Solved

PCI scan

Posted on 2013-11-04
13
1,808 Views
Last Modified: 2013-11-10
Hello,

I have a customer who is failing the PCI scan.  

The message from the scanner is below.  We are using a watchguard firebox.  I do not understand what I need to do to make their IP range a trusted range so that they can complete their scan.

> Our scans will originate from the IP range: x.x.x.x/26.
>
> Please whitelist this range on any active defense mechanism, as applicable.
>
> Please reschedule a scan.
>
> The link below explains the need for whitelisting our IP range.
>
> Perform a Scan without Interference from IDS/IPS at the bottom of Page 14.
> https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf
>
> Thank you
> Controlscan
> https://smartscan.controlscan.com/email
> 1-800-825-3301
0
Question by:Bonnie_K
13 Comments
 
LVL 24

Expert Comment

by:diverseit
Hi Bonnie_K,

I work with ControlScan a ton. I see possibly two issues here. First they want you to turn off IDS/IPS on the WAN during the scan. That should resolve the scan failing in their eyes. Basically they want to take away the intelligence of your firewall in order to see how it handles more sophisticated attacks or new targeted attacks.

The second might be a red herring but it's worth mentioning. I think there may be an issue with how the scan setup has been configured. Unless your client has 62 Public IP addresses, which is what x.x.x.x/26 means, then the scan is going to pick up other networks which may not be secure. For a further explanation, if your client is assigned 1.1.1.0 with a 26 Mask Bits then that would provide your client with the following Public IPs: 1.1.1.1-1.1.1.62. Chances are they are most likely going to be issued a 5-pack meaning 1.1.1.1-1.1.1.5.

To remedy this just re-set or have ControlScan re-set the scan range to the correct Public IP Addresses issued to your client. If you do not know what they are or how many, simply contact their ISP and they will be able to provide that to you.

If it is failing for other reasons, it would only be because the firewall is not properly set up to block unsolicited traffic on inbound ports. To remedy that simply close the open ports, or if they need to exist either explicitly define the source, or in the event you can't do that because it is a web server and needs the source to be Any, then move those resources into the DMZ so if they are exploited or compromised they will be contained to that Zone, therefore halting the ability to get at the credit card data.

Are you helping your client with PCI or are you the Approved Vendor?

Let me know if you have any other questions!
0
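An added example (not code from the thread or from ControlScan) that works out the usable host range of a /26 like the one discussed in the comment above, and shows the two checks a firewall exception should make: is a source address inside the documented scanner range, and does the scan's target range exceed the client's assigned addresses. 1.1.1.0/26 is the block from the comment; the scanner range 203.0.113.0/26 and the five assigned addresses are constructed values.

```python
from __future__ import annotations
import ipaddress

def usable_host_range(cidr: str) -> tuple[str, str, int]:
    """Return (first_usable, last_usable, count) for an IPv4 block.

    The network and broadcast addresses are excluded, which is why a /26
    (64 addresses in total) yields 62 usable hosts, e.g. 1.1.1.1-1.1.1.62.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())
    return str(hosts[0]), str(hosts[-1]), len(hosts)

def is_from_scanner(src_ip: str, scanner_ranges: list[str]) -> bool:
    """True if src_ip lies inside one of the allow-listed scanner ranges.

    This is the test an IDS/IPS exception performs: only the ASV's
    documented block is exempted from active defenses, nothing wider.
    """
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in scanner_ranges)

def out_of_scope_targets(scan_range: str, assigned_ips: list[str]) -> list[str]:
    """Addresses in the configured scan range that are NOT assigned to the client.

    A non-empty result means the scan would touch someone else's hosts and the
    range should be corrected with the ASV before rescheduling.
    """
    assigned = {ipaddress.ip_address(ip) for ip in assigned_ips}
    net = ipaddress.ip_network(scan_range, strict=False)
    return [str(h) for h in net.hosts() if h not in assigned]

if __name__ == "__main__":
    # Constructed scanner range and a constructed "5-pack" assignment.
    scanner = ["203.0.113.0/26"]
    five_pack = ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5"]
    print(usable_host_range("1.1.1.0/26"))
    print(is_from_scanner("203.0.113.40", scanner), is_from_scanner("203.0.113.70", scanner))
    print(len(out_of_scope_targets("1.1.1.0/26", five_pack)), "addresses out of scope")
```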
 
LVL 20

Expert Comment

by:masnrock
What type of firewall is your client using? It's blocking traffic from the Controlscan, which is normally a good thing, but you need to allow their traffic long enough to get through the PCI compliance stuff.
0
 
LVL 24

Expert Comment

by:diverseit
@masnrock - they are using a watchguard firebox.
0
 
LVL 82

Expert Comment

by:Dave Baldwin
> Our scans will originate from the IP range: x.x.x.x/26.
I believe that means that Controlscan wants requests from those IP addresses which are Their IP addresses to bypass any active defense software.
0
 
LVL 24

Expert Comment

by:diverseit
Good point Dave!  ...I don't know how I misread that!
0
 
LVL 20

Expert Comment

by:masnrock
We'll still need to know which model firewall. Watchguard was notorious for changing up their interfaces from model to model. But either way, all traffic from the range needs to be allowed as previously stated.
0

Author Comment

by:Bonnie_K
Hi,

Sorry to be so long in getting back. I am getting slammed today with requests.

It is a Firebox XTM Model X20e

I am essentially the IT person for the company with the Firebox.  They are trying to be in compliance to process credit cards.  Sorry, I have never had to deal with this before and do not understand all the acronyms.

The company trying to do the scan is saying that their scans will originate from 1 of the 62 IP addresses in the block they gave us.  We have only one public IP used for mail and RDP.

Yes - it seems the company wants access to our internal network to run scans?  Seems very invasive, but I guess if it is to protect credit card info, it is very important.

Thanks for your help - please let me know if you need any more information.  The article I looked over said I should not have to change my firewall, but that I should add this block of IP's to a trusted list on the firebox.  I just don't know how to do that...

Thanks again,
Bonnie
0
 
LVL 82

Expert Comment

by:Dave Baldwin
No, their scans can come from Any of the 62 IP addresses which is why they want them All to bypass the active defenses.
0
 
LVL 24

Expert Comment

by:diverseit
Technically all you have to do is temporarily disable IDS/IPS during the scanning period as mentioned in my previous comment (http:#a39623493).

Are you certain you have been assessed properly? Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain Data Security Standard (DSS) requirements by performing vulnerability scans of Internet facing environments of merchants and service providers. The Council has approved more than 130 ASVs. Are you one of them...meaning do you perform scans for or assist your clients with PCI compliance? If yes, then you are an ASV, and if no, then you have been misclassified and should only adhere to the regular PCI-DSS assessment (SAQ) to figure out which Merchant Level & Validation Type (https://www.controlscan.com/support_resources_qa.php#5 and https://www.controlscan.com/support_resources_qa.php#6, respectively) you are. Both (the Merchant Level & Validation Type) are pretty self-explanatory in the links, but if you have any questions please ask freely.

I'd call ControlScan to gain more insights to figure out why you are being treated as an ASV (and if that is correct).

Does that make sense?
0
 

Author Comment

by:Bonnie_K
Hi diverseit, it is starting to make sense.  We are definitely not an ASV.  I did find that we have an IPS subscription service on the watchguard.  I do not see where I can add an exception to it.  But I see how I can turn it off temporarily.  I will see if we can do that or I will contact Watchguard.

Thanks,
Bonnie
0
 
LVL 24

Accepted Solution

by:diverseit (earned 500 total points)
Ok, then I would definitely contact ControlScan to have them properly assess this situation because otherwise it's all in vain! The costs and requirements are vastly different for an ASV versus a Merchant, and then within being a Merchant the Level and Validation Type matter greatly in your efforts to become compliant. E.g. if you pass this scan as an ASV it has no effect on your compliance as a Merchant, let alone the type of SAQ you fall under, etc.

I'm glad you are getting this sorted out. Let me know if I can help in any other way. Thanks!
0
 

Author Comment

by:Bonnie_K
Hello,

I turned off the IPS service on the firebox, ran the scan and it still failed. When scheduling a scan I could choose from slow, medium and fast.  The failed tests were run in medium mode.  I tried another scan in slow mode and it passed (Yay!)

Thanks for all of your help in understanding PCI compliance scanning.

-Bonnie
0
 
LVL 24

Expert Comment

by:diverseit
My pleasure! I'm glad I could help...thanks for the points!
0
