Nortel Network Hardening for PCI Compliance...?

[Alejo_NIN]

Has anyone had to do this with a nortel network?
we are a hotel and will have to harden our security on switches.
we have a PCI network with about 30 nortel switches (4548's,5510's and the casual 470 here and there with a 8600 as the core router)
so far i've done the following for hardening:
syslogs are being handle by Solutionary (3rd party company)
all switches have SSH enabled
Telnet has been disabled
Radius has been setup without accounting (gotta figure how to do that next)
Radius will be logging to Solutionary as well
SNTP server has been setup

Anything else i should do?

thanks in advance for your help!
i love this site!

[Flintstone]

Hi Alejo_NIN,

Are you using Radius for port authentication/802.1x?

CheerZ

[MisterAG]

You've also go to make sure that your configurations are backed up and reviewed constantly. RANCID or Solarwinds Orion NCM can review the configuration files and compare the existing file versus the baseline to act as a change review system.

[Alejo_NIN]

i forgot to mention that i am using Solar Winds 

i have setup the following on solar winds:
configuration back up

i will have to study more for configuration comparison and baselining.

as for the ports, no, we are not using port authentication.....will have to find out if it is required.

[serhenry]

Hello ,
normally an AUDIT should be done by Nortel/Avaya to review the VLAN/Routing configurations and users access (if 802.1x) to make sure that departement(s) are isolated each other (unless connexin requiered)
Also a security engineer should verify no ports are left opened.

Regards / Serge

[janpopovic]

Hi Alejo,
Please check the website of My Hotel IT (direct link goo.gl/cjQeL), the company provides network hardening / change of vendor defaults for PCI compliance as a service and does also support Nortel.

[Dominik]

Hi Alejo,

there are some additional features that you should consider for harden the security of your swithes:

-ACLs for the managment. (ipmgr)
-DHCP Snooping
-IP Source Guard
-ARP Inspection
-MAC Security

I would also recommand to use SNMPv3 instead of SNMP v1/v2.

Good Luck

[Irishbanker]

Hi,
we are going through the same process as well.
Very little information on Avaya and Nortel sites regarding this but there are some release notes for the 55xx and 8600 most of which has been advised here.
with regards to PCI compliance, there are guidelines but it really is up to yourself as to the level you want to go to and of course what your Security department require, most of whom would prefer if we didnt switch the network equipment on !

It really is a never ending task, because we would take CC details over the phone we now have to look at encrypting all voice traffic, all traffic from clients to servers and our backend has to be encripted as well, when our agent wants to verify the CC details from a customer a computer program kicks in to read it back to the customer so the agent does not read it aloud!!!
Hopefully we will soon be getting a few of those Gizmo`s from "Men in Black" that we can wipe the agents memory at the end of the day so they dont store CC info in their head.!!!

[Alejo_NIN]

thahks guys
i will discuss with my Security Engineer.