Solved

PCI compliance issue with Cisco ASA

Posted on 2014-07-21
3
40 Views
Last Modified: 2015-12-30
THREAT:
Your firewall policy seems to let TCP packets with a specific source port pass through.
IMPACT:
Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that
unauthorized users can use to bypass your firewall.
SOLUTION:
Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be
configured to block all TCP SYN packets going to this port, regardless of the source port.
RESULT:
The host responded 4 times to 4 TCP SYN probes sent to destination port 80 using source port 80. However, it did not respond at all to 4 TCP SYN
probes sent to the same destination port using a random source port.
0
Comment
Question by:Joel Fernandez
3 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 40211654
It seems you're hosting a web server internal to your ASA and allowing that to come in.

Nonetheless, the report claims that it can reach destination port if the source port is specific (80 in your sample), but it can't if it use a random port (between 1024 and 65535 for example). Client normally use random port and so your rule shouldn't take into account the source port number.

So one of your rule is faulty as afar we can "guess" because ASA typically allows flows if the source port is specific and in this case legit HTTP port for web traffic (assuming you have web server etc), whereas, for norm cases, ASA should only filter on the destination port, which is the only static part between the two.

I "guess" you miss creating one of your rule by unintentational swapping source and destination port value
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Isolate data from the internet 11 71
CISSP study material 12 94
IPS Logs NMap Scans 1 95
4 Android flaws that leave 900M devices at Risk 7 74
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Along with being a a promotional video for my three-day Annielytics Dashboard Seminor, this Micro Tutorial is an intro to Google Analytics API data.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question