SSL, TLS, and PCI DSS Compliance

Hello All.

I have a customer who received multiple failures in their monthly PCI DSS scan (by an outside provider). They are seeing hits on SSL v3 and v2, as well as TLS 1 being supported. Essentially it's complaining that SSL is available because port 443 is used by outgoing apps, and 1550 is the management port for reaching the firewall from the WAN interface.

My question is this: Is there a way to force the client and/or firewall to use a stronger version of TLS in order to mitigate this? I'm of the opinion that there isn't, as the client will use whatever the application is using.

Thanks for any info,

Russ Suter (Senior Software Developer) commented:
I ran into the exact same problem about a month ago. The answer to your question depends somewhat on the device that's serving the resource. IIS, for example, can be configured to prevent the POODLEBLEED issue fairly easily. Configuring it against the Logjam vulnerability is a little more difficult but still possible.

My firewall, on the other hand, had absolutely no way of configuring it to avoid Logjam if SSL VPN was being used. My only solution was to shut down SSL VPN and go to an IPSEC VPN configuration instead. It was a pain but it was necessary.

The first question is, what are the devices / services on the open ports?
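The IIS configuration mentioned above is done through the Windows SChannel registry keys, since IIS (and OWA, which runs on IIS) takes its protocol settings from SChannel rather than from the web server itself. The script below is an added example, not code from the thread or from Microsoft: it disables the protocols the PCI scan flagged (SSL 2.0, SSL 3.0, TLS 1.0) for both the Server side (inbound connections to IIS) and the Client side (outbound connections made by the host), explicitly enables TLS 1.2, and then reads the keys back so the result can be reviewed. The registry paths and the `Enabled` / `DisabledByDefault` value names are the standard SChannel settings; the function names are my own. A reboot is required before the change takes effect, and any legacy client that only speaks the disabled protocols will stop connecting, so test it on a non-production host first.

```powershell
# Added example (not from the thread): disable SSL 2.0, SSL 3.0 and TLS 1.0 in
# Windows SChannel, which IIS uses for HTTPS. Run from an elevated PowerShell
# session; the new settings only apply after a reboot.

$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocols the monthly PCI scan in the question complained about.
$legacy = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0')

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)] [string] $Protocol,
        [Parameter(Mandatory)] [ValidateSet('Server', 'Client')] [string] $Side,
        [Parameter(Mandatory)] [bool] $Enabled
    )
    $key = Join-Path (Join-Path $base $Protocol) $Side
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # Enabled = 0 turns the protocol off for this side.
    # DisabledByDefault = 1 stops applications from opting back in unless
    # they explicitly request the protocol.
    $enabledValue  = [int]$Enabled          # $true -> 1, $false -> 0
    $disabledValue = [int](-not $Enabled)   # $true -> 0, $false -> 1
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
        -Value $enabledValue -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
        -Value $disabledValue -Force | Out-Null
}

function Get-SchannelProtocolState {
    # Returns one row per protocol and side so the change can be reviewed
    # (and kept as evidence for the scan provider) before rebooting.
    param([string[]] $Protocols)
    foreach ($p in $Protocols) {
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path (Join-Path $base $p) $side
            $enabled  = '(not set)'
            $disabled = '(not set)'
            if (Test-Path $key) {
                $props    = Get-ItemProperty -Path $key
                $enabled  = $props.Enabled
                $disabled = $props.DisabledByDefault
            }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
            }
        }
    }
}

# Turn the legacy protocols off for both inbound (Server) and outbound (Client)
# use, then explicitly enable TLS 1.2 so the host is never left without a
# usable protocol.
foreach ($p in $legacy) {
    Set-SchannelProtocol -Protocol $p -Side Server -Enabled $false
    Set-SchannelProtocol -Protocol $p -Side Client -Enabled $false
}
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Server -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.2' -Side Client -Enabled $true

Get-SchannelProtocolState -Protocols ($legacy + 'TLS 1.2') | Format-Table -AutoSize
```

This only addresses a Windows/IIS host. For a firewall or other appliance the options are whatever its vendor exposes, which is the point made above about devices where the only remedy was to stop using SSL VPN. Re-run the external scan after the reboot to confirm the findings are cleared rather than relying on the registry readout alone.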

mjbegin (Author) commented:
It appears the issue is due to 443 being used by their mail server for OWA.

mjbegin (Author) commented:
Excellent. Thanks I'll check these out. Of course it may all be moot. Their EHR program, the company that contracts with the scan provider, is using port 443 themselves!

Russ Suter (Senior Software Developer) commented:
There's nothing inherently wrong with using port 443. It just has to be patched against known vulnerabilities and there must be a legitimate business need to have the port open in the first place.

Network segmentation is your friend. If you can completely isolate the network where cardholder data is stored, transmitted, or processed from the network where public services are provided you can effectively declare this network out of scope. In practice that's not quite as easy as in theory.