PCI Compliance- Two Factor Authentication (2FA) for remote administrators

[rbngan]

I'm a volunteer remote administrator of a small network (I live 120 miles away and can not run down the hall to access the server). The current PCI requirements require any remote access to a network to use Two Factor Authentication (and is needed as evidenced by all the high profile security breaches due to insecure remote access) when connecting to any server on the same network as card data. I've been able to implement this in most all remote access except Untangle (btw OpenVPN is not considered remote per the PCI Standards so I'm not looking for 2FA with OpenVPN). I would like to be able to remote log into the web portal with 2FA to do the changes or updates needed. I often an out of the office when I have to log in. This has become such a high priority for PCI compliance (anyone without this is out of compliance and could be the next big story. When or how can this be implemented in the untangle web portal? I'm working with Duo Security now on a trial basis to see if this is the company I want to move forward with. Anyone have any suggestions on any easy ways to do this (no hacks as any updates may only break them). Anyone using 2FA now and have any suggestions on how to set this up? And finally, How can we have UT move to add the 2FA mandated PCI requirement to UT ver 11?

[jcoffin]

The PCI standards for two-factor authentication only effect remote access to a network through non-vpn methods.

[rbngan]

I'm accessing the web interface of Untangle through a non VPN method. It's HTTPS, but it is only one authentication factor. PCI compliance require two. Everywhere I find the following summary:

When is Two-Factor Authentication Required?

All remote access to the PCI network must utilize two-factor authentication. In simple terms, remote access can be interpreted as any connection or access that crosses public networks. If any of the networks between the access source and Cardholder Data Environment (CDE) are considered to be public, or owned and operated by another entity, then the access should be considered remote. Virtual Private Networks (VPN) technologies create some interesting exceptions, as they effectively cause remote networks to behave like local networks.

For the purposes of requirement 8.3, point-to-point VPN technologies can be considered local network access, and Remote Access (RA) or client VPN technologies should be considered as remote. In both cases, you may need additional review to ensure that the controls adequately meet the intent of the requirement to utilize two-factor authentication for remote access to the CDE.
- See more at: http://www.secureworks.com/resources....L2oBEs7T.dpuf

[sky-knight]

The admin login to the Untangle server doesn't provide access to the PCI network, merely the device itself.

If you choose to interpret it this way, you'll have no choice but to disable remote admin, and administrate the device via the VPN.

[rbngan]

It's not that I choosing to interpret it one way or the other.
Here are the facts
-We have card data processing on our network via IP so we have to be PCI compliant to PCI standard 8.3
-The UT box is on our network - It has access and permission to give access to any area of our network.
-All the data from the network runs through the UT box as it is our firewall and much more to the public WWW.
-Remote web access gives access to all the setting of that firewall and therefore can be the point of a security breach in which
2FA is designed to prevent.

How am I interpreting this incorrectly that UT is not on our network which has card data?

[jcoffin]

You have your answer for your PCI compliance. as sky-knight pointed out. " disable remote admin, and administrate the device via the VPN."

[rbngan]

Your work around will not work for me. VPN is not a solution for me. I'm on the road a lot and have to access the web management quickly. All other aspect of the network have 2FA except Untangle. Untangle's lack of 2FA makes my network non-PCI compliant since I need the web access. Does anyone else use UT in a Card Data environment? and if so have you found a way to use 2FA? 2FA access is a requirement for PCI, I've used Untangle for many years. Does Untangle intend to implement the PCI requirement of 2FA in a cardholder environment?.

[sky-knight]

Let me put this another way...

I know of no router, or router OS, that does two factor authentication for its management.

This includes Cisco. VPN is your only option if you wish to interpret it this way. The IPSec module in Untangle 10 has an l2tp terminator you can use without a client installation on Windows, MacOS, Android, and iOS.

Because again, the directive is in reference to accessing devices on the network in question. Technically speaking Untangle is on that network, but it's also an another network. So if you're after two factor for management, Untangle doesn't have it.

[dmorris]

Sure tons of people use Untangle is a card environment.

Remember though that you specifically changed the defaults such that you fail your test, most people probably don't do that.
(Well, you aren't actually failing, because as clearly explained the 2FA requirement does not apply in this case)

As stated, revert to defaults, install OpenVPN. Connect with openvpn then login to the administration. Connecting to OpenVPN is two clicks (on windows anyway). If this is too difficult because its not "quick" enough for you then it is unlikely that any additional authentication method would work either anyway.

FWIW, it seems like you don't really want help. Not sure what your goal here is. If you just wanted to submit a feature request/feedback - thanks. We hear you.

[RBoynton]

For the purposes of requirement 8.3, point-to-point VPN technologies can be considered local network access, and Remote Access (RA) or client VPN technologies should be considered as remote. In both cases, you may need additional review to ensure that the controls adequately meet the intent of the requirement to utilize two-factor authentication for remote access to the CDE.

Though I understand the need for PCI compliance (we go through the questionnaire each year too along with quarterly scans), it is almost funny how these folks want us to dink around with this while hackers are accessing the data directly from back-end servers. It is like being scrutinized by TSA at the airport while our boarders are wide open. Go figure...