Cisco PCI Solution for Retail Design and Implementation Guide
Solution Architecture

Table Of Contents

Solution Architecture

Applications and Partner Services

Application Networking Services

Infrastructure Services

Network Systems Layer

Retail Store Network Designs

Small Store

Primary Design Requirements

Overview and Description

Advantages

Limitations

Medium Store

Primary Design Requirements

Overview and Description

Advantages

Limitations

Large Store

Primary Design Requirements

Overview and Description

Advantages

Limitations

Data Center

Primary Design Requirements

Overview and Description

WAN Aggregation

Core

Services (Edge) Aggregation

Server Access Layer

Storage

Advantages

Limitations

Internet Edge

Primary Design Requirements

Overview and Description


Solution Architecture


The architecture for the Cisco PCI Solution for Retail is based on Cisco's Connected Retail, which is a Service-Oriented Network Architecture (SONA). For more information on SONA and Cisco Connected Retail, refer to the following URL:

http://www.cisco.com/go/retail

The Cisco Connected Retail reference designs serve as the foundation of the network systems layer. These network designs exhibit best practices for small, medium, and large retail store networks as well as data center and Internet networks. (See Figure 2-1.)

Figure 2-1 Cisco PCI Solution for Retail SONA Framework

Applications and Partner Services

The top layer of the SONA framework includes the retail applications and services that are part of the Cisco PCI Solution for Retail. These include point-of-sale, payment, and encryption applications. Some of these applications use popular middleware services based on J2EE, .NET, or other systems. Cisco Connected Retail and its shared network services approach allow these various Service-Oriented Architecture (SOA) environments to share the same infrastructure services across multiple retail network topologies. Finally, the right side of the Application Layer includes the professional services that retailers must employ as part of the PCI process: annual audits, network scans, and remediation services complete the Cisco PCI Solution for Retail framework.

Application Networking Services

Application services are the connection from the business applications to the shared services of the infrastructure services layer. This is where filtering, caching, load balancing and protocol optimization interact with applications or application middleware services to optimize the performance from the source of data to the end user.

Application delivery services in this solution include server load-balancing and content filtering features that Cisco IOS routers or Cisco Application Control Engines (ACEs) perform.

Infrastructure Services

Process control is simplified by using common infrastructure services for security, mobility, identity, and management. These are key advantages that aid in operational reporting and in meeting the policy requirements of PCI compliance. A smaller set of services, shared across more intelligent devices, increases the operational efficiency of the whole system.

Security services are used extensively in the PCI Solution for Retail architectures. These services are a combination of security features shared across multiple physical devices, central management in the data center, and virtual access to the security control plane from anywhere in the retail network.

Firewall services run on the ISR, the Firewall Services Module (FWSM), and the Adaptive Security Appliance (ASA), securing both application and interface services.

Intrusion Detection and Prevention systems (IDS/IPS) are used across the Cisco ISR, ASA, Intrusion Detection System Services Module 2 (IDSM2), Unified Wireless Network (UWN), and Cisco Security Agent (CSA) at the point-of-sale (POS) host and server levels. The combination of these systems is centrally managed through the Cisco management applications in the data center. Again, distributed access to the IDS/IPS control plane of the system is available from anywhere on the retail network.

Monitoring, Analysis and Remediation data is correlated by the centralized event correlation applications in the data center. The Cisco Security Monitoring, Analysis, and Response System (CS-MARS) not only does correlation and monitoring, but it can also remediate network attacks dynamically or through reactive alarm notifications. The CiscoWorks Network Compliance Manager (C-NCM) can enforce PCI policy on devices it monitors.

Mobility services are another important area in the solution. Retailers are demanding support for mobile POS and inventory applications operating on handheld computers or mobile POS kiosks. The Cisco UWN supports a very scalable set of wireless LAN (WLAN) systems ranging from single access points to systems connecting thousands of access points as a single, centrally managed domain. The retail store networks use various WLAN systems, depending on the requirements of the store category.

Identity services are used to help ensure that authenticated and authorized users are allowed access to retail network systems. The Cisco Secure Access Control Server (CS-ACS) provides the central management of the RADIUS and TACACS+ systems configured on each network device throughout the architecture. A central LDAP-based directory service enhances CS-ACS in helping it meet the requirements of PCI. The use of a distributed network time service helps to ensure consistent synchronization of network and application events, and allows better correlation of events.
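The following Cisco IOS fragment is an added illustration of the identity and time services described above; it is not configuration from this guide or from the solution test bed. It points a store ISR at CS-ACS for TACACS+ authentication, authorization and command accounting, at an authenticated NTP source, and at a syslog collector. All addresses and key strings are placeholders, and it assumes the router already has a hostname, domain name and RSA key pair so that SSH can be enabled.

```cisco
! Added example: AAA, authenticated NTP and logging on a store ISR.
! Addresses and keys are placeholders, not values from the solution.
aaa new-model
! Two CS-ACS servers on the management network; with no named server
! group, "group tacacs+" uses every configured host in order
tacacs-server host 10.254.1.10 key PLACEHOLDER-TACACS-KEY
tacacs-server host 10.254.1.11 key PLACEHOLDER-TACACS-KEY
! Authenticate and authorize every administrative login against CS-ACS;
! the local database is used only if both servers are unreachable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Account each privileged session and each level-15 command to the
! user who issued it, which is the per-user audit trail CS-MARS correlates
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
! Emergency local account; day-to-day accounts live in CS-ACS/LDAP
username pci-admin privilege 15 secret PLACEHOLDER-LOCAL-SECRET
! Management access only over SSHv2, with lockout after repeated failures
ip ssh version 2
login block-for 300 attempts 3 within 60
line vty 0 4
 transport input ssh
! Clocks come from the data center NTP source and are authenticated so a
! rogue NTP speaker cannot skew timestamps and break event correlation
ntp authenticate
ntp authentication-key 1 md5 PLACEHOLDER-NTP-KEY
ntp trusted-key 1
ntp server 10.254.1.20 key 1
! Millisecond timestamps with time zone, forwarded to the central collector
service timestamps log datetime msec localtime show-timezone
logging host 10.254.1.30
logging trap informational
```

The `local` fallback keeps the router reachable if both CS-ACS servers are down, but while they are up every login and every privilege-15 command is accounted centrally under the individual's name rather than a shared password. Authenticated NTP is the less obvious half of this: an attacker who can move a device's clock can make its events impossible to line up with everyone else's.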

Management systems are used across all the devices, applications, and services throughout the architecture. Network systems are managed with the CiscoWorks LAN Management Solution (C-LMS) (configurations and administrative elements). The Cisco Security Manager (CS-M) manages the security elements of the devices so that a security department has independent control, outside of the IT network systems team. The CiscoWorks Network Compliance Manager (C-NCM) can work with C-LMS to report on which devices are within compliance guidelines and which are not. For those that are not meeting guidelines, C-NCM can restore configurations and permit users to enforce configuration mandates.

Wireless systems are managed with the Cisco Wireless Control System (WCS). These systems include configurations, administrative elements, and security services.

RSA data security applications use specific management tools in this architecture. RSA File Security Manager manages file encryption services on hosts and servers that hold payment data. RSA enVision is used to monitor and log events associated with RSA SecurID-based two-factor authentication in this solution.

Network Systems Layer

Network virtualization services are built into the architecture. For example, the Cisco ISR in each store network design virtualizes the security, routing, and identity services that many separate network appliances perform in legacy retail network architectures. Virtualization is also a key feature of the Cisco Unified Wireless systems in each store topology, which manage the wireless infrastructure holistically rather than at each access point. The wireless system dynamically tunes and heals itself based on inputs from the central management system. The combined group of network systems in each store reference design also feeds data to the central network and security monitoring system. This virtualization of the entire enterprise allows the central correlation of events to drive proactive and adaptive techniques that make the overall retail environment more secure.

Path Isolation is a key component of network virtualization. The Cisco PCI Solution isolates point-of-sale and network control traffic from other types of network traffic using VLANs, multiple WLAN SSID domains, and a private Frame Relay network from the stores to the data center centralized management. Other techniques can also be used to isolate sensitive traffic and are covered in detail in the Enterprise Network Virtualization design guides that can be found at the following URL:

http://www.cisco.com/en/US/netsol/ns656/networking_solutions_design_guidances_list.html#anchor7
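As an added example of VLAN-based path isolation on a store ISR (not configuration taken from this guide), the fragment below places POS, back-office and wireless-inventory endpoints in separate VLANs and uses ingress ACLs so that POS devices can reach only the payment application servers in the data center. VLAN numbers, store prefixes, the management range (10.254.0.0/16) and the payment server range (10.200.10.0/24) are placeholders.

```cisco
! Added example: path isolation with VLANs and ingress ACLs on a store ISR.
! VLAN 20 = POS endpoints, VLAN 30 = back-office PCs, VLAN 40 = the
! wireless SSID used by inventory handhelds. All addressing is placeholder.
interface GigabitEthernet0/0.20
 description POS VLAN
 encapsulation dot1Q 20
 ip address 10.10.20.1 255.255.255.0
 ip access-group POS-IN in
interface GigabitEthernet0/0.30
 description Back-office VLAN
 encapsulation dot1Q 30
 ip address 10.10.30.1 255.255.255.0
 ip access-group STORE-IN in
interface GigabitEthernet0/0.40
 description Wireless inventory VLAN
 encapsulation dot1Q 40
 ip address 10.10.40.1 255.255.255.0
 ip access-group STORE-IN in
!
! POS devices may obtain an address, resolve names, sync time, and talk
! TLS to the payment servers. Anything else they originate, including
! traffic toward the other store VLANs, is dropped and logged.
ip access-list extended POS-IN
 permit udp any eq bootpc any eq bootps
 permit udp 10.10.20.0 0.0.0.255 host 10.254.1.40 eq domain
 permit udp 10.10.20.0 0.0.0.255 host 10.254.1.20 eq ntp
 permit tcp 10.10.20.0 0.0.0.255 10.200.10.0 0.0.0.255 eq 443
 deny   ip any any log
!
! Non-POS VLANs are kept out of the POS VLAN and the management network;
! everything else goes to the WAN for the data center firewalls to judge
ip access-list extended STORE-IN
 deny   ip any 10.10.20.0 0.0.0.255 log
 deny   ip any 10.254.0.0 0.0.255.255 log
 permit ip any any
```

The ACLs are applied inbound on the LAN subinterfaces, so they govern what each VLAN can originate; replies from the payment servers arrive on the WAN side and are not affected. The WAN interface still needs its own stateful policy (IOS Firewall inspection or the data center firewall), because these lists say nothing about what the data center may initiate toward the store.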

Services Edge is where the Cisco Connected Retail infrastructure services connect to the physical world of the network infrastructure. In this area, firewall, policy enforcement, and policy management services are constructed to control service access between the store POS domain, other in-store LAN domains, and the WAN connection to remote services. The data center and Internet edge each use services edge to aggregate integrated infrastructure services and affect all traffic coming through these parts of the designs.

Retail Store Network Designs

Small Store

The small store network scenario, shown in Figure 2-2, meets the following design requirements.

Primary Design Requirements

Store size averages between 2,000-6,000 square feet

Fewer than 25 devices requiring network connectivity

Single router and integrated Ethernet switch

Preference for integrated services within fewer network components because of physical space requirements

Wireless connectivity

Figure 2-2 Cisco PCI Solution for Retail—Small Store Network Design

Overview and Description

The small store reference architecture is a powerful platform for running an enterprise retail business that requires simplicity and a compact form factor. This combination appeals to many different retail formats that can include the following:

Mall-based retail stores

Quick-serve restaurants

Convenience stores

Fuel stations

Specialty shops

Discount retailers who prefer network simplicity over other factors

This network architecture is widely used and consolidates many services into fewer infrastructure components. The small store also supports a variety of retail business application models because an integrated Ethernet switch supports high-speed LAN services. In addition, an integrated Content Engine supports centralized application optimization requirements such as Web Cache Communication Protocol (WCCP)-based caching, pre-positioning of data, local media streaming, and other application velocity services.

Advantages

Lower cost per store

Fewer parts to spare

Fewer software images to maintain

Lower equipment maintenance costs

Limitations

Decreased levels of network resilience

Greater potential downtime because of single points of failure

Medium Store

The medium store network scenario, shown in Figure 2-3, meets the following design requirements.

Primary Design Requirements

Store size averages between 6,000-18,000 square feet

The physical size of the store is smaller than a large store, so a distribution layer of network switches is not required

Number of devices connecting to the network averages 25-100 devices

Redundant LAN and WAN infrastructures

Wireless connectivity

Figure 2-3 Cisco PCI Solution for Retail—Medium Store Network Design

Overview and Description

The medium retail store reference architecture is designed for enterprise retail businesses that require network resilience and increased levels of application availability over the small store architecture and its single-threaded, simple approach. As more mission-critical applications and services converge onto the IP infrastructure, network uptime and application availability become more important. The dual-router and dual-LAN switch design of the medium store supports these requirements. Each of the ISR routers can run IOS security services and other store communication services simultaneously. Each of the ISR routers is connected to a dedicated WAN connection. Hot Standby Router Protocol (HSRP) is used to ensure that the store keeps a working default gateway if the active router fails; with interface tracking, HSRP also fails over when that router's WAN connection fails.
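The following fragment is an added example of the HSRP arrangement described above, not the guide's own configuration; interface names, addresses and the key string are placeholders. It shows both routers' configuration for one VLAN, with object tracking so that the loss of the active router's WAN link moves the gateway to the other router.

```cisco
! Added example: HSRP between the two medium-store ISRs for the POS VLAN.
! Placeholder addresses and key; each router tracks its own WAN interface.
!
! ---- Router A (preferred active) ----
track 1 interface Serial0/0/0 line-protocol
interface GigabitEthernet0/0.20
 description POS VLAN
 encapsulation dot1Q 20
 ip address 10.10.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string PLACEHOLDER-HSRP-KEY
 standby 20 track 1 decrement 20
!
! ---- Router B (standby) ----
track 1 interface Serial0/0/0 line-protocol
interface GigabitEthernet0/0.20
 description POS VLAN
 encapsulation dot1Q 20
 ip address 10.10.20.3 255.255.255.0
 standby version 2
 standby 20 ip 10.10.20.1
 standby 20 priority 100
 standby 20 preempt delay minimum 60
 standby 20 authentication md5 key-string PLACEHOLDER-HSRP-KEY
 standby 20 track 1 decrement 20
```

Without the `track` line HSRP reacts only to the active router itself disappearing: a dead WAN circuit on Router A would leave it active and the POS VLAN black-holed while Router B's circuit sat idle. With tracking, A's priority drops from 110 to 90 and B (100) preempts. The MD5 authentication is there so a rogue host plugged into the POS VLAN cannot announce a higher priority and become the gateway for cardholder traffic; the preempt delay avoids flapping while a recovering router's routing converges.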

The access layer of the network offers enhanced levels of flexibility and more access ports compared to the small store. Up to 12 wireless access points can be installed in the store (supported by the single wireless LAN controller as tested, without adding more controllers). The distributed Cisco Catalyst switches can support a combination of larger physical buildings or a larger number of endpoints than the small store.

Advantages

More adaptive access layer with support for a greater number of endpoints and more diverse building requirements (multiple floors, sub-areas, and so on)

Improved network resilience through parallel device design

Improved network and application availability through parallel paths

Limitations

No distribution layer between core layer (the ISR) and the access layer switches

A single wireless LAN controller decreases in-store resilience of the wireless network; the recommendation is to have the store APs fall back to a central controller in the data center if the local controller fails, or to install dual local controllers.

Large Store

The large store network scenario, shown in Figure 2-4, meets the following design requirements.

Primary Design Requirements

Store size averages between 15,000-150,000 square feet

More than 100 devices per store requiring network connectivity

Multiple routers for primary and backup network requirements

Preference for a combination of network services distributed within the store to meet resilience and application availability requirements

Tiered network architecture within the store; distribution layer switches are employed between the central network services core and the access layer connecting to the network endpoints (POS, wireless APs, servers)

Figure 2-4 Cisco PCI Solution for Retail—Large Store Network Design

Overview and Description

The large retail store reference architecture takes some of the elements of Cisco campus network architecture recommendations and adapts them to a large retail store environment. Network traffic can be better segmented (logically and physically) to meet business requirements. The distribution layer of the large store architecture can greatly improve LAN performance while offering enhanced physical media connections (that is, fiber and copper for connection to remote access layer switches and wireless access points). A larger number of endpoints can be added to the network to meet business requirements. This type of architecture is widely used by large format retailers globally. Dual routers and distribution layer media flexibility greatly improve network serviceability because the network is highly available and scales to support the large retail store requirements. Routine maintenance and upgrades can be scheduled and performed more frequently or during normal business hours because of parallel path design.

Advantages

Highest network resilience based on highly available design

Port density and fiber density for large retail locations

Increased segmentation of traffic

Scalable to accommodate shifting requirements in large retail stores

Limitations

Higher cost because of network resilience based on highly available design

These retail store network designs are capable of helping a retailer achieve PCI compliance, and also serve as the scalable platform for new services and applications that embody Cisco Connected Retail.

Data Center

Figure 2-5 shows the data center solution design.

Figure 2-5 Typical Retail Enterprise Data Center Design

Primary Design Requirements

A scalable, highly available repository of business application data and compute servers.

WAN aggregation layer that securely connects store networks via public or private networks.

IPSec encryption is required for store networks connected via public networks.

A high performance core network between WAN aggregation and the service aggregation layer.

Aggregated network services between the core and server access layer.

A server access layer that securely connects business and solution management servers to other data center resources.

A storage area network layer that securely connects storage resources to other resources in the data center.
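Below is an added example (not the solution's own configuration) of the IPsec requirement for store networks attached over a public carrier: a routed IPsec virtual tunnel interface (VTI) from a store ISR to the WAN aggregation headend. Public addresses, private prefixes and the pre-shared key are placeholders; the guide does not state which IKE authentication method the test bed used, so the pre-shared key here is an assumption chosen for brevity.

```cisco
! Added example: IPsec VTI from a store ISR to the WAN aggregation headend.
! Placeholder addresses and pre-shared key; certificates would be the
! stronger choice for a large store estate.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
! Dead peer detection so a failed headend is noticed in seconds
crypto isakmp keepalive 10 3
!
crypto ipsec transform-set PCI-AES256-SHA esp-aes 256 esp-sha-hmac
 mode tunnel
crypto ipsec profile PCI-STORE
 set transform-set PCI-AES256-SHA
!
! Routed tunnel: whatever the routing table sends into Tunnel0 is
! encrypted, so there is no "interesting traffic" ACL to get out of date
interface Tunnel0
 description IPsec to data center WAN aggregation
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile PCI-STORE
!
interface GigabitEthernet0/1
 description Public WAN (ISP)
 ip address 198.51.100.2 255.255.255.252
!
! Data center and management prefixes go only through the tunnel;
! the default route is what lets the tunnel endpoint itself be reached
ip route 10.200.0.0 255.255.0.0 Tunnel0
ip route 10.254.0.0 255.255.0.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 198.51.100.1
```

Routing the data center and management prefixes into Tunnel0 means nothing bound for those networks can leave the router in the clear, which is easier to audit than a crypto map whose traffic-selector ACL must be kept in step with every new prefix. The headend needs the mirror-image configuration with the store's public address as its tunnel destination, and a store with a backup circuit would add a second tunnel rather than a second crypto map.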

Overview and Description

For the purpose of this document, the data center is split into five areas: WAN aggregation, core, services aggregation, server access, and storage. The core, services aggregation, and server access tiers of the multi-tier data center architecture are based on the design documented in the Cisco Data Center Infrastructure Design Guide 2.5, which can be found at the following URL:

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_Infra2_5/DCI_SRND_2_5_book.html

The WAN aggregation architecture is based on the Infrastructure Protection and Security Service Integration Design for the Next Generation WAN Edge v 2.0, which can be found at the following URL:

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/IPSNGWAN.html

WAN Aggregation

The WAN aggregation layer is a transit network that aggregates the connections from the retail stores, and enterprise branch office LANs via a private or public service provider network. The WAN aggregation layer does not directly connect end users in the HQ, campus or regional branches; rather, it provides connectivity for the store LANs to connect to the data center core network and its resources.

The WAN edge devices are Cisco routers, which should not also be used as the Internet gateways for the data center network. This recommendation is based on segmentation and on typical throughput requirements for the store WAN. If VoIP is transported between the stores and the enterprise network, voice quality issues related to the ability to guarantee bandwidth for store connectivity are another concern. Additionally, redundancy, store backup networks, and overall network security concerns limit the scope of the WAN aggregation layer to the function of connecting the store networks to the data center.

At the WAN aggregation layer, interior to the WAN edge routers, a dedicated firewall appliance is used to secure incoming WAN traffic and to terminate store VPN connections. This design provides the highest scalability. Many Cisco routers also support the IOS security software option which includes a firewall feature. Cisco recommends the use of the Cisco IOS Security feature set in stores, branches and teleworker deployments, because of a much lower number of users and connection rates than at the store WAN aggregation headend location.

There are two typical WAN speed categories for a WAN aggregation network: up to OC-3 (155 Mbps), and OC-12 (622 Mbps) and above. The choice between these two network speeds determines the set of Cisco platforms to select from. In addition, this design creates two profiles for each WAN speed. These profiles are designed to provide guidance when designing a WAN edge network regardless of which enterprise WAN architecture is selected. The profiles for each WAN speed investigate integrated versus dedicated chassis for each functionality component described in the previous section. Some customers prefer a highly integrated solution where most, if not all, of the WAN edge functions described in this document reside on a single or very few network devices. Other customers prefer the granularity and scalability of these same functions separated across multiple network devices.

Figure 2-6 Data Center —WAN Aggregation Alternatives

Core

The core layer provides the high-speed packet switching backplane for all flows going in and out of the data center. The core layer provides connectivity to multiple aggregation modules and provides a resilient Layer 3 routed fabric with no single point of failure. The core layer runs an interior routing protocol, such as Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP), and load balances traffic between the campus core and aggregation layers using the Cisco Express Forwarding (CEF)-based hashing algorithms.

Services (Edge) Aggregation

The services aggregation layer modules provide important functions, such as service module integration, Layer 2 domain definitions, spanning tree processing, and default gateway redundancy. Server-to-server multi-tier traffic flows through the aggregation layer and can use services, such as firewall and server load balancing, to optimize and secure applications. The service modules provide services, such as content switching, firewall, SSL offload, intrusion detection, network analysis, and more. Figure 2-7 illustrates a characterized view of the service aggregation layer.

Figure 2-7 Conceptual Service Aggregation Layer

This is a conceptual example of a single Cisco Catalyst 6500 switch and service modules. Cisco's data center reference architectures recommend pairs of service aggregation switches to meet typical high-availability requirements of the server access or storage layers.

Server Access Layer

The server access layer is where the servers physically attach to the network. In typical data centers, the server components consist of 1RU servers, blade servers with integral switches, blade servers with pass-through cabling, clustered servers, and mainframes with OSA adapters. The access layer network infrastructure consists of modular switches, fixed configuration 1 or 2RU switches, and integral blade server switches. Switches provide both Layer 2 and Layer 3 topologies, fulfilling the various server broadcast domain or administrative requirements.

The solution management servers connect to the network in this layer. This way they are centralized, segmented from other business application servers, and protected by firewall services from the service aggregation layer above. Business servers, consisting of POS transaction log servers, database, and data warehouse servers would also exist at this layer but would be segmented via separate VLANs and firewall policy.

Storage

A combination of the file encryption provided by the RSA File Security Manager product, Fibre Channel zoning, and Logical Unit Number (LUN) masking/zoning as provided by the Cisco family of Multilayer Director Switches (MDS) was used in the storage implementation of this solution to deliver encryption and restricted access to cardholder data at rest in the data center. By deploying zoning within a Fibre Channel fabric, device access is limited to devices within the same zone. This allows the user to segregate devices based on access to a particular storage device (disk array). This is generally an absolute requirement in a data center environment in which multiple file servers in the server farm are connected to the same SAN fabric and access to cardholder data must be restricted to a subset of those servers. LUN masking takes zoning beyond the Fibre Channel switch port level by restricting access to specific logical units on a given disk array, so that only the specific devices belonging to the LUN zone can access those sections of the disk.
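As an added illustration (not the solution's configuration) of the zoning and LUN-level restriction described above, the MDS fragment below confines the cardholder-data fabric to its own VSAN, closes the default zone, and zones a single POS database server HBA to one LUN on the array. WWNs, the VSAN and LUN numbers, and the interface names are placeholders.

```cisco
! Added example: MDS zoning for cardholder data at rest.
! Placeholder WWNs, VSAN, LUN and interface names.
!
! Cardholder-data fabric lives in its own VSAN; only the ports of the
! database server and the array are members
vsan database
 vsan 10 name CHD-FABRIC
 vsan 10 interface fc1/1
 vsan 10 interface fc1/2
!
! Keep the default zone closed: an unzoned or newly cabled host sees no targets
no zone default-zone permit vsan 10
!
! Single-initiator zone: one server HBA, one array port, and only the
! LUN that holds cardholder data (LUN zoning on MDS)
zone name POS-DB-TO-ARRAY vsan 10
 member pwwn 21:00:00:e0:8b:aa:bb:01
 member pwwn 50:06:01:60:3b:20:cc:01 lun 0x02
!
zoneset name PCI-ZONESET vsan 10
 member POS-DB-TO-ARRAY
zoneset activate name PCI-ZONESET vsan 10
```

One HBA per zone means a compromised file server on the same fabric cannot even discover the database server's target, and denying the default zone means nothing has access until somebody deliberately grants it. Array-side LUN masking should still be configured on the disk array; the switch-side LUN zoning shown here is a second, independently administered control, not a replacement for it.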

Figure 2-8 Data Center Storage Area Networking

Advantages

Standardized equipment and software images, deployed in a modular, layered approach, simplify configuration management and increase systems availability.

Highly available data center design permits highly resilient access from stores to core data and storage services.

WAN aggregation alternatives allow flexible selection of service provider network offerings.

Service aggregation design allows for a modular approach to adding new access layers and managing shared network services (FW, IDS, application networking, wireless management, etc.).

Firewall, IDS and application networking services are available at all layers of the data center.

Scalable to accommodate shifting requirements in data center compute and storage requirements.

Centralized solution management supports all aspects of network, security and systems management and supports remote access from anywhere on the network.

Limitations

WAN access speeds are typically the limiting factor between the store network systems and the WAN aggregation layer.

It is typical for retailers to oversubscribe the WAN circuits between the stores and the WAN edge aggregation router. Oversubscription can cause inconsistent results and packet loss of payment card information whenever more traffic enters the WAN circuit than it can carry. QoS guidelines that classify payment card traffic as critical are recommended.

Backup network connections from store networks to the data center are recommended when payment card information is transported via the WAN. These options are not covered in this design guide as they are not a requirement to meet PCI guidelines.
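The fragment below is an added example of the QoS guidance in the limitations above, not configuration from the guide. It classifies POS-to-payment-server traffic by ACL on a store ISR, gives it a guaranteed share of an oversubscribed circuit, and shapes to the contracted rate so that the router, where the policy applies, decides what is queued or dropped instead of the carrier. Addresses, the 1.5 Mbps rate and the percentages are placeholders.

```cisco
! Added example: protecting payment traffic on an oversubscribed store WAN.
! Placeholder addresses, rate and percentages.
ip access-list extended POS-PAYMENT
 permit tcp 10.10.20.0 0.0.0.255 10.200.10.0 0.0.0.255 eq 443
!
class-map match-all POS-TRANSACTIONS
 match access-group name POS-PAYMENT
class-map match-all VOICE
 match ip dscp ef
class-map match-all MGMT
 match ip dscp cs2
!
! Voice gets the strict-priority (policed) queue; payment transactions get
! a guaranteed bandwidth share so bursts are queued rather than policed away
policy-map WAN-QUEUES
 class VOICE
  priority percent 20
 class POS-TRANSACTIONS
  bandwidth percent 25
  set ip dscp af31
 class MGMT
  bandwidth percent 5
 class class-default
  fair-queue
  random-detect dscp-based
!
! Shape to the contracted rate (1.5 Mbps here) so congestion shows up on
! this router, where the queuing policy runs, not invisibly in the carrier
policy-map WAN-SHAPE
 class class-default
  shape average 1536000
  service-policy WAN-QUEUES
!
interface Serial0/0/0
 description Store WAN
 service-policy output WAN-SHAPE
```

Payment transactions are small and less latency-sensitive than voice, so they are given a `bandwidth` guarantee rather than a place in the `priority` queue: the priority queue is policed under congestion and would drop a burst of transactions, whereas a bandwidth class queues them. Marking them AF31 on the way out lets the WAN aggregation headend give the return leg the same treatment without re-classifying by ACL.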

Internet Edge

The Internet edge solution architecture is shown in Figure 2-9.

Figure 2-9 Typical Internet Edge Architecture

Primary Design Requirements

An enterprise connection to the Internet.

Securing the Internet edge design using Cisco firewall and intrusion detection systems.

Protecting enterprise network against web attacks.

Dual-threaded design for network resiliency.

Collapsed Internet edge and extranet network for a highly centralized and integrated edge network.

Remote VPN access to enterprise users/telecommuters.

Overview and Description

The solution uses a collapsed Internet edge and extranet network to support Internet connectivity and business partner connectivity. This design takes into account best practices from the Data Center Networking: Internet Edge Design Architecture design guide (http://www.cisco.com/go/designzone) and customizes these recommendations for a retail business Internet edge and extranet network. The edge connects Internet services to the complete enterprise environment: from headquarters to Internet service providers (ISPs), and branch office connections that use Cisco secure VPN to connect to headquarters. The collapsed design provides highly centralized and integrated edge networks and transports the aggregated traffic through different service modules (Cisco ACE, Cisco FWSM, and Cisco IDSM2) within a pair of Cisco Catalyst 6500 switch chassis. The design provides protection and defense against XML threats using the Cisco ACE XML Gateway. The Internet edge provides the following security functions:

Secure configurations and management.

IP anti-spoofing.

Access Control Lists (ACLs) provide explicitly permitted and/or denied IP traffic that may traverse between inside, outside, and Demilitarized Zone (DMZ).

Stateful inspection—Provide the ability to establish and monitor session states of traffic permitted to flow across the Internet edge and deny that traffic which fails to match the expected state of an existing or allowed sessions.

Intrusion detection using Cisco IDSM2—Provides the ability to promiscuously monitor traffic across discrete points within the Internet edge and to alarm and/or take action upon detecting suspect behavior that may threaten the enterprise network.

Demilitarized Zone (DMZ)—Applications servers that need to be directly accessed from the Internet are placed in a quasi-trusted secure area between the Internet and the internal enterprise network. This allows internal hosts and Internet hosts to communicate with servers in the DMZ.
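As an added example of the functions listed above (not configuration from the guide), the ASA/FWSM fragment below implements anti-spoofing with unicast RPF, explicit outside and DMZ ACLs, a published DMZ web server, and stateful inspection. Interface names, addresses and the application-tier port 8443 are placeholders, and the NAT statement uses the pre-8.3 `static` syntax (later ASA releases use object NAT instead).

```cisco
! Added example: Internet edge firewall with anti-spoofing, DMZ and explicit ACLs.
! Placeholder addresses and ports; pre-8.3 NAT syntax.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! IP anti-spoofing: drop packets whose source address could not, by the
! routing table, have arrived on the interface they came in on
ip verify reverse-path interface outside
ip verify reverse-path interface dmz
ip verify reverse-path interface inside
!
! Outside -> DMZ: private source addresses can never be legitimate on the
! Internet side; only the published HTTPS service is reachable
access-list OUTSIDE_IN extended deny ip 10.0.0.0 255.0.0.0 any
access-list OUTSIDE_IN extended deny ip 172.16.0.0 255.240.0.0 any
access-list OUTSIDE_IN extended deny ip 192.168.0.0 255.255.0.0 any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.3 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! DMZ -> inside: the web front end may open connections only to the
! application tier on one port; the cardholder database is unreachable
access-list DMZ_IN extended permit tcp host 192.168.100.10 host 10.1.1.50 eq 8443
access-list DMZ_IN extended deny ip any 10.0.0.0 255.0.0.0 log
access-group DMZ_IN in interface dmz
!
! Publish the DMZ web server on a public address
static (dmz,outside) 203.0.113.3 192.168.100.10 netmask 255.255.255.255
!
! Stateful inspection: the default global policy already tracks every
! permitted session; adding HTTP inspection checks protocol conformance
policy-map global_policy
 class inspection_default
  inspect http
service-policy global_policy global
```

Because the firewall is stateful, no ACL entry permits return traffic: the DMZ server can answer an outside client's HTTPS session but cannot originate a new connection to the Internet, and out-of-state packets are dropped regardless of the ACLs. The explicit `deny ... log` entries produce a syslog for each rejected flow that CS-MARS can correlate with IDSM2 alarms from the same chassis.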

Advantages

Collapsed architecture

Highly available design

Firewall and intrusion detection capabilities in a single chassis

Limitations

Complexity in configuration.

Chapter 3, "Solution Components—Best Practices and PCI," provides the mapping between specific Cisco solution components and the required PCI elements to meet QSA audit requirements.