Whitelist IP Range in Asus IPS / Active Protection System / Firewall for Retail POS PCI Compliance

Discussion in 'General Network Security' started by Adam Siemiginowski, Dec 7, 2018.

  1. Adam Siemiginowski

    Adam Siemiginowski Occasional Visitor

    Joined:
    Sep 3, 2017
    Messages:
    29
    Hey All!

    I must allow Trustwave (a 3rd party compliance scanner for retail POS for credit cards) Whitelisted Access to our router and network, so that they can complete a scan of our network for PCI Compliance on our network hosting a retail POS accepting credit cards.

    Currently, my ASUS RT-AC87U blocks all incoming traffic, SO, they cannot enter the network and do a complete PCI security scan.

    I do not see an option to whitelist them, as they requested in the message directly below. Any advice?

    They advised I could explain that there is no way to whitelist them, which I have tried for several months, and they still are pushing to get access.

    Best,
    Adam

     
  2. ColinTaylor

    ColinTaylor Part of the Furniture

    Joined:
    Mar 31, 2014
    Messages:
    8,263
    Location:
    UK
    I think they are referring to this. So in the context of your router they would be talking about Asus' AiProtection potentially blocking their connection attempts. What they are not talking about is your router's firewall (unless perhaps its "DoS protection" is being triggered).

    https://www2.trustwave.com/rs/815-RFM-693/images/Updating_a_Scan_Target_Host_Not_Detected.mp4

    Have you tried turning off AiProtection or looking in its logs whilst they are doing their scans?

    It might be worth asking them whether their scanning will work on networks that are behind a NAT (which I assume yours is).
     
    Last edited: Dec 7, 2018
  3. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    30,226
    Location:
    Canada
    So to test your security, they want you to disable your security solution?

    "I need to test your firewall, please make sure your firewall whitelists us so we can bypass it".

    After my first recent experience with a PCI compliance procedure, I am less than impressed by the whole thing, which sounds almost like a scam in itself, some of the requirements being flat out unrealistic (and doing very little in some cases security-wise).
     
  4. Adam Siemiginowski

    Adam Siemiginowski Occasional Visitor

    Joined:
    Sep 3, 2017
    Messages:
    29
    I am still working to resolve this.

    Trustwave closes any open dispute to a scan failure every month - when a new automatic scan occurs. This is their stated policy.

    If you report a dispute a week after the scan, and Trustwave has not asked all their questions before the next cycle, they close your dispute. This is their stated pol

    In September, for example, they sent me the 5th email for the month on the 26th, and the automatic scan occurred on the 29th, so all my work was closed. (Emails 3-5 were the same question, regarding whitelisting my IPS - which I said I could not - hence my original post above.)

    The problem here is that Upserve POS hires Trustwave to complete the PCI scan. They have no financial incentive to improve the process, if its users are not PCI Compliant, they charge them $20/month. I am not sure if this eliminates any of their liability due to data leaks, if they were to occur, which if it does, it's an additional revenue stream that also provides insurance.

    Do you have any stories about Trustwave or PCI Compliance with Upserve POS? Or another supplier?
     
  5. Adam Siemiginowski

    Adam Siemiginowski Occasional Visitor

    Joined:
    Sep 3, 2017
    Messages:
    29
    I have not volunteered to turn off my IPS while they do a scan, in order to protect my network and assets. This would be a last resort - and is a good suggestion for that. I will review the logs during their next scan, and report back here.

    I will ask if their scanning works on networks behind a NAT, after they stop asking me for more details on my IPS. (See my thread response directly above this - if they don't complete their due diligence before the next automatic scan, my open dispute gets closed - and we start over. I'm not going to spend a week - their typical response time - to ask them a question and slow them down further.) I will ask them once I have a passing result.