New Member

PCI Scan

Good Morning All

One of our sites just failed a PCI scan for not blocking ICMP type 13 and 14 packets (timestamp). The firm that conducted the scan also is asking us to turn off IDS and allow unrestricted access to their external IP address. I am inclined to deny this and cannot understand why this will help. Anyone have any similar experiences with this?

Thanks in advance. Bud....

4 REPLIES
Hall of Fame Super Silver

Re: PCI Scan

Bud

While I feel that ICMP type 13 and 14 (timestamp and timestamp reply) are not so very dangerous, I also appreciate the Security perspective that says the less you reveal about your devices (especially to outsiders) the more secure you are. I would hope that the timestamp issue was not the only reason that the site failed the PCI scan. I would probably go ahead and block these ICMP messages - especially on any outward facing routers.

I would really ask them about the request to turn off IDS - which strikes me as asking you to take a step backwards in terms of security.

And I would suggest to them that an IPSec VPN connection from their site to your site would be a much more prudent solution than just granting unrestricted access from their address space.

HTH

Rick
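
As an added illustration of the "block these ICMP messages on any outward-facing router" advice (this is example configuration, not from the original thread): a Cisco IOS extended ACL that drops ICMP timestamp requests and replies on the Internet-facing interface while still passing the ICMP messages that path MTU discovery and traceroute rely on. The interface name, the ACL name and the 203.0.113.10 host address are assumptions.

```cisco
! Added example: drop ICMP timestamp-request (type 13) and timestamp-reply (type 14)
! at the Internet-facing interface. Names and addresses below are assumed.
ip access-list extended OUTSIDE-IN
 remark --- PCI scan finding: ICMP timestamp request/reply ---
 deny   icmp any any timestamp-request
 deny   icmp any any timestamp-reply
 remark --- ICMP that real traffic depends on (PMTUD, traceroute) ---
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 remark --- existing service rules go here; 203.0.113.10 is a placeholder host ---
 permit tcp  any host 203.0.113.10 eq 443
 remark --- everything else, including the remaining ICMP types, hits the implicit deny ---
!
interface GigabitEthernet0/0
 description Internet-facing (assumed interface name)
 ip access-group OUTSIDE-IN in
```

To check the change from outside, send a timestamp request at the address (for example `hping3 -1 -C 13 203.0.113.10`, or `nmap -sn -PP 203.0.113.10`) and confirm no type 14 reply comes back; on the router, `show access-lists OUTSIDE-IN` should show the two deny lines' match counters increasing. The two deny entries sit above the permits because IOS evaluates the list top down and stops at the first match.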

New Member

Re: PCI Scan

Thanks for the reply. You have pretty much validated my responses. A nailed-up VPN is a much better idea. I do understand the urgency to pass the PCI scan but common sense should not be tossed aside. Thanks again.

Bud

New Member

Re: PCI Scan

It has been a surprise to most (me included) but within the PCI requirements it specifies that you must disable any IPS functionality you have for the scan vendor. The idea is that an IPS should only be used to mitigate issues until they can be solved.

Now if they are asking you to allow "unrestricted access" from their IP (ANY:ANY) that is an entirely different matter and not a requirement for the external PCI scan AFAIK. It may be a requirement or option for your internal scan however.

For what it's worth, if you feel what they are asking you to do is out of line, you can also take it up with your PCI auditor and/or your bank since they are the final stop for any PCI related audit material.

New Member

Re: PCI Scan

In the desire to be compliant, the CFO decided to allow the requested access. I have experienced this before at a retail client and am curious to see the results. Thanks for your comments.
