PCI Scan failing due to RED Port 3400

Nobody has run into this? 

Bill,

it seems you are alone! [:P]

I guess that XG has the same issue/limitation like UTM. RED is the same on XG.

Let's see if sachingurung or Aditya Patel have some info regarding your issue.

Thanks

Hey Luk, it seems that I am! 

Yes, it seems the XG implements it exactly the same way as the UTM does.  I have taken a look at the workaround offered in the UTM but I am not sure that it will work for the XG.  The guidance on UTM is to create a DNAT rules but I am not sure that this will work with the XG DNAT rules.

http://xianclasen.blogspot.com/2016/02/sophos-red-and-pci-compliance.html

Uhm...

Bill, did you have a look at this KB?

https://community.sophos.com/kb/en-us/125758

This is something not available on UTM yet.

Regards

I did see that, and I have enabled TLS 1.2 on the RED configuration since I enabled it.

I will have to figure out some way to restrict port 3400 to only the WAN IP of the RED connection.  The PCI scan is always going to complain about that self signed certificate. 

Hi Bill,

PCI compliance check has to be done with approved scanning vendors by PCI security standards council to comply with the latest PCI framework requirement. Hence non-approved external PCI scanners may not comply with PCI framework due to their lack of testing against known CVE in the deployed Sophos UTM.

Here is a link for approved scanning vendors:

https://www.pcisecuritystandards.org/assessors_and_solutions/approved_scanning_vendors

RED functionality is similar in both the devices; XG and the UTM. Luk's suggestion of enforcing TLS 1.2 is something you must implement.  

Cheers-

Hi sachingurung,

In the first post I mentioned the vendor, SecurityMetrics, who did the scan.  They are an approved vendor on the list you posted, so it is not related to non-approved PCI scanning in this case. 

I have already implemented TLS 1.2 by turning it on in the RED configuration page.  The primary problem seems to be the fact that the XG/UTM uses weak ciphers.  The workarounds I have seen are for the UTM but I don't believe they will work in XG due to the way DNAT rules have to be written. 

I used this as a template:

http://xianclasen.blogspot.com/2016/02/sophos-red-and-pci-compliance.html

The difference is the XG doesn't seem to allow you to "do nothing" in the DNAT rule, you have to give it a destination or you can't create the rule.  So what I did was create a DNAT rule to allow from WAN, from the static IP my RED is on, and map port 3400 to the internal IP of the XG.  Then I cloned this rule, changed the allowed networks from the RED IP to Any, and then created a non-routable IP and sent the traffic to the black hole address.  So far it seems to be working, testing port scans from various places show the port as stealth, but the RED can connect just fine. 

sachingurung, 

I am more than sure what is Bill Roland saying is correct. Sachin, can you investigate internally and report it back ASAP?

This is a security issue that must be addressed.

Regards

Hi All,

Provide me some time to investigate and raise it internally. I will update with all the information that I can source.

Thank You