PCI Scan

Sep 5th, 2008

Good Morning All

One of our sites just failed a PCI scan for not blocking ICMP type 13 and 14 packets (timestamp). The firm that conducted the scan is also asking us to turn off IDS and allow unrestricted access to their external IP address. I am inclined to deny this and cannot understand why this will help. Anyone have any similar experiences with this?

Thanks in advance. Bud....

Richard Burts Fri, 09/05/2008 - 15:13

Bud

While I feel that ICMP type 13 and 14 (timestamp and timestamp reply) are not so very dangerous, I also appreciate the Security perspective that says the less you reveal about your devices (especially to outsiders) the more secure you are. I would hope that the timestamp issue was not the only reason that the site failed the PCI scan. I would probably go ahead and block these ICMP messages - especially on any outward facing routers.

I would really ask them about the request to turn off IDS - which strikes me as asking you to take a step backwards in terms of security.

And I would suggest to them that an IPSec VPN connection from their site to your site would be a much more prudent solution than just granting unrestricted access from their address space.

HTH

Rick
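One way to implement Rick's suggestion on a Cisco IOS router, as an added example that is not part of the original thread: an extended ACL applied inbound on the Internet-facing interface that drops ICMP timestamp-request (type 13) and timestamp-reply (type 14), logs the hits, and keeps the ICMP types needed for path MTU discovery and basic diagnostics. The interface name, the host address and the permitted services are assumptions for illustration and must be replaced with the site's own.

```cisco
! Added example, not configuration from the thread.
! Interface name, host 192.0.2.10 and the permit lines are assumptions.
ip access-list extended OUTSIDE-IN
 remark Drop the ICMP timestamp probes the PCI scan flagged; log so hits appear in syslog
 deny   icmp any any timestamp-request log
 deny   icmp any any timestamp-reply log
 remark Keep ICMP needed for path MTU discovery and traceroute/ping replies
 permit icmp any any packet-too-big
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 remark Replace with the services this site actually publishes to the Internet
 permit tcp any host 192.0.2.10 eq 443
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing (assumed interface name)
 ip access-group OUTSIDE-IN in
```

After applying it, `show access-lists OUTSIDE-IN` shows per-entry hit counts, so the two timestamp deny lines should start incrementing when the scan vendor re-runs, and `show logging` shows the source addresses of the probes. Placing the explicit `deny icmp ... timestamp-*` entries before any broad `permit icmp` keeps the block in effect even if the ICMP policy is later loosened.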

bud.nelson Sun, 09/07/2008 - 17:56

Thanks for the reply. You have pretty much validated my responses. A nailed-up VPN is a much better idea. I do understand the urgency to pass the PCI scan but common sense should not be tossed aside. Thanks again.

Bud

chris.glanville Wed, 09/10/2008 - 14:32

It has been a surprise to most (me included) but within the PCI requirements it specifies that you must disable any IPS functionality you have for the scan vendor. The idea is that an IPS should only be used to mitigate issues until they can be solved.

Now if they are asking you to allow "unrestricted access" from their IP (ANY:ANY) that is an entirely different matter and not a requirement for the external PCI scan AFAIK. It may be a requirement or option for your internal scan however.

For what it's worth, if you feel what they are asking you to do is out of line, you can also take it up with your PCI auditor and/or your bank since they are the final stop for any PCI related audit material.

bud.nelson Thu, 09/11/2008 - 05:48

In the desire to be compliant, the CFO decided to allow the requested access. I have experienced this before at a retail client and am curious to see the results. Thanks for your comments.
