Solved

Security Metrics PCI Compliance Scans

Posted on 2012-08-24
Medium Priority
2,138 Views
Last Modified: 2012-09-09
I have a customer that is failing their Security Metrics PCI Compliance Scans. They are stating that port 443 SSL is open and we need to close it for a successful scan. They use SSL for VPN communications. If we close port 443, users will not be able to connect via VPN. They are using a Checkpoint Safe@Office appliance.

I am assuming there is a way to fix this without compromising the VPN functionality.  Any ideas?
Question by:ptsolutionsinc
7 Comments
 
LVL 7

Expert Comment

by:southpau1
ID: 38329086
Can you give more information on the scan they are "failing"? What scanning software is being used to find this, and what exactly does the finding say? Also, does it map the finding to a specific PCI rule?

There isn't a PCI rule that says 443 can't be used. In fact, what it does say, very specifically, is that encryption outside of your network SHOULD use SSL (commonly run on port 443) or IPsec, or similar. Check out page 35 of this doc:

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
0
 
LVL 1

Author Comment

by:ptsolutionsinc
ID: 38329195
Southpau1, Below are more details.

Scanned by: SecurityMetrics
Scan Title: ASV Scan Report Vulnerability
PCI Compliance: Fail
The computer fails because a failing vulnerability was found.

TCP 443 Open: Your computer appears to be running HTTP Secure Socket Layer (SSL) software. This software improves the security of HTTP communication with this server.

UDP 500: Your computer is responding to scans on this port. This helps a hacker to gather information about possible services running on this machine and what kind of machine you have. If you do not require this service turn it off.

They are sending me the resolution below, but port 443 is on a firewall appliance, not a Windows machine, so I can't install any type of patch.

Resolution: For OpenSSL, [http://www.openssl.org/source/] upgrade to 0.9.8l or higher. For Microsoft IIS web servers, install the appropriate patch available through [http://technet.microsoft.com/en-us/security/bulletin/MS10-049] Microsoft Security Bulletin 10-049. For other types of products, consult the product documentation.
0
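As an added example (not part of this thread), a small Python triage script that parses findings written in the layout of the SecurityMetrics report quoted above and flags the firewall's VPN ports as candidates for an ASV exception request rather than patching. The report layout and the port-to-service mapping are assumptions taken from this post.

```python
import re

# Constructed sample input, mirroring the two findings from the quoted report.
SCAN_TEXT = """TCP 443 Open Your computer appears to be running HTTP
Secure Socket Layer (SSL) software. This
software improves the security of HTTP
communication with this server.

UDP 500 Your computer is responding to scans on this
port. This helps a hacker to gather information
about possible services running on this
machine and what kind of machine you have. If
you do not require this service turn it off.
"""

# Ports the firewall must expose for the VPN described in the question
# (assumption: SSL VPN on TCP 443, IPsec IKE on UDP 500).
VPN_SERVICES = {("TCP", 443): "SSL VPN", ("UDP", 500): "IPsec IKE (ISAKMP)"}

# A finding starts with "<proto> <port> [Open] <description>".
FINDING_RE = re.compile(r"^(TCP|UDP)\s+(\d{1,5})\b(?:\s+Open)?\s+(.*)$", re.IGNORECASE)


def parse_findings(text):
    """Split the report into blank-line-separated findings and extract proto/port/text."""
    findings = []
    for block in re.split(r"\n\s*\n", text.strip()):
        line = " ".join(block.split())  # rejoin the wrapped lines of one finding
        m = FINDING_RE.match(line)
        if m:
            findings.append({"proto": m.group(1).upper(), "port": int(m.group(2)), "text": m.group(3)})
    return findings


def triage(findings, host_role="firewall"):
    """Label each finding: VPN ports on the firewall are exception candidates; anything else needs remediation."""
    out = []
    for f in findings:
        svc = VPN_SERVICES.get((f["proto"], f["port"]))
        if svc and host_role == "firewall":
            action = f"request ASV exception: {svc} is required for the VPN (PCI DSS permits SSL/IPsec)"
        else:
            action = "remediate or restrict exposure"
        out.append({**f, "action": action})
    return out


if __name__ == "__main__":
    for item in triage(parse_findings(SCAN_TEXT)):
        print(f"{item['proto']}/{item['port']}: {item['action']}")
```

Running it over the constructed sample marks both findings as exception candidates; the same findings against a host_role of "windows" are marked for remediation, which is the distinction southpau1 draws below.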
 
LVL 7

Expert Comment

by:southpau1
ID: 38329240
I've found this sort of thing is common for PCI ASVs. They often do no real analysis on the vulnerabilities discovered. They just include everything in the report and fail you.

If these were findings on your firewall, then submit for an exception as this is a false finding. TCP 443 is your VPN tunnel on your firewall, and UDP 500 is used for IPsec key exchange, also a part of your VPN tunnel establishment.

If these were findings on windows boxes it might be a concern, but this is on your firewall.  This is not a finding.  Talk to the ASV and reference the PDF I posted.  You are practicing proper security with the use of this VPN.
0
 
LVL 1

Author Comment

by:ptsolutionsinc
ID: 38329382
I did open a case with Security Metrics and spoke to someone, and we agreed that it was a false positive. He escalated the case, and that is when they came back asking to follow the resolution. I will contact them again with the PDF doc you sent over.

Resolution: For OpenSSL, [http://www.openssl.org/source/] upgrade to 0.9.8l or higher. For Microsoft IIS web servers, install the appropriate patch available through [http://technet.microsoft.com/en-us/security/bulletin/MS10-049] Microsoft Security Bulletin 10-049. For other types of products, consult the product documentation.
0
 
LVL 7

Expert Comment

by:southpau1
ID: 38329603
Yeah, let me know what they say when you show them that reference.
0
 
LVL 1

Accepted Solution

by: ptsolutionsinc (earned 0 total points)
ID: 38365488
Southpau1, I submitted the information to SecurityMetrics and they really didn't care. They said the only fix in my situation was to block 443. The only solution I came up with was to block 443 from the WAN port and only open it for the static IP of the headquarters so they would not lose VPN connectivity.
0