Penetration Testing mailing list archives

RE: VISA/Mastercard PCI Vendor Scanning requirements


From: "Michael Scheidell" <scheidell () secnap net>
Date: Fri, 3 Mar 2006 18:21:17 -0500


-----Original Message-----
From: Derek Nash [mailto:ddnash () gmail com] 
Sent: Thursday, March 02, 2006 9:52 PM
To: pen-test () securityfocus com
Subject: VISA/Mastercard PCI Vendor Scanning requirements


For those of you who are providing PCI-certified scanning, how 
are you complying with the requirement that "The vendor 
should ensure that it has an unfiltered communication path to 
the customer's environment." in order to avoid "Internet 
Service Provider Blocked Ports" that could "result in 
misleading report conclusions"?

At least it means not to use a consumer (home) cable modem or DSL
connection where the ISP may block certain 'bothersome' ports.

Some ISPs block ports such as 25, 111, 12345, 445, 139, etc. to block
spamming from infected hosts, spreading worms via infected hosts, etc.

In fact, a 'VPN' may give false positives, since you have more access to
the client's network than a normal, unprivileged user.

Example: a VPN may be able to access TCP port 445 on a web server (or
TCP port 80) and get NetBIOS-based information not available on the only
port opened to the public (say, port 443).

A VPN might access internal TCP/IP stacks (with predictable sequence
numbers), etc.

One interesting thing: they do suggest that, to avoid IPS or automated IP
shunning, the target network whitelist your IP addresses.

One thought is that it is more efficient to run the first set of
automated scans than actually do what a hacker might do ('0wn' 125,000
zombies to scan from).
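
An added example, not part of the original message: one way a scanning vendor could keep ISP-blocked ports from producing "misleading report conclusions" is to scan a control host alongside the customer and mark results on path-filtered ports as inconclusive. It assumes a hypothetical control host that the vendor runs outside its own ISP with a listener on every scanned port, and scan output in nmap's grepable (`-oG`) format; all addresses and results below are constructed.

```python
import re

# Constructed sample lines in nmap grepable (-oG) style. Addresses come from
# documentation ranges; the port states are invented for illustration.
CONTROL_SCAN = ("Host: 198.51.100.5 ()\tPorts: 25/filtered/tcp//smtp///, "
                "80/open/tcp//http///, 139/filtered/tcp//netbios-ssn///, "
                "443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///")
TARGET_SCAN = ("Host: 203.0.113.20 ()\tPorts: 25/filtered/tcp//smtp///, "
               "80/closed/tcp//http///, 139/filtered/tcp//netbios-ssn///, "
               "443/open/tcp//https///, 445/filtered/tcp//microsoft-ds///")

# Each entry is port/state/protocol/...; state may be e.g. "open|filtered".
PORT_RE = re.compile(r"(\d+)/([a-z|]+)/(tcp|udp)/")


def parse_ports(line):
    """Return {(port, proto): state} from one grepable 'Ports:' line."""
    _, _, ports = line.partition("Ports:")
    return {(int(p), proto): state for p, state, proto in PORT_RE.findall(ports)}


def blocked_on_path(control):
    """Ports not seen open on the control host (assumed to listen on all of them)."""
    return {key for key, state in control.items() if state != "open"}


def reconcile(target, blocked):
    """Report target states, downgrading non-open results on blocked ports."""
    report = {}
    for key, state in sorted(target.items()):
        if state != "open" and key in blocked:
            # The scanner's own path drops this port, so the target result
            # says nothing about the customer's exposure.
            report[key] = "inconclusive (scanner path filtered)"
        else:
            report[key] = state
    return report


if __name__ == "__main__":
    blocked = blocked_on_path(parse_ports(CONTROL_SCAN))
    for (port, proto), verdict in reconcile(parse_ports(TARGET_SCAN), blocked).items():
        print(f"{port}/{proto}: {verdict}")
```
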
