PCI compliance issue with Cisco ASA

THREAT:
Your firewall policy seems to let TCP packets with a specific source port pass through.

IMPACT:
Some types of requests can pass through the firewall. The port number listed in the results section of this vulnerability report is the source port that unauthorized users can use to bypass your firewall.

SOLUTION:
Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port.

RESULT:
The host responded 4 times to 4 TCP SYN probes sent to destination port 80 using source port 80. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port.
Joel Fernandez, Network Administrator, asked:
btan, Exec Consultant, commented:
It seems you're hosting a web server internal to your ASA and allowing that to come in.

Nonetheless, the report claims that it can reach the destination port if the source port is specific (80 in your sample), but it can't if it uses a random port (between 1024 and 65535, for example). Clients normally use a random port, and so your rule shouldn't take into account the source port number.

So one of your rules is faulty, as far as we can "guess", because the ASA typically allows flows if the source port is specific and in this case a legit HTTP port for web traffic (assuming you have a web server etc.), whereas, for normal cases, the ASA should only filter on the destination port, which is the only static part between the two.

I "guess" you missed creating one of your rules by unintentionally swapping the source and destination port values.
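What such a swapped rule looks like on an ASA, beside the intended rule and the packet-tracer checks that reproduce the scanner's probes, as an added illustration that is not from the question or btan's answer; the ACL name, interface name and addresses (scanner 203.0.113.5, web server 192.0.2.10) are assumed placeholders:

```cisco
! FAULTY rule: "eq 80" follows the SOURCE address, so it matches any
! packet whose SOURCE port is 80, to ANY destination port on the server.
access-list OUTSIDE_IN extended permit tcp any eq 80 host 192.0.2.10

! INTENDED rule: "eq 80" follows the DESTINATION address, so only
! connections TO port 80 are allowed, whatever the client's source port.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-group OUTSIDE_IN in interface outside

! Reproduce the scanner's two probes (source port 80 vs. random source
! port). With the faulty rule the first is ALLOWED and the second DROPPED;
! with the intended rule both are ALLOWED.
packet-tracer input outside tcp 203.0.113.5 80 192.0.2.10 80
packet-tracer input outside tcp 203.0.113.5 51234 192.0.2.10 80

! The real exposure: a SYN from source port 80 to a non-web port. The
! faulty rule ALLOWS it; the intended rule DROPS it (implicit deny).
packet-tracer input outside tcp 203.0.113.5 80 192.0.2.10 22

! Hit counters show which ACL line the probes actually matched.
show access-list OUTSIDE_IN
```

Remove the faulty line with `no access-list OUTSIDE_IN extended permit tcp any eq 80 host 192.0.2.10` once the intended rule is in place and the packet-tracer results match the expectations above.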