how does this work? Modems/IPs/PCI Scans



  • If you're failing PCI audits, it's likely because you have UPNP enabled on one or more firewalls, and the computers behind those firewalls are poking holes through your firewall - either that, or whomever setup the firewalls did port forwarding - OR the firewalls were hacked, and a hacker opened the ports.



  • @Dashrender Great drawing! Makes it easier to visualize.

    Good reminder on UPnP, btw! Had forgot about that one.

    UPnP is for home use and has no place in a business setting. That's the drawback with home equipment. There is a lot of stuff you need to disable and a lot of stuff you can't do at all.



  • @WrCombs The only thing the PCI firewall is doing is preventing the PC on 192 network from attacking it directly. Because it's on the 192 network, it could still act as a MiTM if it was able to shim its way in there. So the PCI network is not as protected as it could be.

    Instead the firewall/cable modem should be setup with two internal networks (if possible - which is not likely) then the 192 computer couldn't get in the middle to be a MiTM.



  • @Dashrender said in how does this work? Modems/IPs/PCI Scans:

    Instead the firewall/cable modem should be setup with two internal networks (if possible - which is not likely) then the 192 computer couldn't get in the middle to be a MiTM.

    Or perhaps even better, the cable modem set to bridge mode and the 192.168.... connected as a second lan on the PCI firewall.



  • @Dashrender said in how does this work? Modems/IPs/PCI Scans:

    It sounds like your network looks like this
    bd0e3583-7483-4178-9c35-139914964619-image.png

    This sounds like exactly what he has.

    @WrCombs said in how does this work? Modems/IPs/PCI Scans:

    then chances are it's scanning the right PC and the fail is on the FW - right?

    It is 100% impossible for a server on the public internet to scan through a NAT device without something else at play. WTF ever PCI scanner you are using on the internet is not seeing anything on the first internal network. Let alone anything on the double nat'd network.



  • @Dashrender said in how does this work? Modems/IPs/PCI Scans:

    @WrCombs The only thing the PCI firewall is doing is preventing the PC on 192 network from attacking it directly.

    Correct

    @Dashrender said in how does this work? Modems/IPs/PCI Scans:

    Because it's on the 192 network, it could still act as a MiTM if it was able to shim its way in there.

    Nothing on the 192 network can simply MiTM. You can easily pcap the data though.

    You could then use the knowledge gained from that to spoof DNS or IP and then begin to get data with some sort of MiTM.

    @Dashrender said in how does this work? Modems/IPs/PCI Scans:

    So the PCI network is not as protected as it could be.

    It is not secure at all. this is a 100% fail.



  • @Pete-S said in how does this work? Modems/IPs/PCI Scans:

    Or perhaps even better, the cable modem set to bridge mode and the 192.168.... connected as a second lan on the PCI firewall.

    This is the only secure method.

    You have to remove any network between the internet and the PCI firewall.

    Note, you don't need VLAN. You can just use two ports like in my next post.

    69f45bc4-b8f0-4f14-b9d3-46256d47908a-image.png



  • Actual setup that I have at the site I am sitting at now.

    F02E32E6-EB02-4A64-AC58-660C84C447E0.jpeg

    Only device on PCI LAN
    CB623AFA-DF20-4D16-82B3-933A07A2AFD1.jpeg

    Firewall rules drop 100% traffic from LAN to PCI LAN and PCI LAN to LAN.



  • Here is the config for that.

    [email protected]# show interfaces 
     ethernet eth0 {
         address 12.XXX.XXX.XXX/30
         description "AT&T FIber"
         duplex full
         firewall {
             in {
                 name WAN_IN
             }
             local {
                 name WAN_LOCAL
             }
         }
         speed 100
     }
     ethernet eth1 {
         duplex auto
         speed auto
     }
     ethernet eth2 {
         address 10.202.8.1/29
         description "PCI LAN"
         duplex auto
         firewall {
             in {
                 name PCI_IN
             }
             local {
                 name PCI_LOCAL
             }
         }
         speed auto
     }
     ethernet eth3 {
         address 10.202.0.1/23
         description "FSL LAN"
         duplex auto
         firewall {
             in {
                 name LAN_IN
             }
             local {
                 name LAN_LOCAL
             }
         }
         speed auto
         vif 10 {
             address 10.202.10.1/24
             description "Guest Wireless"
             firewall {
                 in {
                     name Public_WiFi_IN
                 }
                 local {
                     name Public_WiFi_LOCAL
                 }
             }
         }
         vif 20 {
             address 10.202.11.1/24
             description "Security Cameras"
             mtu 1500
         }
     }
     loopback lo {
     }
    
     name PCI_IN {
         default-action accept
         description "Network for PCI Devices"
         rule 10 {
             action drop
             description "Block SMTP"
             destination {
                 group {
                     port-group SMTP_Ports
                 }
             }
             log disable
             protocol tcp
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
         rule 20 {
             action drop
             description "Allow access to gateway"
             destination {
                 group {
                     address-group ADDRv4_eth2
                 }
             }
             log disable
             protocol tcp
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
         rule 30 {
             action drop
             description "Block Access to LAN"
             destination {
                 group {
                     address-group 10_0_0_0_8
                 }
             }
             log disable
             protocol all
         }
     }
     name PCI_LOCAL {
         default-action drop
         description "Devices on PCI Network"
     }
    
     name LAN_IN {
         default-action accept
         description "LAN in to other interfaces"
         rule 10 {
             action accept
             description "Devices Allowed SMTP"
             destination {
                 group {
                     port-group SMTP_Ports
                 }
             }
             log disable
             protocol tcp
             source {
                 group {
                     address-group Email_Servers
                 }
             }
             state {
                 established enable
                 invalid disable
                 new enable
                 related enable
             }
         }
         rule 40 {
             action drop
             description "Drop all other SMTP"
             destination {
                 group {
                     port-group SMTP_Ports
                 }
             }
             log enable
             protocol tcp
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
         rule 50 {
             action drop
             description "Drop all to PCI LAN"
             destination {
                 group {
                     address-group NETv4_eth2
                 }
             }
             log disable
             protocol all
             state {
                 established enable
                 invalid enable
                 new enable
                 related enable
             }
         }
     }
    


  • Few if any consumer level firewalls will provide the split like Jared is showing.

    But a super cheap ER-X from Ubiquiti can do this very easily, as Jared's examples show.



  • I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.



  • @scotth said in how does this work? Modems/IPs/PCI Scans:

    I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.

    This assumes you can get two ip from the isp.



  • @Dashrender said in how does this work? Modems/IPs/PCI Scans:

    @scotth said in how does this work? Modems/IPs/PCI Scans:

    I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.

    This assumes you can get two ip from the isp.

    You could also put one firewall behind the other. This happens a lot. The idea is to get the transaction(s) secure and to make absolutely sure that the PCI compliance is on the shoulders of the payment processor as much as possible. Audits are their responsibility. Remediation is their responsibility. Secure transactions are their responsibility.

    EDIT: This does not exclude you (meaning anyone) from properly securing your own environment. Put the onus where it belongs.



  • @JaredBusch example also is great for home use if you have IoT devices. I have an ERL behind a cable modem and this keeps everything I want separated from my normal LAN.



  • @brandon220 said in how does this work? Modems/IPs/PCI Scans:

    @JaredBusch example also is great for home use if you have IoT devices. I have an ERL behind a cable modem and this keeps everything I want separated from my normal LAN.

    That is a good way to practice this for business use