Forum Discussion

HarryC
Jan 17, 2025

PCI and Partitions

Can I satisfy a PCI audit with PCI and NonPCI servers on the same LTM-VE by using partitions? Any doc from F5 supporting this? [already segregated - each partition with its own network interface]

We brought a system back in-house from an outside hosting company, they had implemented partitions to allow running the PCI and NonPCI environments on the same F5. 

  • Not sure if there is any specific documentation about PCI compliance from F5, but I can imagine using solely partitions to implement segregation between PCI and non-PCI servers isn't sufficient. You mention that each partition has its own network interface, so maybe you are referring to route domains instead of partitions. It's good to know that partitions and route domains are different things, but used together they help to create secure, logically isolated environments.

    Please note that partitions on the F5 are used for administrative segregation and that route domains are used for network segregation. So, with partitions one can use RBAC to limit administrative rights to specific parts of the configuration. And route domains are like what Cisco calls VRFs. For example, you could create route domains for LAN and DMZ on the same F5 BIG-IP. When both route domains are configured as strictly isolated route domains, no traffic can be routed between the LAN and DMZ directly on the F5 BIG-IP. In this case you'll need an external router/firewall to route traffic between the two zones.

    So, if using partitions in combination with route domains for the PCI and non-PCI servers, I would expect this to satisfy the PCI audit. Since cloud infrastructures are more common, the demand for physical segregation doesn't seem to be a hot topic anymore.
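    What the partition-plus-route-domain setup described in the reply above looks like in tmsh, as an added example that is not part of this thread or of any F5 documentation. Partition names, route-domain IDs, VLAN tags, interface numbers, addresses and the scoped operator account are all constructed placeholders.

```tmsh
# Added example (not from the thread): administrative separation with partitions
# plus network separation with strictly isolated route domains. All names, IDs,
# tags, interfaces and addresses are constructed placeholders.

# 1. Partitions: the administrative boundary (RBAC scope).
create auth partition PCI
create auth partition NONPCI

# 2. One VLAN per zone, each on its own interface.
create net vlan /PCI/vlan_pci       tag 110 interfaces add { 1.1 { untagged } }
create net vlan /NONPCI/vlan_nonpci tag 120 interfaces add { 1.2 { untagged } }

# 3. Route domains: the network boundary. "strict enabled" (also the default)
#    prevents the BIG-IP from forwarding between route domains itself, so any
#    PCI <-> non-PCI traffic has to leave the box and cross an external
#    router/firewall, which is where the audited control point lives.
create net route-domain /PCI/rd_pci       id 10 strict enabled vlans add { /PCI/vlan_pci }
create net route-domain /NONPCI/rd_nonpci id 20 strict enabled vlans add { /NONPCI/vlan_nonpci }

# 4. Tie each partition to its route domain so objects created in the
#    partition default into the right network without a %<id> on every address.
modify auth partition PCI    default-route-domain 10
modify auth partition NONPCI default-route-domain 20

# 5. Self IPs; the %<id> suffix binds the address to its route domain.
create net self /PCI/self_pci       address 10.10.0.1%10/24 vlan /PCI/vlan_pci       allow-service none
create net self /NONPCI/self_nonpci address 10.20.0.1%20/24 vlan /NONPCI/vlan_nonpci allow-service none

# 6. RBAC: an operator scoped to the PCI partition cannot see or change NONPCI.
#    (Replace the placeholder password before use.)
create auth user pci_ops password "CHANGE-ME-placeholder" partition-access add { PCI { role operator } }

# Evidence for the audit: confirm strict isolation is actually set on both.
list net route-domain /PCI/rd_pci strict
list net route-domain /NONPCI/rd_nonpci strict
```

    The two `list` commands at the end are the quick check to capture as evidence; a route domain showing `strict disabled` would allow inter-zone forwarding on the BIG-IP and undo the segregation argument.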

  • f51

    As per my understanding, Yes, we can satisfy a PCI audit by running PCI and non-PCI servers on the same LTM-VE using partitions, provided that each partition is properly isolated and adheres to PCI DSS requirements. Ensuring strict separation of environments through dedicated network interfaces, VLANs, and IP subnets is crucial. Additionally, implementing robust access controls, logging, monitoring, and maintaining separate security policies for each partition are essential steps.