Can these protocols/ciphers/attacks be blocked by MX65?

SOLVED
HOD-DBQ
Conversationalist

PCI (Payment Card Industry) scans our network through the MX65 to check for vulnerabilities. The scan itself is intended to check the web server that is used for accepting credit card payments and identify any vulnerabilities. We however do not have a web server and of course do not accept credit card payments in that way. We have a card reader that sits in the office and is connected via a USB port to a local PC. So the purpose of the scan is really meaningless for our setup. The scans fail because we have ports opened in the MX65 firewall settings to allow for Remote Desktop connections. None of these PCs ever have the card reader attached to them, so that is another reason why the scans are meaningless. The scan is able to connect through these ports and establish connections using methods that are now considered security risks. What I'm trying to figure out is if I can stop these connections by disabling these at the MX65? Then our scan would not have any failures.

Here are the 4 that I want to focus on:
1. TLS 1.0
2. CVE-2016-2183 (SWEET32 attack)
3. CVE-2013-2566 (RC4 ciphers)
4. CVE-2016-0800 (SSLv2 protocol)
Can any of these be blocked at the Meraki MX65 router so they won't show as failures?


Thank you.

Dave


1 ACCEPTED SOLUTION
PhilipDAth
Kind of a big deal

Get rid of all the port forwards and use the client VPN functionality.


https://documentation.meraki.com/MX-Z/Client_VPN/Client_VPN_Overview


3 REPLIES

The open ports method was kind of grandfathered in when we switched routers. We've always been a bit concerned about the security. We've used the VPN clients for other access and now we will be using it completely and, as you say, get rid of the port forwards. I've already tested it and it works. And of course, this will also eliminate any scan failures we would have with PCI, which is what got me started in the first place. Thanks for your help.

PhilipDAth
Kind of a big deal

PPS. It is really bad if you have something that still has SSLv2 enabled. Really bad.
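Removing the port forwards takes the RDP hosts off the scan, but the four items in the original list (SSLv2, TLS 1.0, RC4, 3DES/SWEET32) and the SSLv2 point above are still settings on the hosts themselves, not on the MX. The following is an added example, not from this thread or from Meraki, that turns those four off in SCHANNEL on a Windows host serving RDP; it assumes Windows with RDP using the TLS security layer, an elevated PowerShell session, and that nothing else on the host still depends on TLS 1.0.

```powershell
# Added example: disable the protocols and ciphers flagged in the PCI scan
# (SSLv2 CVE-2016-0800, TLS 1.0, RC4 CVE-2013-2566, 3DES/SWEET32 CVE-2016-2183)
# in SCHANNEL on a Windows RDP host. Assumes an elevated session; SCHANNEL
# changes take effect after a reboot.
$schannel = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocols to disable (items 1 and 4 in the scan list).
$protocols = @('SSL 2.0', 'TLS 1.0')

# Ciphers to disable: all RC4 key lengths (item 3) and Triple DES (item 2).
# These key names contain '/', which the PowerShell registry provider treats
# as a path separator, so the .NET registry API is used instead of New-Item.
$ciphers = @('RC4 128/128', 'RC4 64/128', 'RC4 56/128', 'RC4 40/128', 'Triple DES 168')

$hklm  = [Microsoft.Win32.Registry]::LocalMachine
$dword = [Microsoft.Win32.RegistryValueKind]::DWord

foreach ($p in $protocols) {
    $key = $hklm.CreateSubKey("$schannel\Protocols\$p\Server")
    $key.SetValue('Enabled', 0, $dword)            # hard-disable
    $key.SetValue('DisabledByDefault', 1, $dword)  # and do not offer it
    $key.Close()
    Write-Host "Disabled server-side protocol: $p"
}

foreach ($c in $ciphers) {
    $key = $hklm.CreateSubKey("$schannel\Ciphers\$c")
    $key.SetValue('Enabled', 0, $dword)
    $key.Close()
    Write-Host "Disabled cipher: $c"
}

# Audit what is now explicitly disabled before rebooting, so the change can be
# reviewed on a test host first.
Get-ChildItem "HKLM:\$schannel\Protocols" -Recurse |
    Get-ItemProperty |
    Select-Object PSPath, Enabled, DisabledByDefault
```

Apply it on one host and reconnect over RDP before rolling it out, because disabling TLS 1.0 server-side breaks RDP from clients that cannot negotiate TLS 1.1 or 1.2.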
