GhostPorts has filled a gap in Linux and Windows firewalls: a cross-platform, flexible, and inexpensive way of providing temporary two-factor authenticated access to a service. More practically, it lets us access sensitive servers without the need to open them up to the entire Internet.
One thing you might not have considered is that the same GhostPorts technology can help when you’re working through the Self Assessment Questionnaire for PCI.
How GhostPorts Can Help With PCI
Section 8 of the PCI requirements focuses on identity and authentication. In subsection 8.2 each user needs to have a password, token or smart card, or biometric authentication. GhostPorts supports both the Yubikey one-time password token and SMS one-time passwords; both are classified as “token or smart card”.
Section 8.3 recommends using two of these factors when allowing remote access to your network; a YubiKey or SMS one-time password plus a password (both are required to open GhostPorts) gives two-factor authentication. The beautiful part is that you need to provide both of those just to get to the server port. If the service you access via GhostPorts has its own authentication, you now need to provide three or more factors to get to that service. For those services that don’t have any authentication at all, you still get the two factors needed to reach the port with GhostPorts.
This protection can be used to protect any service port, such as traditional services like HTTP and HTTPS, remote access ports like SSH and RDP, file sharing ports like SMB and NFS, and all of the other 131,072 TCP and UDP ports.
In section 8.5.16 of the PCI questionnaire you’re asked to authenticate and restrict all database access to databases with cardholder data. GhostPorts not only allows you to limit access to just those authorized users, but also keeps a log of when each user started and stopped their GhostPort session, allowing you to identify who might have had access in a given time period.
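To show how a session start/stop log answers the "who might have had access in a given time period" question from section 8.5.16, here is an added Python example; it is not GhostPorts code, and the log format and sample sessions are constructed for illustration (the real GhostPorts log format is not assumed).

```python
from datetime import datetime

# Constructed sample session log (NOT the real GhostPorts log format): one line
# per session as user,port,start,stop. An empty stop means the session is still open.
SAMPLE_LOG = """\
alice,5432,2013-04-02T09:00:00,2013-04-02T09:45:00
bob,5432,2013-04-02T09:30:00,2013-04-02T10:15:00
carol,22,2013-04-02T11:00:00,2013-04-02T11:20:00
dave,5432,2013-04-02T13:00:00,
"""


def parse_sessions(text):
    """Parse 'user,port,start,stop' lines into dicts; stop is None for open sessions."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, port, start, stop = line.split(",")
        sessions.append({
            "user": user,
            "port": int(port),
            "start": datetime.fromisoformat(start),
            "stop": datetime.fromisoformat(stop) if stop else None,
        })
    return sessions


def users_with_access(sessions, port, window_start, window_end):
    """Return the sorted list of users whose session on `port` overlapped the window.

    Two intervals overlap when each one starts before the other ends. A session
    with no stop time is treated as still running, so it overlaps any window
    that ends after the session started.
    """
    users = set()
    for s in sessions:
        if s["port"] != port:
            continue
        stop = s["stop"] or datetime.max
        if s["start"] < window_end and stop > window_start:
            users.add(s["user"])
    return sorted(users)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    # Who could reach the database port between 09:40 and 10:00?
    print(users_with_access(sessions, 5432,
                            datetime(2013, 4, 2, 9, 40),
                            datetime(2013, 4, 2, 10, 0)))  # → ['alice', 'bob']
```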
Vendor access to network resources is similarly restricted by sections 8.5.6 and 12.3.9. You can set up GhostPort access for your vendors and limit them to only specific services with GhostPorts.