
I have questions regarding the PCI DSS requirements for quarterly external vulnerability scans by an ASV, specifically what public IPs I need to include in these scans.

The organization is a retail chain store (the questions pertain to the brick-and-mortar portion - not their eCommerce). There are no public facing services in any of the brick-and-mortar locations, other than for internal business needs (such as remote access [with 2FA], etc.).

My questions:

1) Some locations have external load balancers, to which several Internet lines connect (different ISPs). All these Internet lines are mapped to the same external interface of the perimeter firewall and are thus governed by the exact same firewall rules. So from a security perspective, scanning one of these IPs should be sufficient, but is this allowed per PCI DSS 3.0 (or 2.0)?

2) There are MPLS routers which do have public IPs, but they are not reachable from outside the MPLS. Do they need to be scanned?

3) There are routers that provide backup VPNs for the MPLS which have public IPs that only accept connections from the MPLS network (no ping, all ports filtered). Do they need to be scanned?

4) There are public IPs mapped to internal managed Intrusion Detection System (IDS) devices, which are only accessible to our IDS provider (both through IP & port restrictions in the perimeter firewall as well as through the security of the IDS devices). Do they need to be scanned?

Zek

2 Answers


These are questions you need to ask your assessor (or program manager if there's one leading the project).

Their opinion is the only one that matters.

  • This is an SAQ-D - with no assessor involved. Further, the times in the past when I have asked different QSAs for interpretation of unclear points on the SAQ-D, I have often wound up with as many different answers as number of QSAs I asked. Since this is a self-assessment, I tend to think it would be the PCI council's opinion that matters if something were to happen. But I was still hoping to get some guidance from someone who has more experience and knowledge in this area than I do. – Zek Jan 08 '14 at 03:33

I have spoken to an ASV as well as a QSA (from different companies), and the answer seems to be that you need to scan them all.

Reasoning for each point in my post:

1) In case of a reconfiguration in the future, the public IPs might get mapped differently.

2) In case of a misconfiguration, they might become reachable (but I am not sure if this is even possible with an MPLS network).

3) See #2 (but here the possibility of a misconfiguration is more real).

4) A misconfigured white-list might open the IPs for the IDS devices up to more than just the IDS provider.

Zek