PCI VA Scan results and port traffic

floridanativ
Here to help

We recently had all 28 of our networks scanned for vulnerabilities as part of our annual PCI audit. We have the same model MX and the same firewall rules in place on all 28 networks. The findings were interesting. Almost exactly half of the networks failed the scan due to vulnerabilities for TCP traffic on port 80.

 

[Attached image: port 80 fails.JPG]

If my firewall rules are all the same, and the devices on the network are 95% the same, why would half of the networks fail the scans and the other half pass?

Why doesn't IDS or IPS see the port scanning and block it?

I'm sure there are a million variables that could cause the pass/fail variances between theoretically identical network configs; despite that, any ideas would be helpful.

6 REPLIES
jdsilva
Kind of a big deal

Your scan is probably being triggered by the Local Status Page on the MX.

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_M...

You can disable it under Network-wide > General if you're not using them.

There was a security vuln with these pages last year as well. Are all your MX on the same version?

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki
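One way to test the hypothesis above across all 28 networks at once is to pull each network's status-page settings from the Dashboard API and join them against the list of networks the ASV scan failed on TCP/80. The script below is an added example written for this thread, not code from the original post or from Meraki. It assumes the Dashboard API v1 endpoints `GET /organizations/{orgId}/networks` and `GET /networks/{networkId}/settings` and the settings fields `localStatusPageEnabled` / `remoteStatusPageEnabled` (check these against the current API documentation); the network names, ids and scan results it runs on by default are constructed sample data.

```python
"""Correlate MX status-page settings with PCI scan failures on TCP/80.

Added example (not from the thread). Endpoint paths, header name and the
'localStatusPageEnabled' / 'remoteStatusPageEnabled' field names are
assumptions about Meraki Dashboard API v1; verify before relying on them.
"""
import json
import os
import urllib.request
from typing import Callable, Dict, List, Set

API_BASE = "https://api.meraki.com/api/v1"  # assumed v1 base URL


def meraki_get(path: str, api_key: str):
    """GET a Dashboard API path and return the decoded JSON body (live use only)."""
    req = urllib.request.Request(
        API_BASE + path,
        headers={"X-Cisco-Meraki-API-Key": api_key, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def audit_status_pages(networks: List[Dict], settings_for: Callable[[str], Dict],
                       failed_scan: Set[str]) -> List[Dict]:
    """Join each network's status-page flags with its scan outcome.

    networks:     list of {"id": ..., "name": ...} as the networks endpoint returns
    settings_for: callable returning the settings dict for a network id
    failed_scan:  names of the networks the ASV scan failed on TCP/80
    """
    rows = []
    for net in networks:
        settings = settings_for(net["id"])
        rows.append({
            "name": net["name"],
            "local_status_page": bool(settings.get("localStatusPageEnabled", False)),
            "remote_status_page": bool(settings.get("remoteStatusPageEnabled", False)),
            "failed_port80": net["name"] in failed_scan,
        })
    return rows


def likely_explained(rows: List[Dict]) -> List[str]:
    """Failed networks whose MX answers the status page on its WAN address."""
    return [r["name"] for r in rows if r["failed_port80"] and r["remote_status_page"]]


def unexplained_failures(rows: List[Dict]) -> List[str]:
    """Failed networks with the remote status page already off; these need a
    different explanation (inbound NAT, firmware version, another listener)."""
    return [r["name"] for r in rows if r["failed_port80"] and not r["remote_status_page"]]


# Constructed sample data (not real network ids or scan results).
SAMPLE_NETWORKS = [
    {"id": "N_1", "name": "Store-01"},
    {"id": "N_2", "name": "Store-02"},
    {"id": "N_3", "name": "Store-03"},
    {"id": "N_4", "name": "Store-04"},
]
SAMPLE_SETTINGS = {
    "N_1": {"localStatusPageEnabled": True, "remoteStatusPageEnabled": True},
    "N_2": {"localStatusPageEnabled": True, "remoteStatusPageEnabled": False},
    "N_3": {"localStatusPageEnabled": True, "remoteStatusPageEnabled": True},
    "N_4": {"localStatusPageEnabled": False, "remoteStatusPageEnabled": False},
}
SAMPLE_FAILED = {"Store-01", "Store-03", "Store-04"}


if __name__ == "__main__":
    api_key = os.environ.get("MERAKI_API_KEY")
    org_id = os.environ.get("MERAKI_ORG_ID")
    if api_key and org_id:
        # Live mode: the failing-network list comes from your ASV report.
        failed = set(os.environ.get("FAILED_NETWORKS", "").split(","))
        nets = meraki_get(f"/organizations/{org_id}/networks", api_key)
        rows = audit_status_pages(
            nets, lambda nid: meraki_get(f"/networks/{nid}/settings", api_key), failed)
    else:
        rows = audit_status_pages(SAMPLE_NETWORKS, SAMPLE_SETTINGS.__getitem__, SAMPLE_FAILED)
    for r in rows:
        print(f"{r['name']:<10} remote_page={r['remote_status_page']!s:<5} "
              f"failed_port80={r['failed_port80']}")
    print("explained by remote status page:", likely_explained(rows))
    print("still unexplained:", unexplained_failures(rows))
```

Run with `MERAKI_API_KEY`, `MERAKI_ORG_ID` and a comma-separated `FAILED_NETWORKS` list to audit a real organization; without them it runs on the constructed sample. The "still unexplained" list is the useful output: if every failing network has the remote status page enabled, the fix is the Network-wide > General setting; any network that failed with it already off points at something else, such as an inbound NAT rule or a firmware difference.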

SoCalRacer
Kind of a big deal

Are there web servers or web services behind those networks that failed? The vulnerability could be found with those applications/services and not the MX, if it is allowing the traffic needed.

This was a scan from the outside, right? And the MXs have a NAT from the outside to a server on the inside?

As @SoCalRacer says, this is probably an issue on those servers.

@PhilipDAth yes, scan from the outside, no NAT to a server on the inside; in fact, no servers on this network.

No web servers or failing web services.
