One of our sites just failed a PCI scan for not blocking ICMP type 13 and 14 packets (timestamp). The firm that conducted the scan is also asking us to turn off IDS and allow unrestricted access to their external IP address. I am inclined to deny this and cannot understand why this will help. Anyone have any similar experiences with this?
While I feel that ICMP type 13 and 14 (timestamp and timestamp reply) are not so very dangerous, I also appreciate the security perspective that says the less you reveal about your devices (especially to outsiders) the more secure you are. I would hope that the timestamp issue was not the only reason that the site failed the PCI scan. I would probably go ahead and block these ICMP messages, especially on any outward-facing routers.
I would really ask them about the request to turn off IDS - which strikes me as asking you to take a step backwards in terms of security.
And I would suggest to them that an IPsec VPN connection from their site to your site would be a much more prudent solution than just granting unrestricted access from their address space.
Thanks for the reply. You have pretty much validated my responses. A nailed-up VPN is a much better idea. I do understand the urgency to pass the PCI scan but common sense should not be tossed aside. Thanks again.
It has been a surprise to most (me included), but within the PCI requirements it specifies that you must disable any IPS functionality you have for the scan vendor. The idea is that an IPS should only be used to mitigate issues until they can be solved.
Now if they are asking you to allow "unrestricted access" from their IP (ANY:ANY) that is an entirely different matter and not a requirement for the external PCI scan AFAIK. It may be a requirement or option for your internal scan however.
For what it's worth, if you feel what they are asking you to do is out of line, you can also take it up with your PCI auditor and/or your bank since they are the final stop for any PCI related audit material.