RE: Nessus Scan
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 16 Aug 2007 19:57:44 -0700
Thanks for the response, Craig. A couple of notes below.
> No actually you are incorrect. PCI-DSS is not pass/fail. It is:
> - Scan issue found - adequate compensating controls exist
> - Compensating controls exist but are inadequate
> Either of the top 2 are acceptable.
I'm aware of this, I used generic PASS/FAIL for brevity.
> As for the IPS, Page 4 - Security Scanning Procedures v 1.1
> "13. Arrangements must be made to configure the intrusion
> detection system/intrusion prevention system (IDS/IPS) to
> accept the originating IP address of the ASV. If this is not
> possible, the scan should be originated in a location that
> prevents IDS/IPS interference"
This is what bugs me about compliance-driven security. It could be worse
(SOX anyone?) but while PCI is very explicit in most areas, the grey areas
suck and/or cause confusion. My day job is for a very large mobile
communications company. The auditors either made a decision that this wasn't
relevant or ignored it completely.
Try Qualys and IBM (ISS)... They say differently, or at least don't mention
it. Since PCI external quarterly scanning has been required (Q1 2006), not
*once* has a request been made to whitelist the scanning source IP on our IPS.
Based on that experience I mistakenly assumed that whitelisting/bypassing
IPS was not required. Especially when you consider that most ASVs utilize
the Qualys tool to perform PCI testing as its reporting structure meets PCI
compliance guidelines. You would think Qualys themselves would have ensured
that the scan process was per PCI guideline.
> The idea is that the scan should test the underlying controls
> and not be solely reliant on the IDS/IPS device. The scanning
> vendor has to have you add them as a trusted host or filter
> your IP for the scan - it is a part of the test - it is a
> part of the compliance requirement. The PCI standard is
> designed to ensure that your site meets the minimum without
> the IPS. The IPS may then in some cases be a compensating control.
Again, we've received conflicting information. I'll have to look into this
to make sure we've got our butts covered.
> And if you are reliant on the IDS/IPS alone to stop the scan,
> then as these are generally signature based devices, you are
> open to new attacks. Hence the requirement to scan sans IPS.
Agreed. Layered security is the goal. PCI is just a process to reach it.