PCI Scan

bud.nelson
Level 1

Good Morning All

One of our sites just failed a PCI scan for not blocking ICMP type 13 and 14 packets (timestamp). The firm that conducted the scan is also asking us to turn off IDS and allow unrestricted access to their external IP address. I am inclined to deny this and cannot understand why this will help. Anyone have any similar experiences with this?

Thanks in advance. Bud....

4 Replies

Richard Burts
Hall of Fame

Bud

While I feel that ICMP type 13 and 14 (timestamp and timestamp reply) are not so very dangerous, I also appreciate the security perspective that says the less you reveal about your devices (especially to outsiders) the more secure you are. I would hope that the timestamp issue was not the only reason that the site failed the PCI scan. I would probably go ahead and block these ICMP messages - especially on any outward-facing routers.

I would really ask them about the request to turn off IDS - which strikes me as asking you to take a step backwards in terms of security.

And I would suggest to them that an IPsec VPN connection from their site to your site would be a much more prudent solution than just granting unrestricted access from their address space.

HTH

Rick

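Blocking the two timestamp message types on an outward-facing router, as Rick suggests above, can be done with an inbound extended ACL. This is an added example and not configuration from anyone in the thread; the interface name, the inside address range (203.0.113.0/24, a documentation prefix) and the ACL name are assumptions, and the `log` keyword on the deny lines is there so hits show up in syslog and in the ACL counters.

```cisco
! Added example (not from the original thread): Cisco IOS extended ACL
! applied inbound on the Internet-facing interface.
! Interface name, ACL name and inside prefix are assumptions.
ip access-list extended OUTSIDE-IN
 remark Drop ICMP timestamp request (type 13) and reply (type 14); log hits
 deny   icmp any any timestamp-request log
 deny   icmp any any timestamp-reply log
 remark Keep the ICMP messages path-MTU discovery and traceroute rely on
 permit icmp any any packet-too-big
 permit icmp any any time-exceeded
 remark Return traffic for TCP sessions opened from the inside network
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark Existing permit entries for published services go here
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing
 ip access-group OUTSIDE-IN in
!
! Verify after the scan reruns:
!   show ip access-lists OUTSIDE-IN   (match counters on the two deny lines)
!   show logging | include OUTSIDE-IN (logged timestamp probes, with source IP)
```

The deny entries are placed before any permit so a broader `permit icmp` later in the list cannot let type 13/14 through.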

Thanks for the reply. You have pretty much validated my responses. A nailed-up VPN is a much better idea. I do understand the urgency to pass the PCI scan but common sense should not be tossed aside. Thanks again.

Bud

It has been a surprise to most (me included), but within the PCI requirements it specifies that you must disable any IPS functionality you have for the scan vendor. The idea is that an IPS should only be used to mitigate issues until they can be solved.

Now if they are asking you to allow "unrestricted access" from their IP (ANY:ANY) that is an entirely different matter and not a requirement for the external PCI scan AFAIK. It may be a requirement or option for your internal scan however.

For what it's worth, if you feel what they are asking you to do is out of line, you can also take it up with your PCI auditor and/or your bank since they are the final stop for any PCI related audit material.

In the desire to be compliant, the CFO decided to allow the requested access. I have experienced this before at a retail client and am curious to see the results. Thanks for your comments.
