Discussion: streaming rep setup in PCI compliance environment


streaming rep setup in PCI compliance environment

From
dinesh bhandary
Date:
Hello Everyone:

I am trying to set up streaming rep between a master (which is in the PCI tier 1 zone) and a slave (PCI tier 2 zone). However, I am told that PCI tier 1 can only initiate connections to a lower security zone, in our case the slave environment (PCI tier 2). However, for streaming rep to work, the slave needs to connect to the master. Does this violate a PCI requirement? Does anyone have experience setting up master-slave in a PCI compliance environment?

Please let me know.

Thanks
Dinesh

Re: streaming rep setup in PCI compliance environment

From
John Scalia
Date:
I spoke with my PCI compliance officer here, and provided you've documented what you're doing here and why, you should be compliant. We had a fairly long discussion about this and I had to explain to him that I was referring to the slave as being a hot standby, ready to take over in the event of an issue with the primary. If you're doing this for some other reason, so long as it's explained, you could still be OK.
--
Jay

On Fri, Oct 9, 2015 at 11:48 AM, dinesh bhandary <dbhandary@gmail.com> wrote:
Hello Everyone:

I am trying to set up streaming rep between a master (which is in the PCI tier 1 zone) and a slave (PCI tier 2 zone). However, I am told that PCI tier 1 can only initiate connections to a lower security zone, in our case the slave environment (PCI tier 2). However, for streaming rep to work, the slave needs to connect to the master. Does this violate a PCI requirement? Does anyone have experience setting up master-slave in a PCI compliance environment?

Please let me know.

Thanks
Dinesh

Re: streaming rep setup in PCI compliance environment

From
dinesh bhandary
Date:
Thank you, John.

I am also trying to find out from our PCI representative. In our case the slave will be used for reporting purposes, not for failover.
I guess the biggest dilemma from a PCI perspective is tier 2 initiating a connection to tier 1, but it is just a db user with the replication role, which is a pretty controlled role.

Dinesh

On Fri, Oct 9, 2015 at 10:50 AM, John Scalia <jayknowsunix@gmail.com> wrote:
I spoke with my PCI compliance officer here, and provided you've documented what you're doing here and why, you should be compliant. We had a fairly long discussion about this and I had to explain to him that I was referring to the slave as being a hot standby, ready to take over in the event of an issue with the primary. If you're doing this for some other reason, so long as it's explained, you could still be OK.
--
Jay

On Fri, Oct 9, 2015 at 11:48 AM, dinesh bhandary <dbhandary@gmail.com> wrote:
Hello Everyone:

I am trying to set up streaming rep between a master (which is in the PCI tier 1 zone) and a slave (PCI tier 2 zone). However, I am told that PCI tier 1 can only initiate connections to a lower security zone, in our case the slave environment (PCI tier 2). However, for streaming rep to work, the slave needs to connect to the master. Does this violate a PCI requirement? Does anyone have experience setting up master-slave in a PCI compliance environment?

Please let me know.

Thanks
Dinesh


Re: streaming rep setup in PCI compliance environment

From
Scott Ribe
Date:
On Oct 9, 2015, at 10:48 AM, dinesh bhandary <dbhandary@gmail.com> wrote:
>
> I am trying to set up streaming rep between a master (which is in the PCI tier 1 zone) and a slave (PCI tier 2 zone). However, I am told that PCI tier 1 can only initiate connections to a lower security zone, in our case the slave environment (PCI tier 2). However, for streaming rep to work, the slave needs to connect to the master. Does this violate a PCI requirement? Does anyone have experience setting up master-slave in a PCI compliance environment?


I have a similar situation in which I do not want anything in my replica's zone to be able to initiate connections into the data center where the primary is. I have the master set up an SSH reverse tunnel to the slave, and then the slave connects to that tunnel end locally.

--
Scott Ribe
scott_ribe@elevated-dev.com
http://www.elevated-dev.com/
https://www.linkedin.com/in/scottribe/
(303) 722-0567 voice
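The reverse-tunnel arrangement Scott describes, written out as an added example (this is not code from the thread and not Scott's own setup): the primary in tier 1 opens the SSH session outward to the standby, so the only cross-zone connection is initiated from the higher zone, and the standby's `primary_conninfo` points only at its own loopback. Hostnames, ports, the key path and the user names are assumptions; the `recovery.conf` setting is for the PostgreSQL 9.x series current when the thread was written (from PostgreSQL 12 on, `primary_conninfo` lives in `postgresql.conf`). The `authorized_keys` restrictions need OpenSSH 7.2 (`restrict`) and 7.8 (`permitlisten`) or newer.

```shell
#!/bin/sh
# Reverse SSH tunnel for streaming replication when only the primary (tier 1)
# may initiate connections. Every name, port and path below is an assumption.

PRIMARY_PG_PORT=5432                 # postgres listening on the primary
TUNNEL_PORT=5433                     # loopback port the tunnel opens on the standby
STANDBY_HOST=standby.tier2.example   # assumed hostname of the tier 2 replica
TUNNEL_USER=pgtunnel                 # unprivileged, shell-less SSH account on the standby
TUNNEL_KEY=/etc/postgresql/tunnel_ed25519   # assumed key path on the primary

# Run on the PRIMARY, under a supervisor that restarts it (systemd, runit, ...).
# -R binds 127.0.0.1:5433 on the standby and forwards it back to
# 127.0.0.1:5432 on the primary. The primary is the SSH client, so the
# direction is tier 1 -> tier 2. ExitOnForwardFailure makes a failed bind
# fatal instead of leaving a session with no listener behind it.
start_reverse_tunnel() {
    exec ssh -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -i "$TUNNEL_KEY" \
        -R "127.0.0.1:${TUNNEL_PORT}:127.0.0.1:${PRIMARY_PG_PORT}" \
        "${TUNNEL_USER}@${STANDBY_HOST}"
}

# authorized_keys line for $TUNNEL_USER on the STANDBY: no shell, no agent or
# X11 forwarding, no pty, and the key may only bind this one loopback port.
# Argument: the public key, e.g. "ssh-ed25519 AAAA... comment".
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" %s\n' \
        "$TUNNEL_PORT" "$1"
}

# Guard for the standby's configuration: primary_conninfo must name loopback,
# so no direct route to the tier 1 host is ever configured on the replica.
# Returns 0 for a loopback host, 1 otherwise (including a missing host=).
conninfo_is_loopback() {
    host=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^host=//p')
    case "$host" in
        127.0.0.1|localhost|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Matching configuration (comments only; adjust names to your site):
#
# recovery.conf on the standby (9.x):
#   standby_mode = 'on'
#   primary_conninfo = 'host=127.0.0.1 port=5433 user=replicator sslmode=disable'
#
# pg_hba.conf on the primary: tunnel traffic arrives from the primary's own
# loopback, so the replication role is only ever allowed from 127.0.0.1.
#   host  replication  replicator  127.0.0.1/32  md5
#
# Usage on the primary:   start_reverse_tunnel
# Usage on the standby:   authorized_keys_line "$(cat tunnel_ed25519.pub)" >> ~pgtunnel/.ssh/authorized_keys
```

Two points a reviewer will ask about. The tunnel only changes which side opens the network connection; the forwarded port is reachable by any local process on the standby, so the `pg_hba.conf` entry and the password on the replication role still do the access control. Because `sshd` defaults to `GatewayPorts no`, the `-R` listener is bound to the standby's loopback and cannot be reached from elsewhere in tier 2; `permitlisten` pins that down even if a later admin changes the client command.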

Re: streaming rep setup in PCI compliance environment

From
"Joshua D. Drake"
Date:
On 10/09/2015 05:49 PM, Scott Ribe wrote:
> On Oct 9, 2015, at 10:48 AM, dinesh bhandary <dbhandary@gmail.com> wrote:
>>
>> I am trying to set up streaming rep between a master (which is in the PCI tier 1 zone) and a slave (PCI tier 2 zone). However, I am told that PCI tier 1 can only initiate connections to a lower security zone, in our case the slave environment (PCI tier 2). However, for streaming rep to work, the slave needs to connect to the master. Does this violate a PCI requirement? Does anyone have experience setting up master-slave in a PCI compliance environment?
>
>
> I have a similar situation in which I do not want anything in my replica's zone to be able to initiate connections into the data center where the primary is. I have the master set up an SSH reverse tunnel to the slave, and then the slave connects to that tunnel end locally.
>

You could also just use archiving, hot_standby still works when you do that.

JD


--
Command Prompt, Inc. - http://www.commandprompt.com/  503-667-4564
PostgreSQL Centered full stack support, consulting and development.
New rule for social situations: "If you think to yourself not even
JD would say this..." Stop and shut your mouth. It's going to be bad.
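JD's alternative, as an added example that is not from the thread and not Command Prompt's code: with WAL archiving the primary itself runs `archive_command`, so the only cross-zone traffic is the primary pushing completed segments into tier 2; the standby replays them through `restore_command` and, with `hot_standby = on`, still answers read-only reporting queries. The two helper functions are written here for illustration; the archive directory, the script paths and the `rsync` push are assumptions, and the configuration keys are the 9.x names (from 9.6 `wal_level = replica` is the preferred spelling, and from 12 the standby settings move into `postgresql.conf`).

```shell
#!/bin/sh
# archive_command / restore_command helpers for a push-only WAL feed.
# Paths and hostnames are assumptions.

# On the PRIMARY, wired up as:  archive_command = 'archive_wal.sh %p %f /var/lib/pgsql/wal_archive'
# Arguments: <path of the segment in pg_xlog> <segment file name> <archive dir>
# A non-zero exit makes PostgreSQL keep the segment and retry later, which is
# the safe outcome for every failure mode below.
archive_wal() {
    src=$1; name=$2; dir=$3
    dest="$dir/$name"
    # Never overwrite: a duplicate name means the archive and the server
    # disagree about history, and silently replacing data would hide that.
    if [ -e "$dest" ]; then
        echo "archive_wal: $dest already exists, refusing to overwrite" >&2
        return 1
    fi
    # Write under a temporary name, then rename, so a reader (or the rsync
    # push) never picks up a half-written segment.
    tmp="$dir/.$name.tmp.$$"
    cp "$src" "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    return 0
}

# On the STANDBY, wired up as:  restore_command = 'restore_wal.sh %f %p /var/lib/pgsql/wal_archive'
# Arguments: <segment file name> <path PostgreSQL wants it at> <archive dir>
# Non-zero means "not available yet"; a standby simply waits and asks again.
restore_wal() {
    name=$1; dest=$2; dir=$3
    src="$dir/$name"
    [ -f "$src" ] || return 1
    cp "$src" "$dest"
}

# Remaining configuration (comments only):
#
# postgresql.conf on the primary:
#   wal_level = hot_standby
#   archive_mode = on
#   archive_command = 'archive_wal.sh %p %f /var/lib/pgsql/wal_archive'
# plus a primary-initiated transfer of the archive directory into tier 2,
# e.g. a cron job on the primary running
#   rsync -a /var/lib/pgsql/wal_archive/ standby.tier2.example:/var/lib/pgsql/wal_archive/
# (the primary is the client, so the direction is tier 1 -> tier 2).
#
# recovery.conf on the standby (9.x):
#   standby_mode = 'on'
#   restore_command = 'restore_wal.sh %f %p /var/lib/pgsql/wal_archive'
# postgresql.conf on the standby:
#   hot_standby = on
```

The trade-off against streaming is latency: the standby only sees a segment once it is complete and copied, so reporting queries lag by up to a full segment plus the push interval (`archive_timeout` on the primary bounds the first part). The refusal to overwrite in `archive_wal` is deliberate; the same guard is what the PostgreSQL manual's example `test ! -f ... && cp ...` command provides, here with an atomic rename added.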