Meraki

Community

PCI VA Scan results and port traffic

floridanativ
Here to help
‎Jan 7 2020 8:54 AM
‎Jan 7 2020 8:54 AM

PCI VA Scan results and port traffic

We recently had all 28 of our network scanned for vulnerabilities as part of our annual PCI audit.  We have the same model MX and the same firewall rules in place on all 28 networks.  The findings were interesting.  Almost exactly half of the networks failed the scan due to vulnerabilities for TCP traffic on port 80.

 

port 80 fails.JPG

 

 

 

 

 

 

 

 

If my firewall rules are all the same, and the devices on the network are 95% the same, why would half of the networks fail the scans and the other half pass?

 

Why doesn't IDS or IPS see the port scanning and block it?

 

I'm sure there are a million variables that could cause the pass/fail variances between theoretically identical network configs, despite that any ideas would be helpful.

 

 

0 Kudos
6 Replies 6
jdsilva
Kind of a big deal
‎Jan 7 2020 9:00 AM
‎Jan 7 2020 9:00 AM

Your scan is probably being triggered by the Local Status Page on the MX. 

 

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Using_the_Cisco_M...

 

You can disable it under Network-wide > General if you're not using them. 

 

There was a security vuln with these pages last year as well. Are all your MX on the same version? 

 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki

http://blog.brokennetwork.ca | @jdsilva
0 Kudos
SoCalRacer
Kind of a big deal
‎Jan 7 2020 9:02 AM
‎Jan 7 2020 9:02 AM

Are there webserver or webservices behind those networks that failed? Vulnerability could be found with those applications/services and not the MX, if it allowing the traffic needed.

In response to SoCalRacer
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Jan 7 2020 10:43 AM
‎Jan 7 2020 10:43 AM

This was a scan from the outside right?  And the MX's have a NAT from the outside to a server on the inside?

 

As @SoCalRacer says, this is probably an issue on those servers.

0 Kudos
In response to PhilipDAth
floridanativ
Here to help
‎Jan 7 2020 2:00 PM
‎Jan 7 2020 2:00 PM

@PhilipDAth yes scan from the outside, no NAT to server on the inside, in fact no servers on this network.

0 Kudos
In response to SoCalRacer
floridanativ
Here to help
‎Jan 7 2020 1:59 PM
‎Jan 7 2020 1:59 PM

no web servers or failing web services

0 Kudos
In response to floridanativ
SoCalRacer
Kind of a big deal
‎Jan 7 2020 2:08 PM
‎Jan 7 2020 2:08 PM

Might check some of these resources

 

https://documentation.meraki.com/MX/Client_VPN/MX_Security_Audit_Failed_-_Recommended_Steps

 

https://documentation.meraki.com/MR/Other_Topics/PCI_Compliance_with_Meraki

 

https://documentation.meraki.com/zGeneral_Administration/Privacy_and_Security/Privacy_Concerns_and_R...

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.