Security Basics mailing list archives
RE: Nessus Scan
From: "Erin Carroll" <amoeba () amoebazone com>
Date: Thu, 16 Aug 2007 19:57:44 -0700
Thanks for the response, Craig. A couple of notes below.

> Hello, No actually you are incorrect. PCI-DSS is not pass/fail. It is:
> - Pass
> - Scan issue found - adequate compensating controls exist
> - Compensating controls exist but are inadequate
> - Fail
> Either of the top 2 is acceptable.

I'm aware of this; I used generic PASS/FAIL for brevity.

> As for the IPS, Page 4 - Security Scanning Procedures v 1.1: "13. Arrangements must be made to configure the intrusion detection system/intrusion prevention system (IDS/IPS) to accept the originating IP address of the ASV. If this is not possible, the scan should be originated in a location that prevents IDS/IPS interference."

This is what bugs me about compliance-driven security. It could be worse (SOX anyone?), but while PCI is very explicit in most areas, the grey areas suck and/or cause confusion. My day job is for a very large mobile communications company. The auditors either made a decision that this wasn't relevant or ignored it completely. Try Qualys and IBM (ISS)... They say differently, or at least don't mention it. Since PCI external quarterly scanning has been required (Q1 2006), not *once* has a request been made to whitelist the scanning source IP on our IPS. Based on that experience I mistakenly assumed that whitelisting/bypassing the IPS was not required, especially when you consider that most ASVs utilize the Qualys tool to perform PCI testing, as its reporting structure meets PCI compliance guidelines. You would think Qualys themselves would have ensured that the scan process was per the PCI guideline.

> The idea is that the scan should test the underlying controls and not be solely reliant on the IDS/IPS device. The scanning vendor has to have you add them as a trusted host or filter your IP for the scan - it is a part of the test - it is a part of the compliance requirement. The PCI standard is designed to ensure that your site meets the minimum without the IPS. The IPS may then in some cases be a compensating control.

Again, we've received conflicting information. I'll have to look into this to make sure we've got our butts covered.

> And if you are reliant on the IDS/IPS alone to stop the scan, then as these are generally signature-based devices, you are open to new attacks. Hence the requirement to scan sans IPS.

Agreed. Layered security is the goal. PCI is just a process to reach it.
Current thread:
- Nessus Scan mikef (Aug 15)
- Re: Nessus Scan Chris Halverson (Aug 15)
- Re: Nessus Scan Erik Luken (Aug 16)
- RE: Nessus Scan Craig Wright (Aug 15)
- RE: Nessus Scan Erin Carroll (Aug 16)
- RE: Nessus Scan Craig Wright (Aug 16)
- RE: Nessus Scan Erin Carroll (Aug 17)
- RE: Nessus Scan Erin Carroll (Aug 16)
- Re: Nessus Scan Chris Halverson (Aug 15)
- RE: Nessus Scan Michael LaSalvia (Aug 15)
- RE: Nessus Scan Serge Vondandamo (Aug 16)
- Re: Nessus Scan David Jacoby (Aug 17)
- RE: Nessus Scan Chandresh Dedhia (Aug 16)
- <Possible follow-ups>
- Re: Nessus Scan levinson_k (Aug 16)
- Re: RE: Nessus Scan mikef (Aug 16)
- Re: Nessus Scan Steve Hillier (Aug 16)
- Re: Nessus Scan mikef (Aug 16)
- Re: Nessus Scan mikef (Aug 16)