roy_batty asked:
Draytek 2860 router - how to allow all traffic from specific subnet through to LAN

I need to allow the following IP ranges through the Draytek router/firewall to allow Worldpay to scan our network to ensure it meets PCI compliance.

91.209.196.32/28
178.255.82.64/27
199.66.200.32/28

Can someone explain how I would do this. I have created 3 objects matching the above subnets but I'm unsure what to do next.

Thanks
ASKER CERTIFIED SOLUTION by noci
This is not PCI advice, as I am not a PCI professional. However, I would suggest that you consider what is in PCI scope before adding a particular IP address for scanning. If you are unsure, seek the advice of a PCI professional.

If you do decide that your LAN needs to be scanned (i.e. you are processing or storing card details and this falls within PCI compliance scope), consider the following.

What exactly do you want them to scan inside your network? If you are accessing the Internet using primarily NAT, which most people are, it provides a degree of inbound security. Adding a rule from the WAN to the LAN is not really going to help an external PCI scanner. If a WAN based host attempts to open a port to your public IP address, the router would only report it as open if there is a static port mapping in place, or you have a DMZ host provided. If you have multiple DMZ hosts, each with public IP addresses, you will need to set up rules for these, but I am guessing (and I may be wrong), you probably don't. If you have a DMZ host, or you have multiple DMZ hosts configured, these would each be visible with their own IP address, or you would have some form of network translation in place. Your scan would be configured appropriately.

As an aside, I do suggest that you ensure that Internet based configuration and the other router services are turned off on your router, unless you require general access (bad idea in my mind). At the very least, you should authorise certain IP addresses to remotely configure your router. I would always only do this via the local network or a VPN tunnel.

I am unsure of your technical knowledge, but if you don't understand some of the above, it may be a good idea to ask someone for some paid support. PCI compliance issues can be very costly as you are probably aware.
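As an added example (not part of any answer on this page, and assuming a hypothetical "action src= dst= dport=" log line format rather than real Draytek syslog output), this Python script picks out firewall log lines sourced from the three Worldpay ranges listed in the question and summarises which destination ports were allowed or blocked, so the result can be compared against the static port mappings that the answer above says are the only thing an external scanner will see.

```python
import ipaddress
import re
from collections import defaultdict

# The three Worldpay scanner ranges quoted in the question.
SCANNER_RANGES = [
    ipaddress.ip_network(cidr)
    for cidr in ("91.209.196.32/28", "178.255.82.64/27", "199.66.200.32/28")
]

# Constructed sample log lines in a hypothetical format (not real Draytek syslog).
# 203.0.113.10 stands in for the router's public IP; 198.51.100.7 is a non-scanner host.
SAMPLE_LOG = """\
block src=91.209.196.35 dst=203.0.113.10 dport=22
allow src=91.209.196.35 dst=203.0.113.10 dport=443
block src=178.255.82.70 dst=203.0.113.10 dport=3389
allow src=198.51.100.7 dst=203.0.113.10 dport=443
allow src=199.66.200.40 dst=203.0.113.10 dport=443
"""

LINE_RE = re.compile(
    r"^(?P<action>allow|block) src=(?P<src>[\d.]+) dst=[\d.]+ dport=(?P<dport>\d+)$"
)


def is_scanner(ip: str) -> bool:
    """True if the source address lies inside one of the scanner ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCANNER_RANGES)


def summarise_scanner_hits(log_text: str) -> dict:
    """Return {dport: {"allow": n, "block": n}} counting only scanner-sourced lines."""
    hits = defaultdict(lambda: {"allow": 0, "block": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_scanner(m["src"]):
            continue  # malformed line or traffic from somewhere other than the scanner
        hits[int(m["dport"])][m["action"]] += 1
    return dict(hits)


def unexpected_allows(hits: dict, expected_ports: set) -> set:
    """Ports the scanner was allowed to reach that are not in the documented port-mapping list."""
    return {port for port, counts in hits.items() if counts["allow"] and port not in expected_ports}


if __name__ == "__main__":
    summary = summarise_scanner_hits(SAMPLE_LOG)
    print(summary)
    print("unexpected:", unexpected_allows(summary, {443}))
```

Run it against an export of the router's firewall log (after adapting LINE_RE to the real line format); any port in the "unexpected" set is one the scanner reached without a documented mapping.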
I'm not a certified person either. However, for external PCI scans, it's mainly a test of your existing rules. So the fact that they are talking about allowing them becomes a violation of your own security policy of a sort. If you're explicitly blocking their IP addresses, then get rid of that. Otherwise, there's nothing that you really should need to change. However, I recommend getting the advice of a PCI professional and also getting Worldpay to clarify in writing exactly what they're trying to do.
I agree with masnrock. By adding rules that allow specific hosts to access your network, certainly when the default would be to block them, you are effectively weakening your security.

If they want to carry out an internal LAN PCI scan, usually it would be from a host within your network and it would be a different kind of scan - not the usual "web based" one, in my experience.
roy_batty (asker):

Thanks for answering my question