PCI scan

Posted on 2013-11-04
Last Modified: 2013-11-10
Hello,

I have a customer who is failing the PCI scan.  

The message from the scanner is below.  We are using a WatchGuard Firebox.  I do not understand what I need to do to make their IP range a trusted range so that they can complete their scan.

> Our scans will originate from the IP range: x.x.x.x/26.
>
> Please whitelist this range on any active defense mechanism, as applicable.
>
> Please reschedule a scan.
>
> The link below explains the need for whitelisting our IP range.
>
> Perform a Scan without Interference from IDS/IPS at the bottom of Page 14.
> https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf
>
> Thank you
> Controlscan
> https://smartscan.controlscan.com/email
> 1-800-825-3301
Question by:Bonnie_K
13 Comments
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39623493
Hi Bonnie_K,

I work with ControlScan a ton. I see possibly two issues here. First they want you to turn off IDS/IPS on the WAN during the scan. That should resolve the scan failing in their eyes. Basically they want to take away the intelligence of your firewall in order to see how it handles more sophisticated attacks or new targeted attacks.

The second might be a red herring but it's worth mentioning. I think there may be an issue with how the scan setup has been configured. Unless your client has 62 Public IP addresses, which is what x.x.x.x/26 means, then the scan is going to pick up other networks which may not be secure. For a further explanation, if your client is assigned 1.1.1.0 with 26 mask bits then that would provide your client with the following Public IPs: 1.1.1.1-1.1.1.62. Chances are they are most likely going to be issued a 5-pack meaning 1.1.1.1-1.1.1.5.

To remedy this just re-set or have ControlScan re-set the scan range to the correct Public IP Addresses issued to your client. If you do not know what they are or how many, simply contact their ISP and they will be able to provide that to you.

If it is failing for other reasons, it would only be because the firewall is not properly set up to block unsolicited traffic on inbound ports. To remedy that, simply close the open ports, or if they need to exist, either explicitly define the source or, in the event you can't do that because it is a web server and needs the source to be Any, move those resources into the DMZ so if they are exploited or compromised they will be contained to that Zone, therefore halting the ability to get at the credit card data.

Are you helping your client with PCI or are you the Approved Vendor?

Let me know if you have any other questions!
0
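The /26 arithmetic from the comment above, and the allow-list decision the firewall exception has to make, as an added example that is not part of the thread. It assumes the redacted scanner range x.x.x.x/26 is stood in for by the documentation prefix 203.0.113.0/26 and uses a constructed log format.

```python
"""Allow-list arithmetic for an ASV scanner range (added example, not from the thread).

The scanner range on the page is redacted as x.x.x.x/26; 203.0.113.0/26 (a
documentation prefix) is used here as a constructed stand-in.
"""
import ipaddress

# Constructed stand-in for the redacted ASV range in the ControlScan notice.
ASV_SCANNER_RANGE = ipaddress.ip_network("203.0.113.0/26")


def usable_hosts(cidr: str) -> tuple:
    """Return (first usable, last usable, count) for an IPv4 prefix.

    Network and broadcast addresses are excluded, which is why a /26 holds
    62 usable addresses rather than 64, and a 5-pack (/29) holds 6.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)


def is_asv_source(src_ip: str, scanner_range=ASV_SCANNER_RANGE) -> bool:
    """True when a connection source falls inside the whitelisted ASV range.

    This is the decision an IDS/IPS exception makes during the scan window:
    traffic from any of the 62 scanner addresses bypasses active blocking,
    everything else is inspected as usual.
    """
    return ipaddress.ip_address(src_ip) in scanner_range


def bypass_decisions(log_lines):
    """Classify constructed firewall log lines as 'bypass' or 'inspect'."""
    decisions = {}
    for line in log_lines:
        # Constructed log format: "<timestamp> src=<ip> dst=<ip> dport=<port>"
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        decisions[fields["src"]] = "bypass" if is_asv_source(fields["src"]) else "inspect"
    return decisions


# Constructed sample log lines: two scanner addresses and one unrelated host.
SAMPLE_LOG = [
    "2013-11-04T10:00:01 src=203.0.113.5 dst=198.51.100.10 dport=3389",
    "2013-11-04T10:00:02 src=203.0.113.62 dst=198.51.100.10 dport=25",
    "2013-11-04T10:00:03 src=198.51.100.200 dst=198.51.100.10 dport=3389",
]

if __name__ == "__main__":
    print(usable_hosts("1.1.1.0/26"))  # ('1.1.1.1', '1.1.1.62', 62)
    print(usable_hosts("1.1.1.0/29"))  # ('1.1.1.1', '1.1.1.6', 6)
    print(bypass_decisions(SAMPLE_LOG))
```

The 203.0.113.0/26 block spans .0 through .63, so .63 (broadcast) and .64 (next block) are outside the usable range and are not treated as scanner sources.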
 
LVL 31

Expert Comment

by:masnrock
ID: 39623565
What type of firewall is your client using? It's blocking traffic from ControlScan, which is normally a good thing, but you need to allow their traffic long enough to get through the PCI compliance stuff.
0
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39623614
@masnrock - they are using a WatchGuard Firebox.
0
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39623628
> Our scans will originate from the IP range: x.x.x.x/26.
I believe that means that Controlscan wants requests from those IP addresses which are Their IP addresses to bypass any active defense software.
0
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39623655
Good point Dave!  ...I don't know how I misread that!
0
 
LVL 31

Expert Comment

by:masnrock
ID: 39623714
We'll still need to know which model firewall. Watchguard was notorious for changing up their interfaces from model to model. But either way, all traffic from the range needs to be allowed as previously stated.
0
 

Author Comment

by:Bonnie_K
ID: 39624602
Hi,

Sorry to be so long in getting back. I am getting slammed today with requests.

It is a Firebox XTM Model X20e

I am essentially the IT person for the company with the Firebox.  They are trying to be in compliance to process credit cards.  Sorry, I have never had to deal with this before and do not understand all the acronyms.

The company trying to do the scan is saying that their scans will originate from 1 of the 62 IP addresses in the block they gave us.  We have only one public IP used for mail and RDP.

Yes - it seems the company wants access to our internal network to run scans?  Seems very invasive, but I guess if it is to protect credit card info, it is very important.

Thanks for your help - please let me know if you need any more information.  The article I looked over said I should not have to change my firewall, but that I should add this block of IPs to a trusted list on the Firebox.  I just don't know how to do that...

Thanks again,
Bonnie
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 39624944
No, their scans can come from Any of the 62 IP addresses which is why they want them All to bypass the active defenses.
0
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39625497
Technically all you have to do is temporarily disable IDS/IPS during the scanning period as mentioned in my previous comment (http:#a39623493).

Are you certain you have been assessed properly? Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain Data Security Standard (DSS) requirements by performing vulnerability scans of Internet facing environments of merchants and service providers. The Council has approved more than 130 ASVs. Are you one of them...meaning do you perform scans for or assist your clients with PCI compliance? If yes, then you are an ASV, and if no, then you have been misclassified and should only adhere to the regular PCI-DSS assessment (SAQ) to figure out which Merchant Level & Validation Type (https://www.controlscan.com/support_resources_qa.php#5 and https://www.controlscan.com/support_resources_qa.php#6, respectively) you are. Both (the Merchant Level & Validation Type) are pretty self-explanatory in the links, but if you have any questions please ask freely.

I'd call ControlScan to gain more insight to figure out why you are being treated as an ASV (and if that is correct).

Does that make sense?
0
 

Author Comment

by:Bonnie_K
ID: 39627120
Hi diverseit, it is starting to make sense.  We are definitely not an ASV.  I did find that we have an IPS subscription service on the WatchGuard.  I do not see where I can add an exception to it.  But I see how I can turn it off temporarily.  I will see if we can do that or I will contact WatchGuard.

Thanks,
Bonnie
0
 
LVL 26

Accepted Solution

by:
Blue Street Tech earned 2000 total points
ID: 39628215
Ok, then I would definitely contact ControlScan to have them properly assess this situation because otherwise it's all in vain! The costs and requirements are vastly different for an ASV versus a Merchant, and then within being a Merchant the Level and Validation Type matter greatly in your efforts to become compliant. E.g. if you pass this scan as an ASV it has no effect on your compliance as a Merchant, let alone the type of SAQ you fall under, etc.

I'm glad you are getting this sorted out. Let me know if I can help in any other way. Thanks!
0
 

Author Comment

by:Bonnie_K
ID: 39636971
Hello,

I turned off the IPS service on the firebox, ran the scan and it still failed. When scheduling a scan I could choose from slow, medium and fast.  The failed tests were run in medium mode.  I tried another scan in slow mode and it passed (Yay!)

Thanks for all of your help in understanding PCI compliance scanning.

-Bonnie
0
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39637637
My pleasure! I'm glad I could help...thanks for the points!
0
