious network scans and probes (Snort is a registered trademark of Sourcefire, Inc.).
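The zone model that requirements 1.2 through 1.3.8 describe (a stateful default-deny firewall with a DMZ, an isolated cardholder data environment, anti-spoofing on the Internet-facing interface and NAT toward the Internet) can be written out directly in OpenBSD pf, which the brochure names as the engine at the core of the AccessEnforcer firewall. The ruleset below is an added example written for this page; it is not Calyptix's configuration, and AccessEnforcer does not expose a pf.conf. The interface names (em0 to em3), the network ranges, the host addresses, the database port and the payment processor's address range are all assumed. It also shows the table that an IPS such as Snort would fill for the three-hour Dynamic Blacklist Mode block mentioned above and under 11.4.

```pf
# ---- Interfaces and address ranges (all assumed for this example) ----
ext_if = "em0"                  # Internet-facing NIC
dmz_if = "em1"                  # publicly reachable servers
cde_if = "em2"                  # cardholder data environment
lan_if = "em3"                  # general office LAN

dmz_net   = "192.168.10.0/24"
cde_net   = "192.168.20.0/24"
lan_net   = "192.168.30.0/24"
web_srv   = "192.168.10.10"     # the only DMZ host that accepts inbound connections
card_db   = "192.168.20.10"     # stores cardholder data; never reachable from the Internet
db_port   = "5432"              # application port the back office uses to reach card_db
processor = "203.0.113.0/24"    # payment processor's published range (documentation prefix)

# Private and otherwise unroutable space that must never appear as a
# source address on the Internet side (PCI DSS 1.3.4 anti-spoofing).
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }
table <inside> const { $dmz_net, $cde_net }

# Filled by the IPS when a rule fires ("pfctl -t ips_block -T add <ip>");
# a cron job ages entries out with "pfctl -t ips_block -T expire 10800"
# to get the three-hour block described for Dynamic Blacklist Mode (11.4).
table <ips_block> persist

set skip on lo0
set block-policy drop
set loginterface $ext_if

# Default deny in both directions; everything below is an explicit exception.
# OpenBSD pf keeps state on every pass rule by default, so only the first
# packet of a connection is evaluated against these rules and replies are
# accepted only for a connection the firewall already saw open (1.3.6).
block log all

# Anti-spoofing (1.3.4): drop anything arriving on an interface with a
# source address that belongs to one of our own networks, and anything
# from the Internet claiming a private or unroutable source.
antispoof log quick for { $ext_if $dmz_if $cde_if $lan_if }
block in log quick on $ext_if from <bogons>
block in log quick on $ext_if from <ips_block>

# Internet -> DMZ (1.3.1, 1.3.2): one forwarded service to one host.
# rdr-to rewrites the public destination; the second rule passes the
# rewritten packet out on the DMZ interface.
pass in  on $ext_if proto tcp to ($ext_if) port 443 rdr-to $web_srv
pass out on $dmz_if proto tcp to $web_srv port 443

# DMZ -> Internet: only what the web host needs, NATed behind the public
# address (1.3.8). Nothing from the DMZ reaches the CDE (1.3.7): <inside>
# is excluded here, so the default block covers it.
pass in  on $dmz_if proto { tcp udp } from $dmz_net to ! <inside> port { 53 80 443 }
pass out on $ext_if proto { tcp udp } from $dmz_net to any port { 53 80 443 } nat-to ($ext_if)

# CDE (1.3.3, 1.3.5): no direct Internet access in either direction.
# The single permitted egress is TLS to the payment processor's addresses;
# any other attempt to leave is logged and dropped by the default rule.
pass in  on $cde_if proto tcp from $cde_net to $processor port 443
pass out on $ext_if proto tcp from $cde_net to $processor port 443 nat-to ($ext_if)

# Office LAN: Internet access, plus the one application port on the card
# database. Anything else toward the DMZ or CDE hits the default block.
pass in  on $lan_if from $lan_net to ! <inside>
pass out on $ext_if from $lan_net nat-to ($ext_if)
pass in  on $lan_if proto tcp from $lan_net to $card_db port $db_port
pass out on $cde_if proto tcp from $lan_net to $card_db port $db_port
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Two points matter when reading it: pf evaluates a forwarded packet once on the interface it enters and again on the interface it leaves, so each permitted flow needs both a `pass in` and a `pass out` rule; and the translation is written on the `pass` rule that admits the flow, so that rule matches the packet's original addresses. Blocked packets go to pflog0 (`tcpdump -n -e -ttt -i pflog0`), which is the raw material for the daily log review in 10.6.1. For the three-hour IPS block, a root crontab entry such as `*/5 * * * * pfctl -t ips_block -T expire 10800` removes entries older than 10800 seconds.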

PCI DSS 2.1 Always change vendor-supplied defaults and remove or disable unnecessary default accounts before installing a system on the network.

AccessEnforcer does not use default or standard passwords. Each unit is built with a unique, randomly generated password that can be easily changed.

PCI-DSS 2.3 Encrypt all non-console administrative access using strong cryptography. Use technologies such as SSH, VPN, or SSL/TLS for web-based management and other non-console administrative access.

Remote administration of AccessEnforcer can only be achieved over secure socket layer (SSL) or transport layer security (TLS) connections. These connections provide strong encryption (2048-bit keys for the SSL/TLS certificates on current AccessEnforcer units) consistent with widely accepted best practices. The key size describes the certificate; the session itself is protected by the protocol version and cipher suite that are negotiated, and since PCI DSS 3.1 (April 2015) SSL and early TLS no longer count as strong cryptography, so the protocol versions the management interface accepts should be verified rather than assumed.

PCI-DSS 4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

AccessEnforcer uses SSL VPN to allow remote users to access the network with secure, encrypted connections. SSL VPN clients are generated from each unit with a unique SSL certificate for each client, providing mutual authentication and strong encryption. IPsec provides powerful encryption with 256-bit AES to secure connections between remote IT systems for retail sites, billing services, branch offices, payment processors, and service partners. These tools enable you to implement strong encryption of data during transmission.

Plus, AccessEnforcer provides powerful hardware to ensure blazing-fast speeds for encrypted traffic without bogging down your other critical network traffic.


PCI-DSS 5.1 Deploy anti-virus software on all systems commonly affected by malicious software (particularly personal computers and servers).

AccessEnforcer’s email filtering system uses the ClamAV antivirus engine to scan incoming email and attachments for viruses and malware. Additional safeguards detect and prevent malicious network traffic: the Snort intrusion detection and prevention system and the web filtering system for HTTP traffic on port 80. These gateway controls complement, but do not replace, antivirus software on the workstations and servers that Requirement 5.1 itself covers.

PCI-DSS 6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches. Install critical security patches within one month of release.

OpenBSD, the underlying operating system of AccessEnforcer, maintains an unparalleled track record: only two known vulnerabilities identified in over 15 years could have permitted remote code execution in its default configuration, and both have been patched.

AccessEnforcer leverages the default configuration of OpenBSD and receives daily automatic software updates with vendor-supplied patches, enhancements, and security signatures.

PCI DSS 8.1.5 Manage IDs used by vendors to access, support, or maintain system components via remote access.

To control or limit vendor access (or access by anyone else) to AccessEnforcer, all remote access may be easily disabled or limited to specific source IPs. Such remote access can be enabled only during the time period needed and disabled when not in use.

PCI-DSS 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

AccessEnforcer allows you to configure the amount of idle time allowed before re-authentication is required. You can set it to 15 minutes or as short as you like.


PCI DSS 10.6.1 Review daily… logs of all servers and system components that perform security functions (for example, firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), authentication servers, e-commerce redirection servers, etc.).

AccessEnforcer generates detailed logs of security events for easy review and analysis, including daily PDF reports that can be emailed automatically to designated recipients. Reports include network attack statistics based on firewall settings, outbound filtering settings, and the Snort intrusion detection and prevention system.

PCI-DSS 11.4 Use intrusion-detection and/or intrusion-prevention techniques to detect and/or prevent intrusions into the network. Monitor all traffic at the perimeter of the cardholder data environment as well as at critical points in the cardholder data environment, and alert personnel to suspected compromises.

AccessEnforcer includes Snort, a widely used intrusion detection and prevention system, to detect and block malicious traffic. Dynamic Blacklist Mode further blocks all traffic from offending source IPs for 3 hours to prevent subsequent attacks.

The IPS/IDS rules are checked and updated every day automatically. Daily, weekly and monthly reports of network alerts generated by Snort and the outbound filtering rules can be automatically generated and emailed to the proper personnel for regular review.

* * *


AccessEnforcer does more than help you achieve PCI DSS compliance – it secures your entire network.

Just remember there is no silver bullet. AccessEnforcer does not achieve compliance on its own. We encourage you to call us to discuss how AccessEnforcer can help you achieve compliance with your specific deployment.

Call us today or visit www.calyptix.com and you’ll see how easy it is to give your network the protection it needs.

Calyptix Security Corporation
8701 Mallard Creek Road
Charlotte, NC 28262
USA

Toll Free: (800) 650-8930
Phone: (704) 971-8989
Fax: (704) 971-8990
Email: [email protected]

References:

1. http://usa.visa.com/download/merchants/franchise-data-compromise-trends-102610.pdf?Nov032010


Simple and Powerful Network Security that Gets You Back to Business

Call us today or visit www.calyptix.com and you’ll see how easy it is to give your network the protection it needs.

Toll Free: (800) 650-8930

Phone: (704) 971-8989

Fax: (704) 971-8990

Email: [email protected]

Calyptix makes network security simple for small- and medium-size businesses, helping them increase profit, control technology, and protect investments.

Our next-generation device, AccessEnforcer, safeguards the performance and integrity of your network so you can rest easy knowing that your company and reputation are secure.

Spam, spyware, and hackers are just a few of the many threats AccessEnforcer detects and blocks before they can infect your business. Daily security updates help stop the newest threats automatically, and network management tools help boost the availability of your critical systems, including your VoIP phones and cloud-based apps.

Do you have to comply with regulations like HIPAA for healthcare or PCI DSS for credit cards? AccessEnforcer helps you meet and exceed these standards. It’s always ready to protect your network so you can focus on what matters most: your business.

© 2014 Calyptix Security Corporation. All rights reserved. [email protected] | (800) 650-8930

Calyptix Security Corporation
5701 Westpark Drive, Suite 201

Charlotte, NC 28217

USA