PCI compliance issue with Cisco ASA

Posted on 2014-07-21
Last Modified: 2015-12-30
THREAT:
Your firewall policy seems to let TCP packets with a specific source port pass through.

IMPACT:
Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.

SOLUTION:
Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.

RESULT:
The host responded 4 times to 4 TCP SYN probes sent to destination port 80 using source port 80. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.

Question by: Joel Fernandez
Accepted Solution by: btan
It seems you're hosting a web server internal to your ASA and allowing that to come in.

Nonetheless, the report claims that it can reach the destination port if the source port is specific (80 in your sample), but it can't if it uses a random port (between 1024 and 65535, for example). Clients normally use random ports, so your rule shouldn't take into account the source port number.

So one of your rules is faulty, as far as we can "guess", because ASA typically allows flows if the source port is specific and in this case the legit HTTP port for web traffic (assuming you have a web server etc.), whereas, for normal cases, ASA should only filter on the destination port, which is the only static part between the two.

I "guess" you missed creating one of your rules by unintentionally swapping the source and destination port values.
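As an added illustration (example code, not from the post, the scanner vendor or Cisco), a small Python model of ASA extended ACEs that flags entries carrying a source-port operator and replays the scanner's two probes (SYN to destination port 80 from source port 80, then from a random high port) against a constructed faulty ACL and its corrected form. The ACL lines, the port-name table and the assumption that addresses match every ACE are all constructed for the example.

```python
# Constructed sample ACLs (not from the original post). FAULTY_ACL carries its port
# operator on the SOURCE side, the swap btan suspects; FIXED_ACL puts it on the destination.
FAULTY_ACL = ["access-list outside_in extended permit tcp any eq www host 192.0.2.10",
              "access-list outside_in extended deny ip any any"]
FIXED_ACL = ["access-list outside_in extended permit tcp any host 192.0.2.10 eq www",
             "access-list outside_in extended deny ip any any"]
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22}  # small subset of ASA port names
OPERATORS = {"eq", "gt", "lt", "neq", "range"}
def _port(tok):  # a port token is either a name or a number
    return PORT_NAMES[tok] if tok in PORT_NAMES else int(tok)

def _take_addr(tokens):
    """Consume one address spec: any/any4/any6 (1 token) or host/object/A.B.C.D MASK (2)."""
    return tokens[1:] if tokens and tokens[0].startswith("any") else tokens[2:]

def _take_port(tokens):
    """Consume an optional port operator; return ((op, lo, hi) or None, rest). hi == lo unless range."""
    if tokens and tokens[0] in OPERATORS:
        lo = _port(tokens[1])
        hi = _port(tokens[2]) if tokens[0] == "range" else lo
        return (tokens[0], lo, hi), tokens[3 if tokens[0] == "range" else 2:]
    return None, tokens

def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [op port] DST [op port]'; None if not an ACE."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list" or t[2] != "extended":
        return None
    src_port, rest = _take_port(_take_addr(t[5:]))
    dst_port, _ = _take_port(_take_addr(rest))
    return {"action": t[3], "proto": t[4], "src_port": src_port, "dst_port": dst_port, "line": line}

def _port_matches(spec, port):
    if spec is None:  # no operator means any port
        return True
    op, lo, hi = spec
    return {"eq": port == lo, "neq": port != lo, "gt": port > lo, "lt": port < lo,
            "range": lo <= port <= hi}[op]

def source_port_aces(acl):
    """ACEs that filter on a source port: the class of rule this scanner finding points at."""
    return [a for a in map(parse_ace, acl) if a and a["src_port"]]

def syn_permitted(acl, sport, dport):
    """First-match evaluation of a TCP SYN; assumes the addresses match every ACE."""
    for a in map(parse_ace, acl):
        if a and a["proto"] in ("tcp", "ip") and _port_matches(a["src_port"], sport) \
                and _port_matches(a["dst_port"], dport):
            return a["action"] == "permit"
    return False  # an ASA ACL ends with an implicit deny
```

Running `source_port_aces` over a real `show running-config access-list` dump lists the candidate entries to review; `syn_permitted` reproduces the scanner's asymmetric result for the faulty ACL and the symmetric one for the fix.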