Use of server virtualization to create network zones


downeypci
07-08-2007, 09:10 PM
To address requirement 1.3.4 in a small IT environment, can server virtualization be used in conjunction with a multi-interface firewall to create segmented network zones on a single server?

jbhall56
07-09-2007, 06:34 AM
I would say that server virtualization can be used in the situation you describe to create a separate zone/segment as long as you use either a physically separate NIC or separate NIC on a multi-NIC card in the server to physically separate the network connections between the two servers and any management network you might have implemented. The sharing of NICs between VMs can be a potential attack point.

In addition, I would also recommend the use of a monitoring solution on both logical servers AND the host (if running the hypervisor on top of a commercial OS). This can be a Host IDS/IPS solution or Tripwire or other similar file monitoring solution.

I would also make sure that the Shared Folders or any other VM communication options are NOT enabled between the virtual servers, the host and/or each other.

downeypci
07-09-2007, 08:22 AM
Thanks very much for the prompt and clear response.

Any guidance on firewall solutions? My client is now using Juniper / NetScreen devices, but needs to upgrade, and would be open to changing to another manufacturer's equipment.

mspringfield
07-10-2007, 06:29 AM
In my opinion I would have to look very closely at a non-enterprise ready virtualization platform (VMware Server vs. VMware ESX) for PCI compliance. ESX is an enterprise solution that, if deployed properly, can produce compliant virtual servers as long as the virtualization management platform is fully compliant as well.

As far as the NIC issue is concerned -- in an enterprise deployment multiple VMware images will share the same NIC (in almost all cases). This is done through 802.1Q and is used in just about every enterprise data center out there. It is the same technology that allows spanning of VLANs over multiple switches.

The important item from a PCI assessment perspective is to ensure that if 2 VMs on the same host machine are supposed to be segmented by a firewall, that the traffic will exit the host machine and go through a firewall, and enter the host machine again. You will have to show the virtual switch configuration as well as the physical switch conf to prove this.

Hope this helps!

~matt
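
An added example, not part of the post above or of any vendor tool: a small Python audit of the point about VMs that must be segmented by a firewall, run over a constructed inventory of virtual switch, physical trunk and firewall VLAN data. The inventory format, host and VM names, zones and VLAN IDs are all made up, and the check assumes the firewall is the only device routing between VLANs.

```python
from collections import defaultdict
from itertools import combinations

# Constructed inventory; all names, zones and VLAN IDs are made up.
VMS = [
    {"name": "web01", "host": "esx-a", "zone": "dmz",  "vswitch": "vSwitch1", "vlan": 10},
    {"name": "db01",  "host": "esx-a", "zone": "cde",  "vswitch": "vSwitch1", "vlan": 20},
    {"name": "app01", "host": "esx-a", "zone": "cde",  "vswitch": "vSwitch1", "vlan": 10},
    {"name": "log01", "host": "esx-b", "zone": "mgmt", "vswitch": "vSwitch0", "vlan": 30},
]
TRUNK_ALLOWED = {"esx-a": {10, 20}, "esx-b": {10, 20}}  # VLANs on each host's physical trunk
FIREWALL_VLANS = {10, 20, 30}                            # VLANs that have a firewall interface


def audit(vms, trunk_allowed, firewall_vlans):
    """Return sorted (kind, detail) findings for segmentation gaps."""
    findings = set()
    by_vlan = defaultdict(list)
    for vm in vms:
        by_vlan[vm["vlan"]].append(vm)
        # The physical switch must carry the VLAN, or traffic cannot reach the firewall.
        if vm["vlan"] not in trunk_allowed.get(vm["host"], set()):
            findings.add(("not-trunked",
                          f'{vm["name"]}: VLAN {vm["vlan"]} missing on {vm["host"]} uplink'))
        if vm["vlan"] not in firewall_vlans:
            findings.add(("no-firewall-interface", f'{vm["name"]}: VLAN {vm["vlan"]}'))
    # Two zones on one VLAN share a layer-2 segment, so no firewall sits between them.
    for vlan, members in by_vlan.items():
        for a, b in combinations(members, 2):
            if a["zone"] == b["zone"]:
                continue
            same_vswitch = (a["host"], a["vswitch"]) == (b["host"], b["vswitch"])
            kind = "bypass-inside-host" if same_vswitch else "bypass-on-physical-switch"
            findings.add((kind, f'{a["name"]}<->{b["name"]} share VLAN {vlan}'))
    return sorted(findings)


if __name__ == "__main__":
    for kind, detail in audit(VMS, TRUNK_ALLOWED, FIREWALL_VLANS):
        print(f"{kind}: {detail}")
```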

jbhall56
07-11-2007, 06:08 AM
Remember, not every organization can afford or justify VMware ESX as a solution nor do they all use VMware as their solution. We have a lot of clients running VMware GSX and Workstation on a Linux host environment, so one cannot always assume an ESX environment. And while VMware controls a large part of the virtualization market, it's not the only player, so my answer also included my limited experience with Xen and Virtual Iron.

In regard to firewalls, there are boatloads of solutions out there. The key is to make sure that they perform stateful inspection, can segregate traffic and can meet all of the other requirements in section 1 of the PCI DSS. Personally, I have a preference for Cisco PIX and Checkpoint, but that's because that's what I'm familiar with because I 'grew up' with them.

J.D. Oder II
07-19-2007, 05:28 PM
Depending on the virtualization solution (VMware, VirtualPC, VirtualServer, etc.), one still will need to make sure that the host OS is in fact kept secure and all patched up.

A virtualized system with a non-protected host OS is in many ways worse off than a system traditionally configured.

Virtualization can be a powerful security tool, but done wrong, and you can be in a world of hurt. Based on its nature, and the lack of general acceptance (security industry scrutiny that is), I would be cautious.