We've started having Trustwave do monthly PCI network vulnerability scans. The last couple months we've passed, but this month it failed for "Scan Interference Detected." This is their recommendation:

During the course of the scan, TrustKeeper detected a change in its ability to communicate with some services on the remote host. In some cases, this may be caused by network security devices actively blocking the vulnerability scan, which it may perceive as a threat. In other cases, an intermediate network device, or the host itself, may be unable to cope with the vulnerability scan.

It's often very difficult to tell the difference between these two scenarios, but in either case, this behavior significantly impacts the ability of this vulnerability scanning service to detect vulnerabilities on the remote host, resulting in an inconclusive vulnerability assessment. The PCI ASV Program Guide 1.0 requires that PCI ASV scan customers have a scan performed on all in-scope hosts without interference from IDS/IPS; if such interference is detected, then the ASV is required to fail the scan. Examples of products and devices that provide active measures that may interfere with the scan are firewalls and intrusion detection systems (IDS) with active countermeasures, intrusion prevention systems (IPS), web-application firewalls (WAF), and distributed denial-of-service (DDoS) mitigation products.

In order to achieve a conclusive vulnerability assessment of the remote host, the products and devices responsible for interfering with this scan may need to be temporarily configured to permit scanning without interference. This normally takes the form of adding the IP addresses of this scanning service to the "whitelist" of the product or device. Please ensure the following network blocks have full, unobstructed, access in order to more accurately perform a vulnerability scan: 204.13.201.0/24, 64.37.231.0/24.

I'm not exactly sure how to whitelist them. I set up a couple address objects in the WAN zone, but I'm not sure what to apply it to. I tried turning off "Stealth Mode" (due to an associated complaint of over 60,000 open ports, which is impossible) and I even went as far as to turn off IPS (I turned off protection but left on detection because I don't want to leave us totally exposed). However, the scans are still failing.

It does seem a bit ridiculous to turn off security in order to test security, but apparently that's now a normally accepted thing for PCI scans.

I've opened a support ticket with them, but the first guy I talked to had no idea what to do other than reading the same information I already had, and I'm waiting for a call back from their "scanning team." I'm hoping someone here has already figured this out on a Sonicwall and can help me better.


2 Answers

Include the provided ranges in the various exclusion lists. More precisely, you have to exclude the provided ranges from:

  • IPS/IDS
  • Application Firewall
  • Content Filter
  • Antivirus/Antispam
  • Application Control
  • Thanks. Some of those seemed unnecessary (Content Filter?) but I gave it a try. It still failed for the same given reason. – atariguy Jul 10 '15 at 20:47
  • Hi, some security services have non-obvious relations, so I suggested excluding the remote range from all of them. Just after trying (the failing) connection, do you see anything in the logs? If not, can you check that your logs are correctly collected? (Do a check on the log->categories and log->settings page.) – shodanshok Jul 11 '15 at 05:31
  • It's not really a failing connection that's the problem. It's a remote vulnerability scan that they claim is being interfered with (which actually means the firewall is doing its job, but apparently that's beside the point). And of course the logs are full of all kinds of associated activity during the scan, but nothing helpful without knowing what's happening on their end. I was just hoping someone here had solved a similar problem. – atariguy Jul 13 '15 at 15:11
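As an added example (not code from either answer), the log check shodanshok asks about can be done mechanically: pull every dropped connection whose source falls inside the two ASV ranges from the question and group the drops by the security service that logged them, which points at the exclusion list that still needs the ranges. The key=value log format and the sample lines are constructed to resemble firewall syslog output, not captured from a real SonicWall.

```python
import ipaddress
import re

# Scanner source ranges the ASV asked to have whitelisted (from the question).
ASV_RANGES = [ipaddress.ip_network("204.13.201.0/24"),
              ipaddress.ip_network("64.37.231.0/24")]

# Constructed sample log lines in a simplified key=value style; the message
# prefixes name the service that produced the event. Not a real device capture.
SAMPLE_LOG = """\
time="2015-07-10 14:02:11" msg="IPS Detection Alert: Possible Port Scan" src=204.13.201.17:41022 dst=203.0.113.10:443 action=drop
time="2015-07-10 14:02:12" msg="Connection Opened" src=198.51.100.7:51234 dst=203.0.113.10:443 action=allow
time="2015-07-10 14:02:15" msg="Application Control Prevention Alert" src=64.37.231.200:55110 dst=203.0.113.10:80 action=drop
time="2015-07-10 14:02:17" msg="Connection Opened" src=204.13.201.18:41100 dst=203.0.113.10:22 action=allow
time="2015-07-10 14:02:20" msg="Content Filter Alert: Blocked" src=204.13.201.19:41200 dst=203.0.113.10:8080 action=drop
"""

LINE_RE = re.compile(
    r'msg="(?P<msg>[^"]*)".*?\bsrc=(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?'
    r'.*?\baction=(?P<action>\w+)')

# Message prefix -> exclusion list named in the answer above.
SERVICE_PREFIXES = (("IPS", "IPS/IDS"),
                    ("Application Control", "Application Control"),
                    ("Application Firewall", "Application Firewall"),
                    ("Content Filter", "Content Filter"),
                    ("Anti-Virus", "Antivirus/Antispam"))

def is_asv_source(ip_str):
    """True if the address lies inside one of the ASV scanner ranges."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in ASV_RANGES)

def service_of(msg):
    """Map a log message to the security service that generated it."""
    for prefix, service in SERVICE_PREFIXES:
        if msg.startswith(prefix):
            return service
    return "Other"

def interfering_services(log_text):
    """Return {service: drop count} for drops sourced from the ASV ranges."""
    counts = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("action") != "drop":
            continue                      # skip unparsable lines and allows
        if not is_asv_source(m.group("src")):
            continue                      # traffic unrelated to the scan
        svc = service_of(m.group("msg"))
        counts[svc] = counts.get(svc, 0) + 1
    return counts

if __name__ == "__main__":
    for svc, n in sorted(interfering_services(SAMPLE_LOG).items()):
        print(f"{svc}: {n} dropped connection(s) from ASV ranges")
```

Any service that still shows up in the output during a scan window is one where the ranges have not taken effect in its exclusion list.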
I ended up fixing this problem by switching to a different company. SecurityMetrics had no trouble with our network. (And I never did hear back from Trustwave with anything helpful.)
