We have been asked to turn off our anti-intrusion software and allow a specific IP address unrestricted access through our firewalls by a PCI DSS compliance scanning firm engaged by our merchant services contractor.
Does this make any sense?
Please, as the system/network administrator for your firm, try to get in touch directly with a techie counterpart from that PCI DSS compliance scanning firm, because that sounds like a lot of miscommunication and much detail getting lost in translation.
Rather than turning your intrusion prevention software completely off, you should probably whitelist that specific IP address so their scans don't get actively blocked once your intrusion detection/prevention system detects them.
As ceejayoz commented, you probably want them to be able to complete their scan.
As for unrestricted access through your firewall, that also seems unlikely. Their access should be similar to the ruleset that normally protects your systems: you don't need to open up more than usual, but you want to prevent your IPS from blacklisting them.
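One way to do that whitelisting when Suricata is the IPS, as an added example that is not part of the original answer: the scanner address 203.0.113.10 is a placeholder from the documentation range, and the real one comes from the scanning firm.

```suricata
# Added example (not from the original post): Suricata 'pass' rule for an ASV scanner.
# 203.0.113.10 is a placeholder; substitute the source address the scanning firm supplies.
# With the default action order (pass, drop, reject, alert) this rule is evaluated
# before any drop rule, so Suricata stops inspecting and dropping traffic from this
# one source and the scan is not blocked mid-run.
# It does NOT open anything: the packet filter's normal ruleset still decides which
# ports the scanner can reach, which is the "no more than usual" access described above.
pass ip 203.0.113.10 any -> $HOME_NET any (msg:"PCI ASV scanner - skip IPS drops for scan window"; sid:1000001; rev:1;)

# Remove or comment out the rule again once the agreed scan window has closed.
```

The equivalent in a ban-based tool is an ignore/allowlist entry for the same address; either way the change is scoped to the scanner's source IP, not to the IPS as a whole.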
Yes, this does make sense. The scan is intended to test for vulnerabilities in the services exposed to the Internet and not test the IPS functionality. Vulnerability scanners test these services at a very quick rate that is very "noisy" and trivial for an IPS to detect and block. True malicious attacks do not have the time restrictions that the vulnerability testers do and can run more covertly and possibly under the IPS threshold levels.
Running one test with the IPS functionality turned on and another with the IPS whitelisting the scanner IP address can provide validation that the IPS control is functioning properly.