Educause Security Discussion mailing list archives

Re: PCI


From: Sam Hooker <samuel.hooker () UVM EDU>
Date: Mon, 27 Jun 2011 12:36:26 -0400


Unless I've missed something, the DSS (2.0) itself doesn't precisely
define the "network vulnerability scans" referred to under requirement
11, at least not with respect to host discovery. On page 13 of the PCI
"Approved Scanning Vendors Program Guide"[1] (v1.0, dated March of 2010)
though, I find the following, under "ASV Scan Solution – Required
Components":

'Perform host discovery

The ASV scan solution must make a reasonable attempt to identify live
systems, including live systems that do not respond to ICMP echo
("ping") requests.'


Presuming the same standard applies to your internal scans, the question
then becomes: What constitutes "reasonable"?


Cheers,

-sth

[1]https://www.pcisecuritystandards.org/documents/asv_program_guide_v1.0.pdf

--
Sam Hooker | samuel.hooker () uvm edu
Systems Architecture and Administration
Enterprise Technology Services
The University of Vermont


On 20110627 11:44 , John Ladwig wrote:
DSS 2.0 clarifies that RFC1918 may be used in the CDE, *or* you may use global addresses, but then MUST NOT advertise 
those networks to the global Internet.  That latter is certainly doable for v6 networks, such as they exist.  There's 
still the nagging issue of almost no commercial gear implementing NAT66, which would also impact the ability to use 
Unique-local addressing for the CDE hosts.

Fortunately, my world seems to have no particular interest in moving to v6 in general, much less in our in-scope 
environments.

   -jml

"Curtis, Bruce" <Bruce.Curtis () NDSU EDU> 2011-06-27 10:01 wrote:

On Jun 27, 2011, at 9:41 AM, Jacobson, Dick wrote:

I attended an IPv6 seminar last week and am wondering if I heard something correctly. This did not register with me 
until after the seminar and since the seminar I have been looking for an email address for Johannes Ullrich (the 
instructor), but have not found one, and asked a few people around here about this.  I have not been able to get a 
half-way-confident answer so I am bringing the question here.
 
I think I heard that on an IPv6 network, you cannot be PCI compliant because (I think) the size of the address 
space makes it impossible to scan in a timely manner, as required. 
 
Does this question make sense?  Any comments/thoughts for me?

There are several things about PCI that do not make any sense.

  For example PCI requires that a network implement NAT.  Since there is no NAT in IPv6 PCI appears to have its head 
in the sand about the future of the Internet.  PCI does have some provisions for compensating methods so perhaps 
there is a way around the NAT requirements but it just seems silly that PCI has not considered the implications of 
IPv6.

  I'm less familiar with the PCI requirements on scanning but I have heard that there were issues with NIST or other 
government agency requirements and scanning but they may have made progress on those issues by now.

  Essentially it is impossible to scan all of the IPv6 addresses in a subnet from a remote host that is not on that 
subnet.  If the scan of an IPv6 subnet is performed from that subnet then there may be ways of scanning all active 
IPv6 hosts on that subnet.

http://www.ietf.org/rfc/rfc5157.txt 

---
Bruce Curtis                         bruce.curtis () ndsu edu 
Certified NetAnalyst II                701-231-8527
North Dakota State University        
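Added example (not part of the thread above, and not anyone's posted code): it puts numbers on Bruce's point that an exhaustive remote scan of an IPv6 subnet is infeasible, and shows the on-subnet alternative RFC 5157 points at, which also speaks to Sam's "what is reasonable" question. The `ip -6 neigh` output below is constructed sample data; the 2001:db8::/32 addresses are documentation prefixes, and the probe rate is an assumed figure.

```python
"""Why brute-force scanning a /64 is hopeless, and how a finite target list
can be built instead from the neighbor (NDP) table of a host on the subnet.
All addresses and table entries below are constructed sample data."""
import ipaddress
import re


def address_count(prefix: str) -> int:
    """Number of addresses in a CIDR prefix, e.g. 2**64 for an IPv6 /64."""
    return ipaddress.ip_network(prefix, strict=False).num_addresses


def exhaustive_scan_years(prefix: str, probes_per_second: float) -> float:
    """Years needed to send a single probe to every address in the prefix
    at the given (assumed) probe rate."""
    seconds = address_count(prefix) / probes_per_second
    return seconds / (365.25 * 24 * 3600)


# Constructed sample of `ip -6 neigh show` output, as seen from a host that
# sits on the scanned subnet.  Real output has the same field layout.
SAMPLE_NEIGH = """\
2001:db8:1::10 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
2001:db8:1::2f dev eth0 lladdr 00:11:22:33:44:02 STALE
2001:db8:1:0:a1b2:c3ff:fed4:e5f6 dev eth0 lladdr 00:11:22:33:44:03 DELAY
fe80::211:22ff:fe33:4401 dev eth0 lladdr 00:11:22:33:44:01 REACHABLE
2001:db8:1::77 dev eth0  FAILED
2001:db8:9::5 dev eth1 lladdr 00:11:22:33:44:09 REACHABLE
"""

# address, device, optional link-layer address, NDP state
NEIGH_RE = re.compile(r"^(\S+)\s+dev\s+(\S+)(?:\s+lladdr\s+(\S+))?\s+(\S+)$")

# NDP states that mean the neighbor has answered recently.
LIVE_STATES = {"REACHABLE", "STALE", "DELAY", "PROBE", "PERMANENT"}


def live_hosts_from_neigh(neigh_output: str, scope: str) -> list:
    """Return the neighbor-table addresses inside `scope` whose NDP state
    shows a recently seen host.  Link-local entries, FAILED entries and
    addresses outside the scope are skipped, so the result is a finite list
    a vulnerability scanner can be pointed at, regardless of whether those
    hosts answer ICMP echo."""
    net = ipaddress.ip_network(scope, strict=False)
    hosts = []
    for line in neigh_output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        addr, _dev, _lladdr, state = m.groups()
        ip = ipaddress.ip_address(addr)
        if ip.is_link_local or state not in LIVE_STATES or ip not in net:
            continue
        hosts.append(str(ip))
    return hosts


if __name__ == "__main__":
    rate = 1_000_000  # assumed: one million probes per second
    for prefix in ("192.0.2.0/24", "2001:db8:1::/64"):
        print(f"{prefix}: {address_count(prefix)} addresses, "
              f"{exhaustive_scan_years(prefix, rate):.3g} years at {rate}/s")
    print("on-subnet inventory:", live_hosts_from_neigh(SAMPLE_NEIGH, "2001:db8:1::/64"))
```

At a million probes per second a /64 still takes on the order of half a million years, which is why a scanner working from outside the subnet can only ever sample; a host on the subnet can instead read its neighbor table (or the router's, or DHCPv6 leases) and hand the scanner the addresses that are actually in use.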
