Scan of Hardened IP Address
We have a need to run PCI scans against a small office.
All the computers (five in total) in the office are behind a small NAT box.
The NAT device is hardened.
Scans come back failing because nothing is open:
Alert Logic Inc. has determined that the scanned system(s) are not compliant with the PCI Data Security Standard. The scan result shows that no target hosts were found.
How would/should we proceed with the scanning? We want the scan to say, "nothing open, nothing vulnerable!" and instead it says, "fail!"
Thanks in advance.
Official comment
Rick -
We recommend that you whitelist our PCI scanners from your firewall to ensure an accurate scan can be conducted. Below are some excerpts from customer-facing resources that should help!
From our Running External PCI Scans knowledge base article:
Web Application Firewall (WAF), Intrusion Detection System (IDS), or Network Firewall Interference
Check if any of these systems are being used and if they are contributing to the high increase of your average response time. This may be the case since every incoming request on your web server will be thoroughly analyzed, thus increasing the response time. A lot of times, the scan will seem like it is hung. During ports and services discovery, the Scanner occasionally runs into hosts that will report every single (or lots of random) ports as open. Obviously, this is because something in front of or on the target host is replying with SYN/ACKs for every SYN sent. This behavior is sometimes referred to as “Tarpitting”. A Tarpit is a service generally found on IDS/IPS and Firewalls, as well as servers, that delays or shrouds incoming connections. Basically, when port scanning, the scanner gets stuck for hours, days, or even months trying to get past it. We suggest that customers whitelist our Scanning IPs for any of these security mechanisms so that requests and responses pass through unhindered.
From our PCI Scans Originating IP Addresses documentation:
The following table contains the range of IP addresses owned by Alert Logic. Alert Logic scans originate from a subset of these IP addresses, so make sure that your firewalls allow scanning traffic.
I hope this helps! Please let me know if you need any further information or assistance.
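As an added example (not Alert Logic's code or documentation) of the whitelisting the official comment recommends, the following Python script generates iptables rules that exempt the scanner's source ranges from a NAT box's tarpit and silent-drop rules, checks whether a given source address falls inside those ranges, and flags the "every port reports open" tarpit symptom the knowledge base excerpt describes. The CIDR blocks, interface name and sample scan results are constructed placeholders; the real ranges come from the vendor's PCI Scans Originating IP Addresses documentation, whose table is not reproduced on this page.

```python
"""Allow-list PCI scanner source ranges on a Linux (iptables) NAT box.

Added example, not Alert Logic's code. SCANNER_RANGES holds constructed
placeholder networks (RFC 5737 documentation blocks); substitute the ranges
published in the vendor's "PCI Scans Originating IP Addresses" page.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed placeholders -- NOT real scanner ranges.
SCANNER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

WAN_IFACE = "eth0"  # assumed name of the internet-facing interface


def is_scanner_source(src_ip: str) -> bool:
    """Return True when src_ip lies inside one of the published ranges."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in SCANNER_RANGES)


def allowlist_rules(ranges: Iterable[ipaddress.IPv4Network] = SCANNER_RANGES,
                    iface: str = WAN_IFACE) -> List[str]:
    """Build iptables commands that let scanner traffic through unhindered.

    Each rule is inserted at position 1 of INPUT and FORWARD so it is
    evaluated before any tarpit, rate-limit or silent-DROP rule; every other
    source on the internet still hits the hardened default policy, while the
    scanner gets truthful open/closed answers and can "find" the host.
    """
    rules: List[str] = []
    for net in ranges:
        for chain in ("INPUT", "FORWARD"):
            rules.append(
                f"iptables -I {chain} 1 -i {iface} -s {net} -j ACCEPT"
            )
    return rules


def looks_like_tarpit(port_states: Dict[int, str], threshold: float = 0.9) -> bool:
    """Flag the symptom the KB article describes: (almost) every probed port
    reports open because something in front of the host SYN/ACKs every SYN.

    port_states maps port number -> "open" | "closed" | "filtered".
    """
    if not port_states:
        return False
    open_count = sum(1 for state in port_states.values() if state == "open")
    return open_count / len(port_states) >= threshold


if __name__ == "__main__":
    # Print the rules so they can be reviewed before being applied.
    for rule in allowlist_rules():
        print(rule)
    # Constructed sample result: a tarpit answers every port as open.
    print(looks_like_tarpit({port: "open" for port in range(1, 1025)}))
```

Review the generated rules before applying them, and re-run the scan once the scanner ranges are exempted: a hardened box with nothing forwarded should then be reported as found with no open ports rather than as "no target hosts".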
Thanks for reaching out, Rick! Hold tight while I get you a quality answer to your question.
Hi, thank you! We are good now.