Home page logo

basics logo Security Basics mailing list archives

RE: Nessus Scan
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 16 Aug 2007 19:57:44 -0700

Thanks for the response Craig. A couple of notes below 

No actually you are incorrect. PCI-DSS is not pass/fail. It is:
   - Pass
   - Scan issue found - adequate compensating controls exist
   - Compensating controls exist but are inadequate
   - Fail
Either of the top 2 are acceptible.

I'm aware of this, I used generic PASS/FAIL for brevity.

As for the IPS, Page 4 - Security Scanning Procedures v 1.1 
"13. Arrangements must be made to configure the intrusion 
detection system/intrusion prevention system (IDS/IPS) to 
accept the originating IP address of the ASV. If this is not 
possible, the scan should be originated in a location that 
prevents IDS/IPS interference"

This is what bugs me about compliance-driven security. It could be worse
(SOX anyone?) but while PCI is very explicit in most areas, the grey areas
suck and/or cause confusion. My day job is for a very large mobile
communications company. The auditors either made a decision that this wasn't
relevant or ignored it completely.

Try Qualys and IBM (ISS)... They say differently, or at least don't mention
it. Since PCI external quaterly scanning has been required (Q1 2006), not
*once* has request been made to whitelist the scanning source IP on our IPS.
Based on that experience I mistakenly assumed that whitelisting/bypassing
IPS was not required. Especially when you consider that most ASV's utilize
the Qualys tool to perform PCI testing as its reporting structure meets PCI
compliance guidelines. You would think Qualys themselves would have ensured
that the scan process was per PCI guideline.

The idea is that the scan should test the underlying controls 
and not be solely reliant on the IDS/IPS device. The scanning 
vendor has to have you add them as a trusted host or filter 
your IP for the scan - it is a part of the test - it is a 
part of the compliance requirement. The PCI standard is 
designed to ensure that your site meets the minimum without 
the IPS. The IPS may then in some cases be a compensating control.

Again, we've received conflicting information. I'll have to look into this
to make sure we've got our butts covered.

And if you are reliant on the IDS/IPS alone to stop the scan, 
then as these are generally signiture based devices, you are 
open to new attacks.Hence the requirement to scan sans IPS.

Agreed. Layered security is the goal. PCI is just a process to reach it.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]