Alert Logic® is an approved Payment Card Industry (PCI) Scanning vendor. Through the Alert Logic console, you can schedule quarterly external scans that are required for PCI compliance.
How PCI Scans Work
Alert Logic External PCI scanning is different from internal and external vulnerability scanning in that it includes a web application heuristic scan in addition to the standard FusionVM scan engine. In this mode, the crawler will try to make heuristic-based decisions on which parameters should be considered as action parameters. It will intelligently fetch the parameters in order to conduct an effective scan.
This results in a large number of different variations, and therefore the scanner will launch a high number of security checks against the website. This scanning mode is the most efficient and accurate, and is required to be compliant with PCI-DSS requirements.
Time Required for Scanning
The time required for External PCI scanning varies depending on the size and complexity of the target website, the response time of the web server, and the PCI Scan Intensity. The default intensity is Normal, but this can be increased or decreased at the customer’s request. As a result, the web scan may take anywhere from a few minutes to several hours.
During External PCI scanning, Alert Logic Scanners send thousands, sometimes even hundreds of thousands, of HTTP requests to the target website. The longer the server takes to respond, the longer the scanner sits idle waiting for that response. A typical good web server response time is about 200 milliseconds or less.
The number of requests depends on the number of files, directories, forms, variations, and inputs that need to be tested, so the larger and more complex the website, the longer the scan takes. In addition, we are required to test for many different vulnerabilities, with several variations of each: for example, the same page is tested for both XSS and SQL Injection, and for each vulnerability type (e.g. XSS) there are several different tests that check the target website for that type of vulnerability.
Improving Scan Run-Time
There are several things you can check to potentially reduce the amount of time an External PCI scan takes.
Web Server Performance
On the web server, check factors such as CPU, memory, hard disk access, and other resources. Most often, a simple server upgrade solves the problem.
On the database server, check CPU, memory, and hard disk access in relation to the resources being used by the database. Additionally, check whether any queries take too long to execute and whether they can be optimized. Also review the database error logs for additional information about what the scan was testing at the time.
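As an added example (not Alert Logic's own tooling), the following Python script shows how to check the 200 ms guideline above against the web server's own access log during a scan. It assumes an Apache-style combined log format extended with `%D` (response time in microseconds) as the last field, groups query-string variations onto one endpoint so the scanner's many parameter variations are counted together, and flags endpoints whose median response time exceeds the threshold. The log lines and the `Scanner/1.0` user agent are constructed sample data.

```python
"""Flag slow endpoints from web server access logs during a PCI scan.

Added example, not Alert Logic code. Assumes an Apache/httpd combined log
format with the response time in microseconds appended (LogFormat "... %D")
and uses the 200 ms "typical good" response time from the text as threshold.
"""
import re
import statistics
from collections import defaultdict

THRESHOLD_MS = 200.0  # typical good response time quoted in the text

# Constructed sample lines (not real traffic); the last field is %D in microseconds.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Scanner/1.0" 45000
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Scanner/1.0" 52000
203.0.113.10 - - [10/Oct/2023:13:55:37 +0000] "POST /search HTTP/1.1" 200 812 "-" "Scanner/1.0" 950000
203.0.113.10 - - [10/Oct/2023:13:55:38 +0000] "POST /search HTTP/1.1" 200 812 "-" "Scanner/1.0" 1200000
203.0.113.10 - - [10/Oct/2023:13:55:39 +0000] "POST /search HTTP/1.1" 500 312 "-" "Scanner/1.0" 3100000
203.0.113.10 - - [10/Oct/2023:13:55:40 +0000] "GET /products?id=1 HTTP/1.1" 200 2048 "-" "Scanner/1.0" 180000
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET /products?id=2 HTTP/1.1" 200 2048 "-" "Scanner/1.0" 260000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" (?P<us>\d+)$'
)


def parse_line(line):
    """Return (method, path without query string, status, milliseconds), or None on no match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Query-string variations (scanner payloads) are grouped onto one endpoint.
    path = m.group("path").split("?", 1)[0]
    return m.group("method"), path, int(m.group("status")), int(m.group("us")) / 1000.0


def summarize(log_text, threshold_ms=THRESHOLD_MS):
    """Per-endpoint request count, median and max response time, 5xx count, and slow flag."""
    buckets = defaultdict(list)
    errors = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format rather than failing the whole run
        method, path, status, ms = rec
        key = f"{method} {path}"
        buckets[key].append(ms)
        if status >= 500:
            errors[key] += 1
    report = {}
    for key, times in buckets.items():
        median = statistics.median(times)
        report[key] = {
            "requests": len(times),
            "median_ms": round(median, 1),
            "max_ms": round(max(times), 1),
            "errors_5xx": errors[key],
            "slow": median > threshold_ms,
        }
    return report


def slow_endpoints(log_text, threshold_ms=THRESHOLD_MS):
    """Endpoints whose median response time exceeds the threshold, slowest first."""
    report = summarize(log_text, threshold_ms)
    return sorted((k for k, v in report.items() if v["slow"]),
                  key=lambda k: report[k]["median_ms"], reverse=True)


if __name__ == "__main__":
    for key, stats in summarize(SAMPLE_LOG).items():
        flag = "SLOW" if stats["slow"] else "ok"
        print(f"{flag:4} {key:20} n={stats['requests']} median={stats['median_ms']}ms "
              f"max={stats['max_ms']}ms 5xx={stats['errors_5xx']}")
```

Endpoints that come out slow, especially those that also return 5xx under the scanner's load, are the ones to profile on the web or database server first. For nginx, replace the trailing field with `$request_time` (seconds, not microseconds) and adjust the unit conversion accordingly.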
Web Application Firewall (WAF), Intrusion Detection System (IDS), or Network Firewall Interference
Check whether any of these systems are in use and whether they are contributing to a large increase in your average response time. This can happen because every incoming request to your web server is thoroughly analyzed, which adds to the response time. Often the scan will then appear to be hung.
During ports and services discovery, the Scanner occasionally encounters hosts that report every single port (or many random ports) as open. This happens because something in front of, or on, the target host replies with a SYN/ACK to every SYN sent. This behavior is sometimes referred to as “Tarpitting”. A Tarpit is a service, generally found on IDS/IPS devices and firewalls as well as servers, that delays or shrouds incoming connections. When port scanning, the scanner can get stuck for hours, days, or even months trying to get past it. We suggest that customers whitelist our Scanning IPs in any of these security mechanisms so that requests and responses pass through unhindered.
To help reduce the scan duration, you may consider running the scan with a different PCI Scan Intensity. The default number of parallel connections is 10, while the maximum can be set to 25. You may find, however, that this configuration does not suit your needs: there are cases where the Scan Speed should be put on a lower setting. While this seems counter-intuitive for shortening scan times, some target servers cannot handle the number of requests from a normal scan. The requests then congest the web server, increasing the time it takes to send back a response, so a slower scan speed can help when your web server cannot keep up with the Scanner. On the other hand, if your web server can easily handle many requests at the same time, the Fast PCI Scan Intensity setting will shorten the scan.
Please note that increasing the number of parallel HTTP requests can also flood or overload the web server, which can sharply increase its response time. Therefore, before making such changes, ensure that the target web server can handle the increase in load.
Cloud WAF / Content Delivery Network
We have seen customers using CloudFlare and Incapsula for Content Delivery Network (CDN) capabilities. CloudFlare and Incapsula are more than just a CDN. They also provide a WAF for their customers. As a result, if our scanning IPs are not on the CloudFlare/Incapsula whitelist, customers may experience a long-running scan or a scan that is not progressing at all. In some cases, we may ask that customers whitelist our Scanning IPs for any similar security mechanisms so that requests and responses pass through unhindered.
The following are CloudFlare ports:
- 2096 tcp
- 2083 tcp
- 2082 tcp
- 8880 tcp
- 2052 tcp
- 2087 tcp
- 2086 tcp
- 2095 tcp
- 8080 tcp
- 8443 tcp
If you need justification for a PCI Fail dispute, contact the CDN vendor for the mitigation control. For example, Incapsula has more information that can be found in their Open Ports Found in PCI Compliance Testing article.
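As an added example (not Alert Logic's or the CDN vendors' code), the following Python script triages exported port-scan results for the two situations described above: a host that answers "open" on nearly every probed port, which is the tarpit behavior from the firewall/IDS section and means the result cannot be trusted, and a host behind CloudFlare where the open ports are the CloudFlare TCP ports listed above rather than the origin's own services. The scan results, host addresses, probed port range and the 50% tarpit threshold are all constructed assumptions; the CloudFlare port list is the one given on this page.

```python
"""Triage external port-scan results for tarpit behavior and CDN-owned ports.

Added example, not Alert Logic code. Input is a constructed mapping of
host -> set of TCP ports reported open (e.g. parsed from a scanner export).
"""

# CloudFlare TCP ports as listed on this page.
CLOUDFLARE_TCP_PORTS = {2052, 2082, 2083, 2086, 2087, 2095, 2096, 8080, 8443, 8880}

# Ports expected to be open on a public web server (assumption).
WEB_PORTS = {80, 443}

# Assumption: above this fraction of probed ports reporting open, treat the host as
# tarpitting (something answers SYN/ACK to every SYN), so the result is not trustworthy.
TARPIT_OPEN_RATIO = 0.5


def classify_host(open_ports, probed_ports):
    """Describe one host: tarpit suspicion, CDN-attributable ports, other unexpected ports."""
    open_ports = set(open_ports)
    probed = set(probed_ports)
    ratio = len(open_ports & probed) / len(probed) if probed else 0.0
    return {
        "open_ratio": round(ratio, 3),
        "tarpit_suspected": ratio >= TARPIT_OPEN_RATIO,
        # Ports a CloudFlare front end answers on regardless of what the origin runs.
        "cdn_ports": sorted(open_ports & CLOUDFLARE_TCP_PORTS),
        # Anything else beyond the expected web ports needs its own justification.
        "unexpected_ports": sorted(open_ports - CLOUDFLARE_TCP_PORTS - WEB_PORTS),
    }


def triage(scan_results, probed_ports):
    """Classify every host in a scan export."""
    return {host: classify_host(ports, probed_ports) for host, ports in scan_results.items()}


def needs_attention(scan_results, probed_ports):
    """Hosts whose results are unreliable (tarpit) or show ports outside web/CDN expectations."""
    out = []
    for host, info in triage(scan_results, probed_ports).items():
        if info["tarpit_suspected"]:
            out.append((host, "tarpit: whitelist scanner IPs on the firewall/IDS and rescan"))
        elif info["unexpected_ports"]:
            out.append((host, f"review ports {info['unexpected_ports']}"))
    return out


# Constructed sample: a normal host, a host fronted by CloudFlare, and a tarpitting host.
PROBED = set(range(1, 1025)) | CLOUDFLARE_TCP_PORTS | {3306}
SAMPLE_SCAN = {
    "198.51.100.10": {22, 80, 443},
    "198.51.100.20": {80, 443, 2052, 2082, 2083, 8080, 8443, 8880},
    "198.51.100.30": set(PROBED),
}

if __name__ == "__main__":
    for host, info in triage(SAMPLE_SCAN, PROBED).items():
        print(host, info)
    for host, action in needs_attention(SAMPLE_SCAN, PROBED):
        print(f"{host}: {action}")
```

A tarpit finding means the port inventory is noise, not a list of exposed services: fix the interference (whitelist the scanning IPs) and rescan rather than disputing each port. CDN ports that remain open after that are the case for a PCI Fail dispute, backed by the vendor's mitigation documentation as the text describes.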