crp Posted October 9, 2015 (edited)

Company recently failed a PCI test, due to our firewalls being secure. Seriously.

During the course of the scan, TK detected a change in its ability to communicate with some services on the remote host. In some cases, this may be caused by network security devices actively blocking the vulnerability scan, which it may perceive as a threat. In other cases, an intermediate network device, or the host itself, may be unable to cope with the vulnerability scan. It's often very difficult to tell the difference between these two scenarios, but in either case, this behavior significantly impacts the ability of this vulnerability scanning service to detect vulnerabilities on the remote host, resulting in an inconclusive vulnerability assessment.

The PCI ASV Program Guide 1.0 requires that PCI ASV scan customers have a scan performed on all in-scope hosts without interference from IDS/IPS; if such interference is detected, then the ASV is required to fail the scan. Examples of products and devices that provide active measures that may interfere with the scan are firewalls and intrusion detection systems (IDS) with active countermeasures, intrusion prevention systems (IPS), web application firewalls (WAF), and distributed denial-of-service (DDoS) mitigation products.

CVSSv2: AV:N/AC:L/Au:N/C:N/I:N/A:N
Reference: https://www.pcisecur..._Program_Guide_v2.pdf
Evidence: Note: Excessive number of open TCP ports (53467) during port scan.

Remediation: In order to achieve a conclusive vulnerability assessment of the remote host, the products and devices responsible for interfering with this scan may need to be temporarily configured to permit scanning without interference. This normally takes the form of adding the IP addresses of this scanning service to the "whitelist" of the product or device.

Please ensure the following network blocks have full, unobstructed access in order to more accurately perform a vulnerability scan:

Edited October 9, 2015 by crp
mac Posted October 9, 2015

Wait! They want your company to turn off protective software/hardware in order to perform a vulnerability test??? :'(
crp (Author) Posted October 9, 2015

> Wait! They want your company to turn off protective software/hardware in order to perform a vulnerability test??? :'(

Yep, hence my question.
crp (Author) Posted October 9, 2015

Perhaps. By turning off the IDS/IPS, the white-hats will discover underlying flaws, such as open ports, lack of encryption on sensitive files (at rest or in motion), lack of firewalls between sensitive materials belonging to different departments, lack of VLANs separating departments, etc. So, yeah, that's what they're wanting to do. Your IDS/IPS system prevents the packets from the scan from going anywhere.

So come to the office and do testing, or arrange for a remote desktop. At least limit the IP source to one address, not a whole range (and Class C at that). If there is a flaw, how is opening it up to intruders a safe thing to do?

Really makes me wonder if this is why companies that have PCI are constantly getting dinged. I could also imagine, say, Target opening up the doors to the PCI charlatans and someone forgetting or missing an open door.
goretsky Posted October 12, 2015

Hello,

Seems to me that you need to request a list of the objects to whitelist, whitelist them, re-do that portion of the audit, then remove the whitelist.

Regards,

Aryeh Goretsky
Guest LilBambi Posted October 12, 2015

Totally agree with Aryeh. I would not turn off your protection. Just get the list they want so that you can make a temp filter list that will allow what they need to be exposed, to see what is vulnerable beyond the firewall. Then you can restore your filter list after they are done. The thing that makes it interesting is: will they notate that your firewall is a fantastic first line of defense in their final assessment, along with their notations of what is needed to be fixed behind the firewall(s)?

It really sounds like they need access to the internal network. Why do they not come to you rather than make you change your excellent firewall defense, thereby making you vulnerable while they do their testing?
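The scanner's remediation note, Aryeh's four-step sequence and LilBambi's "temp filter list" all describe the same procedure: open the in-scope host to the scanner's addresses only, for the scan window only, then take the exception out again. The script below is an added example written for this page, not code from any poster or from the ASV; it prints iptables commands instead of running them so the exception can be reviewed before it is applied, tags every rule with a comment so the teardown removes exactly what was added, and follows crp's point by flagging any entry wider than a single host rather than opening it silently. All addresses are constructed placeholders from the RFC 5737 documentation ranges; the real list is the "network blocks" the ASV sends, which this thread does not show.

```shell
#!/bin/sh
# Added example, not from the thread: generate a temporary, tightly scoped
# firewall allowlist for an ASV scanner and the matching teardown.
# Scanner and target addresses are CONSTRUCTED placeholders (RFC 5737 ranges);
# the real ones come from the "network blocks" list the ASV provides.
# Commands are printed rather than executed, so they can be reviewed first
# and applied with:  sh allowlist.sh | sudo sh

TAG="asv-scan-temp"   # comment attached to every rule so teardown can find them

# Returns 0 only for a single-host entry (addr/32). crp asked for one source
# address rather than a whole block, so anything broader is reported for
# confirmation with the ASV instead of being opened automatically.
narrow_enough() {
    case "$1" in
        */32) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print one iptables command per scanner source. $1 is the rule action
# ("-I INPUT 1" to open, "-D INPUT" to close), $2 the in-scope host, and the
# remaining arguments the scanner sources as addr/prefix.
emit_rules() {
    action="$1"; target="$2"; shift 2
    for src in "$@"; do
        if narrow_enough "$src"; then
            printf 'iptables %s -s %s -d %s -m comment --comment "%s" -j ACCEPT\n' \
                "$action" "$src" "$target" "$TAG"
        else
            printf '# skipped %s: wider than one host, confirm with the ASV\n' "$src"
        fi
    done
}

# Open the scan window: insert at position 1 so the ACCEPT is evaluated
# before the IPS/drop rules that would otherwise interfere with the scan.
scanner_allow_rules()  { emit_rules "-I INPUT 1" "$@"; }

# Close the scan window: delete the identical rule specs, so the allowlist
# never outlives the scan (the step Aryeh lists as "then remove the whitelist").
scanner_remove_rules() { emit_rules "-D INPUT" "$@"; }

# Demonstration with placeholder values (TEST-NET-1/2/3, not real hosts).
TARGET="198.51.100.5"
SOURCES="192.0.2.10/32 192.0.2.11/32 203.0.113.0/24"
echo "# --- open scan window ---"
scanner_allow_rules "$TARGET" $SOURCES
echo "# --- close scan window ---"
scanner_remove_rules "$TARGET" $SOURCES
```

Because the open and close phases are generated from the same list, the teardown is guaranteed to match what was inserted; keeping both outputs with the scan ticket also gives the auditor a record of exactly what was exposed and for how long.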