  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2423

PCI scan

Hello,

I have a customer who is failing the PCI scan.  

The message from the scanner is below.  We are using a watchguard firebox.  I do not understand what I need to do to make their IP range a trusted range so that they can complete their scan.

> Our scans will originate from the IP range: x.x.x.x/26.
>
> Please whitelist this range on any active defense mechanism, as applicable.
>
> Please reschedule a scan.
>
> The link below explains the need for whitelisting our IP range.
>
> Perform a Scan without Interference from IDS/IPS at the bottom of Page 14.
> https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf
>
> Thank you
> Controlscan
> https://smartscan.controlscan.com/email
> 1-800-825-3301
Asked by Bonnie_K
1 Solution
Blue Street Tech (Last Knights) commented:
Hi Bonnie_K,

I work with ControlScan a ton. I see possibly two issues here. First they want you to turn off IDS/IPS on the WAN during the scan. That should resolve the scan failing in their eyes. Basically they want to take away the intelligence of your firewall in order to see how it handles more sophisticated attacks or new targeted attacks.

The second might be a red herring but it's worth mentioning. There may be an issue with how the scan setup has been configured. Unless your client has 62 Public IP addresses, which is what x.x.x.x/26 means, then the scan is going to pick up other networks which may not be secure. For a further explanation, if your client is assigned 1.1.1.0 with 26 mask bits, then that would provide your client with the following Public IPs: 1.1.1.1-1.1.1.62. Chances are they are most likely going to be issued a 5-pack, meaning 1.1.1.1-1.1.1.5.

To remedy this just re-set or have ControlScan re-set the scan range to the correct Public IP Addresses issued to your client. If you do not know what they are or how many, simply contact their ISP and they will be able to provide that to you.

If it is failing for other reasons, it would only be because the firewall is not properly set up to block unsolicited traffic on inbound ports. To remedy that, simply close the open ports, or, if they need to exist, either explicitly define the source, or, in the event you can't do that because it is a web server and needs the source set to Any, move those resources into the DMZ so that if they are exploited or compromised they will be contained to that zone, halting the ability to get at the credit card data.

Are you helping your client with PCI or are you the Approved Vendor?

Let me know if you have any other questions!
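The arithmetic behind the /26 discussed above, together with a check of whether an IPS is still blocking traffic from inside that range, as an added example that is not part of this thread and not ControlScan or WatchGuard tooling. The range 203.0.113.0/26 is an RFC 5737 documentation placeholder standing in for the redacted x.x.x.x/26, and the log lines and their key=value layout are constructed for the example rather than the Firebox's real log format:

```python
import ipaddress
import re

# Constructed placeholder for the scanner's range; the thread redacts it as x.x.x.x/26.
# 203.0.113.0/26 is an RFC 5737 documentation block, not a real ASV address.
SCANNER_RANGE = "203.0.113.0/26"


def range_summary(cidr):
    """Return the bounds and size of a CIDR block, as a firewall exception would see it."""
    net = ipaddress.ip_network(cidr, strict=False)
    hosts = list(net.hosts())  # for IPv4 this excludes the network and broadcast addresses
    return {
        "network": str(net.network_address),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "total_addresses": net.num_addresses,
        "usable_hosts": len(hosts),
    }


def is_scanner_source(ip, allowlist=(SCANNER_RANGE,)):
    """True if ip falls inside any allowlisted block."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


# Constructed sample IPS log lines in a generic key=value style (not the Firebox format).
SAMPLE_LOG = """\
2013-11-04 09:15:02 ips action=block src=203.0.113.17 dst=198.51.100.10 dport=3389 sig=portscan
2013-11-04 09:15:05 ips action=block src=203.0.113.44 dst=198.51.100.10 dport=25 sig=smtp-probe
2013-11-04 09:16:11 ips action=block src=192.0.2.200 dst=198.51.100.10 dport=3389 sig=rdp-bruteforce
2013-11-04 09:17:30 ips action=allow src=203.0.113.9 dst=198.51.100.10 dport=443 sig=-
2013-11-04 09:18:02 ips action=block src=203.0.113.70 dst=198.51.100.10 dport=22 sig=ssh-probe
"""

LOG_RE = re.compile(r"action=(?P<action>\w+)\s+src=(?P<src>[\d.]+)")


def interfering_blocks(log_text, allowlist=(SCANNER_RANGE,)):
    """Return the source IPs of IPS blocks that hit the scanner's range.

    Any entry here means the IPS is still interfering with the scan, so the
    exception (or temporary disable) is not taking effect for that address.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m.group("action") == "block" and is_scanner_source(m.group("src"), allowlist):
            hits.append(m.group("src"))
    return hits


if __name__ == "__main__":
    print(range_summary(SCANNER_RANGE))
    print("scanner blocks still logged:", interfering_blocks(SAMPLE_LOG))
```

Written as a firewall exception, the block covers all 64 addresses (.0 through .63), not only the 62 host addresses the comment above counts. Scoping the exception to the scanner's range is what lets the scan through without turning the IPS off for every other source, and an empty result from interfering_blocks over the IPS log during the scan window is the check that the exception actually took effect.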
masnrock commented:
What type of firewall is your client using? It's blocking traffic from the Controlscan, which is normally a good thing, but you need to allow their traffic long enough to get through the PCI compliance stuff.
Blue Street Tech (Last Knights) commented:
@masnrock - they are using a watchguard firebox.
Dave Baldwin (Fixer of Problems) commented:
> Our scans will originate from the IP range: x.x.x.x/26.
I believe that means that Controlscan wants requests from those IP addresses which are Their IP addresses to bypass any active defense software.
Blue Street Tech (Last Knights) commented:
Good point Dave!  ...I don't know how I misread that!
masnrock commented:
We'll still need to know which model firewall. Watchguard was notorious for changing up their interfaces from model to model. But either way, all traffic from the range needs to be allowed as previously stated.
Bonnie_K (Author) commented:
Hi,

Sorry to be so long in getting back. I am getting slammed today with requests.

It is a Firebox XTM Model X20e

I am essentially the IT person for the company with the Firebox.  They are trying to be in compliance to process credit cards.  Sorry, I have never had to deal with this before and do not understand all the acronyms.

The company trying to do the scan is saying that their scans will originate from 1 of the 62 IP addresses in the block they gave us.  We have only one public IP used for mail and RDP.

Yes - it seems the company wants access to our internal network to run scans?  Seems very invasive, but I guess if it is to protect credit card info, it is very important.

Thanks for your help - please let me know if you need any more information.  The article I looked over said I should not have to change my firewall, but that I should add this block of IPs to a trusted list on the firebox.  I just don't know how to do that...

Thanks again,
Bonnie
Dave Baldwin (Fixer of Problems) commented:
No, their scans can come from Any of the 62 IP addresses which is why they want them All to bypass the active defenses.
Blue Street Tech (Last Knights) commented:
Technically all you have to do is temporarily disable IDS/IPS during the scanning period, as mentioned in my previous comment (http:#a39623493).

Are you certain you have been assessed properly? Approved Scanning Vendors (ASVs) are organizations that validate adherence to certain Data Security Standard (DSS) requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers. The Council has approved more than 130 ASVs. Are you one of them...meaning do you perform scans for or assist your clients with PCI compliance? If yes, then you are an ASV, and if no, then you have been misclassified and should only adhere to the regular PCI-DSS assessment (SAQ) to figure out which Merchant Level & Validation Type (https://www.controlscan.com/support_resources_qa.php#5 and https://www.controlscan.com/support_resources_qa.php#6, respectively) you are. Both (the Merchant Level & Validation Type) are pretty self-explanatory in the links, but if you have any questions please ask freely.

I'd call ControlScan to gain more insight to figure out why you are being treated as an ASV (and if that is correct).

Does that make sense?
Bonnie_K (Author) commented:
Hi diverseit, it is starting to make sense.  We are definitely not an ASV.  I did find that we have an IPS subscription service on the watchguard.  I do not see where I can add an exception to it.  But I see how I can turn it off temporarily.  I will see if we can do that or I will contact Watchguard.

Thanks,
Bonnie
Blue Street Tech (Last Knights) commented:
Ok, then I would definitely contact ControlScan to have them properly assess this situation because otherwise it's all in vain! The costs and requirements are vastly different for an ASV versus a Merchant, and then within being a Merchant the Level and Validation Type matter greatly in your efforts to become compliant. E.g. if you pass this scan as an ASV it has no effect on your compliance as a Merchant, let alone the type of SAQ you fall under, etc.

I'm glad you are getting this sorted out. Let me know if I can help in any other way. Thanks!
Bonnie_K (Author) commented:
Hello,

I turned off the IPS service on the firebox, ran the scan and it still failed. When scheduling a scan I could choose from slow, medium and fast.  The failed tests were run in medium mode.  I tried another scan in slow mode and it passed (Yay!)

Thanks for all of your help in understanding PCI compliance scanning.

-Bonnie
Blue Street Tech (Last Knights) commented:
My pleasure! I'm glad I could help...thanks for the points!