Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 5 replies
  • Subscribers 3 subscribers
  • Views 1984 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ASG 220 - 7.511 - Vulnerability Scan - PCI Compliance

kellym_01
As part of our migration to a new credit card processing service - the vendor required a Vulnerability Scan to be run against our firewall (ASG 220 - 7.511).

The ASG almost escaped unscathed - other than an issue with SSLv2 (tcp/3400). Apparently our ASG220 accepted a SSLv2 connection.  SSLv2 has some known "cryptographic weaknesses" that make it no PCI compliant.  Obviously this is an old protocol...

Not sure if this is configurable - or has been resolved in newer firmware/updates (we tend to lag a bit behind the "bleeding edge" on updates).

A secondary issue also was flagged - in that the "System Responds to SYN+FIN TCP Packets"...

Any thoughts or suggestions.


This thread was automatically locked due to age.
Parents
  • 0
    Re SYN/FIN:

    I did some more testing using nmap...
    sudo nmap -v -v --scanflags SYNFIN -P0 -p80,443 

    The "Use strict TCP session handling" option seems to be working, at least on 8.x; it's dropping the incoming packets.

    However, even with "strict TCP session handling", 7.509 isn't dropping the INCOMING SYN FIN packets; it only drops the REPLIES (ACK FIN) from the server behind the firewall.

    2012:09:12-16:03:36 fw2 ulogd[3416]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" seq="0" outitf="eth0" srcip="INTERNAL SERVER" dstip="NMAP ATTACKER" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="45293" tcpflags="ACK SYN"


    Anyways, the "strict TCP session handling" should prevent the replies from getting out, which might help with the scans.

    Barry
Reply
  • 0
    Re SYN/FIN:

    I did some more testing using nmap...
    sudo nmap -v -v --scanflags SYNFIN -P0 -p80,443 

    The "Use strict TCP session handling" option seems to be working, at least on 8.x; it's dropping the incoming packets.

    However, even with "strict TCP session handling", 7.509 isn't dropping the INCOMING SYN FIN packets; it only drops the REPLIES (ACK FIN) from the server behind the firewall.

    2012:09:12-16:03:36 fw2 ulogd[3416]: id="2012" severity="info" sys="SecureNet" sub="packetfilter" name="strict TCP state" action="strict TCP state" fwrule="60009" seq="0" outitf="eth0" srcip="INTERNAL SERVER" dstip="NMAP ATTACKER" proto="6" length="44" tos="0x00" prec="0x00" ttl="64" srcport="443" dstport="45293" tcpflags="ACK SYN"


    Anyways, the "strict TCP session handling" should prevent the replies from getting out, which might help with the scans.

    Barry
Children
No Data