Whitelist IP Range in Asus IPS / Active Protection System / Firewall for Retail POS PCI Compliance

[Adam Siemiginowski]

Hey All!

I must allow Trustwave (a 3rd party compliance scanner for retail POS for credit cards) Whitelisted Access to our router and network, so that they can complete a scan of our network for PCI Compliance on our network hosting a retail POS accepting credit cards.

Currently, my ASUS RT-AC87U blocks all incoming traffic, SO, they cannot enter the network and do a complete PCI security scan.

I do not see an option to whitelist them, as they requested in the message directly below. Any advice?

They advised I could explain that there is no way to whitelist them, which I have tried for several months, and they still are pushing to get access.

Best,
Adam

In order to obtain a passing scan result you need to make sure that your IPS is not interfering with our scan results.

You can achieve that by whitelisting our IPs:

64.37.231.0/24 (64.37.231.1 through 64.37.231.254)

in your IPS. Please mind that this whitelisting should be done only in the active protection systems, you do not need to open up your firewall on top of that.

Alternatively, in case your network is configured in a way that will not allow our scanner to scan your network regardless of your IPS settings, that is also perfectly fine and you welcome to explain that in a dispute.

 

[ColinTaylor]

I think they are referring to this. So in the context of your router they would be talking about Asus' AiProtection potentially blocking their connection attempts. What they are not talking about is your router's firewall (unless perhaps its "DoS protection" is being triggered).

https://www2.trustwave.com/rs/815-RFM-693/images/Updating_a_Scan_Target_Host_Not_Detected.mp4

Have you tried turning off AiProtection or looking in it's logs whilst they are doing their scans?

It might be worth asking them whether their scanning will work on networks that are behind a NAT (which I assume yours is).

 

[RMerlin]

So to test your security, they want you to disable your security solution?

"I need to test your firewall, please make sure your firewall whitelists us so we can bypass it".

After my first recent experience with a PCI compliance procedure, I am less than impressed by the whole thing, which sounds almost like a scam in itself, some of the requirements being flat out irrealistic (and doing very little in some case security-wise).

 

[Adam Siemiginowski]

I am still working to resolve this.

Trustwave closes any open dispute to a scan failure every month - when a new automatic scan occurs. This is their stated policy.

If you report a dispute a week after the scan, and Trustwave has not asked all their questions before the next cycle, they close your dispute. This is their stated pol

In September, for example, they sent me the 5th email for the month on the 26th, and the automatic scan occurred on the 29th, so all my work was closed. (Emails 3-5 were the same question, regarding whitelisting my IPS - which I said I could not - hence my original post above.)

The problem here is that Upserve POS hires Trustwave to complete the PCI scan. They have no financial incentive to improve the process, if its users are not PCI Compliant, they charge them $20/month. I am not sure if this eliminates any of their liability due to data leaks, if they were to occur, which if is does, its an additional revenue stream that also provides insurance.

Do you have any stories about Trustwave or PCI Compliance with Upserve POS? Or another supplier?

 

[Adam Siemiginowski]

Have you tried turning off AiProtection or looking in it's logs whilst they are doing their scans?

It might be worth asking them whether their scanning will work on networks that are behind a NAT (which I assume yours is).

I have not volunteered to turn off my IPS while they do a scan, in order to protect my network and assets. This would be a last resort - and is a good suggestion for that. I will review the logs during their next scan, and report back here.

I will ask if their scanning works on networks behind a NAT, after they stop asking me for more details on my IPS. (See my thread response directly above this - if they don't complete their due diligence before the next automatic scan, my open dispute gets closed - and we start over. I'm not going to spend a week - their typical response time - to ask them a question and slow them down further.) I will ask them once I have a passing result.