WRVS4400N PCI compliance

I keep failing my PCI compliance test. I have a WRVS4400N and I keep getting "firewall udp packet source port 53 ruleset bypass". I've blocked port 53 but keep getting rejected. Any ideas on how to set the router? Thanks

Hi jefftreece and welcome to the Cisco Home Community!
The WRVS4400N is handled by the Cisco Small Business Support Community.
For discussions about this product, please go here.
https://supportforums.cisco.com/community/netpro/small-business

Similar Messages

  • Failing PCI Compliance Scan - SSL Weak...

    Hello,
    I currently use the WRVS4400n v2 (latest update) for my small business. I store and transmit data that contains credit card information and need to be PCI compliant. Regardless of which settings I change on the router, like turning off remote management, I keep failing the scan. ControlScan uses Nessus and the results are below (2 vulnerabilities).
    I did some research and spent some time with Cisco Sales Chat and they recommended an ASA5500, only to realize that it too had the same vulnerabilities. I did more research and it seemed that the SA520w (I need wireless) would do it, but I found a thread on this forum saying that a client who had the SA520w did not pass the scan, failing due to an SSL vulnerability (need v3+ ?). The thread is at https://supportforums.cisco.com/thread./2060512
    Question: What router/appliance should I use to be PCI compliant? There has to be something, we're talking, this is Cisco.
    Thank you in advance for your help,
    Christophe
    Threat ID: 126928
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Weak Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 126928
    Information From Target:
    Here is the list of weak SSL ciphers supported by the remote server :
    Low Strength Ciphers (< 56-bit key)
    SSLv2
    EXP-RC2-CBC-MD5            Kx=RSA(512)   Au=RSA     Enc=RC2(40)      Mac=MD5    export    
    EXP-RC4-MD5                Kx=RSA(512)   Au=RSA     Enc=RC4(40)      Mac=MD5    export    
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of weak ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    Threat ID: 142873
    Details:
    IP Address: XX.XXX.X.XXX
    Host: XX.XXX.X.XXX
    Path:
    THREAT REFERENCE
    Summary:
    SSL Medium Strength Cipher Suites Supported
    Risk: High (3)
    Type: Nessus
    Port: 60443
    Protocol: TCP
    Threat ID: 142873
    Information From Target:
    Here are the medium strength SSL ciphers supported by the remote server :
    Medium Strength Ciphers (>= 56-bit and < 112-bit key)
    SSLv2
    DES-CBC-MD5                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=MD5   
    SSLv3
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    TLSv1
    DES-CBC-SHA                Kx=RSA        Au=RSA     Enc=DES(56)      Mac=SHA1  
    The fields above are :
    {OpenSSL ciphername}
    Kx={key exchange}
    Au={authentication}
    Enc={symmetric encryption method}
    Mac={message authentication code}
    {export flag}
    Solution:
    Reconfigure the affected application if possible to avoid use of medium strength ciphers.
    Details:
    The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.

    Chris,
    As I understand it, right now none of the Small Business routers are PCI compliant ever since PCI 3.0 was released. To overcome this, you'll need to forward any ports you are failing on to a ghost IP (any IP address that isn't being used). If you are using those ports, then you will lose that service, as the router isn't PCI 3.0 compliant.
    Jason
    I do believe the ASA5505 is PCI 3.0 compliant.

  • SAP Short Dumps and PCI Compliance

    We've run into an issue with our PCI Compliance audit around being able to see unencrypted credit cards in short dump messages in SAP.  Has anyone run into this issue?
    Only work around I've got at this point is to restrict all access to short dumps and require many documented signoffs before turning on and off access to a short dump.  This is pretty cumbersome, and still leaves a hole in my overall security.
    We've managed to purge restricted CC data from our XI logging, and done everything right with encryption, but this short dump issue just doesn't seem to have a solution.
    Can anyone help?  We're on 6.0.
    Thanks!

    Hi David,
    This is an interesting situation you have described. ABAP short dumps, or run-time errors as they are also known, are unhandled exceptions during program execution. The conditions that cause such exceptions are unknown or cannot be handled at run-time. To help analyze what went wrong with the said program during execution, it is necessary for the dump to contain all possible information including data values passed between programs when the error occurs. Encryption of restricted data values is a program step in itself. If the dump were to occur after this step then of course it would contain encrypted CC info. Unfortunately in your case it exposes restricted CC info because the dump occurs BEFORE this step.
    I don't believe there is a way to prevent this from happening -- for the same reason that the program logic does not know at run-time how to "handle" the exception. If occurrences of such dumps are fairly common in your system, you may want to investigate the likely causes -- for example, missing or incorrect customization. Analyzing the short dumps will probably give you a clue. Your customization team may be able to identify a pre-condition that causes this unhandled exception. If this exception can then be handled (via a program change) that returns a meaningful error instead of a short dump, you would be able to close the security hole. This however entails modification to SAP standard code. I don't usually recommend such changes, but given the sensitive nature of your data it may be worth consideration.
    I personally advocate restricted access to ST22. The steps you have undertaken to enforce this may be cumbersome despite efforts to keep it simple. I suppose that's the price we pay in administering the system. If you have not already done so, you may also want to ensure that short dumps that contain restricted CC info are not saved (using the "Keep" feature in ST22) for easy retrieval at a later point in time or, if they are saved, that they are available only to 'restricted eyes'. Short dumps are normally saved in the system for 7 or 14 days (not sure of exact # of days). The bigger challenge in my opinion is: How do you prevent the restricted info from being viewed by the user who during the course of program/transaction execution encounters the said short dump? No amount of security controls around ST22 will mitigate this risk. The only option that remains is program change (as mentioned above). But to get there you first need to know what causes the exception.
    Regards.
    Ashutosh

  • Pci compliance for very small biz using mac and ipad

    I run a very SMALL business. We have one MacBook, an iPad and an iPhone. We run everything through a second party merchant card processor/software (mindbody). However, according to the PCI compliance survey I just finished, I am supposed to run quarterly internal scans for vulnerabilities. Does antivirus software do this?
    Also, what firewall settings do I need on my mac to be PCI compliant?
    I know this may be a very simple question, but the PCI survey assumes everyone has an IT department with a ton of policies and procedures. Trying to figure out how to be compliant as a super small business without all that infrastructure.

    Anti-virus software would not do PCI vulnerability scanning. You need specialized software to do that. Unfortunately, I cannot recommend specific software. My wife's small business was wrestling with PCI issues some time ago, and they're currently not doing any kind of internal scans. I don't know why not. They do get scanned externally periodically, to look for vulnerabilities in their setup that could allow people outside their network to gain access.
    PCI compliance is a scam anyway. It doesn't prevent the numerous breaches that so many high-profile companies have been facing lately, and you can bet they're dotting their i's and crossing their t's with respect to PCI compliance. They have the budget to do so.
    Your Mac should not need the firewall on. That shouldn't affect PCI compliance, if the Mac is properly configured and does not have any services open in System Preferences -> Sharing.

  • Patching vulnerabilities for PCI compliance

    Hi
    My Apple Profile Manager server has failed a PCI compliance scan, due to the vulnerabilities listed below. The OS and the software are patched to the highest level, but it's still failing.
    What do I need to do to be able to resolve these? If I can't patch them by Thursday, I'll have to shut down the server.
    SSL/TLS use of weak RC4 cipher: CVE-2013-2566
    OpenSSL Multiple Vulnerabilities (OpenSSL Security Advisory 20140806): CVE-2014-3512, CVE-2014-3511, CVE-2014-3510, CVE-2014-3507, CVE-2014-3508, CVE-2014-5139, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506
    Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day: CVE-2007-6750

    If you're running OS X 10.9.2 as your message indicates then you are not patched to the highest level. (By a long way.)
    OS X 10.9.5 plus Security Update 2014-005 would give you all the current patches for Mavericks. If you upgraded to Yosemite and Server.app 4.0 you would get some further updates. (Server 4.0 would have to be purchased although Yosemite aka. OS X 10.10 itself is free.)
    Even with all of those I suspect some of the issues you list will not be patched. In theory you could manually compile and install patches but this is generally a very bad idea as you will then break compatibility with Apple's own software such as the server configuration tool Server.app and likely break Profile Manager completely and if you use it the Wiki module.
    If you want complete control over patching the software then OS X is not going to let you do this without, as mentioned above, severe consequences. Only Linux gives you that level of control. Arguably Windows gives you even less control than OS X as in Windows it is all closed source (Microsoft) software.

  • WRT610n help with PCI compliance issue ICMP timestamp

    I'm having an issue with ICMP timestamps and PCI compliance. They keep saying it is allowing timestamps, but my firewall shows it not checked. I see no particular option on the router to disable timestamps.
    Again, I have a WRT610N ver 2 router.
    Anyone run into this?
    I sure could use some help.
    Thanks!

    Did you try to upgrade/re-flash the firmware on your Linksys router?

  • CF 7 PCI compliance issue

    There is a security flaw in the wildcard ISAPI DLL in CF7 - Documented here:
    http://blogs.msdn.com/asiatech/archive/2009/03/13/why-private-ip-address-is-still-leaked-on-iis-server-even-after-applying-fix-834141.aspx
    Is there an update to this ISAPI DLL that fixes this issue?
    Thanks.

    Jochem,
    You wrote:
    >So configure a Host header in your IIS website.
    I wish it was easy as that.
    Doing that works fine without the wildcard dll enabled. Unfortunately without it enabled, the CF process fails.
    Enable the DLL and the private IP headers are leaked.
    >2. I fail to see where the PCI specification says said behaviour is non-compliant.
    That link is nowhere near a full compilation of the reasons that a site would fail PCI compliancy.
    It makes sense that one would fail under the circumstances that the private IP address is being leaked. That does present some potential issues for hackers to try and take advantage of.
    The specific PCI rejection is below. The article that they quote in their rejection does not correct the issue as it is specifically related to the DLL. As mentioned in the link in the very first post of this thread, the issue is readily evident by turning on/off the DLL requirement. Unfortunately our sites require it.
    "Synopsis : This web server leaks a private IP address through its HTTP headers.
    Description : This may expose internal IP addresses that are usually hidden or masked behind a Network Address Translation (NAT) Firewall or proxy server. There is a known issue with IIS 4.0 doing this in its default configuration. This may also affect other web servers, especially on a misconfigured redirection.
    See also : http://support.microsoft.com/support/kb/articles/Q218/1/80.ASP
    See the Bugtraq reference for a full discussion.
    Risk Factor: Medium / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    CVE : CVE-2000-0649
    BID : 1499
    Other references : OSVDB:630"

  • Rv082 fails PCI compliance test scan

    The rv082 v2 with firmware 2.0.2.01-tm fails PCI compliancy scans for the following vulnerability:
    tcp (tcp/1)
    TCP reset using approximate sequence number
    CVE-2004-0230
    Is there any fix for this?  Configuration change?  Future firmware fix?
    Thanks,
    dr

    Is the self-signed certificate the only certificate on the server? If so, get yourself a certificate from a reliable 3rd-party certificate authority. DigiCert's a good source, and a lot less expensive than others (like VeriSign).
    You're always going to have the self-signed cert on the server, but the only place it will be used is for intra-organizational SMTP sessions.
    --- Rich Matheisen MCSE&I, Exchange MVP

  • Skype Causing PCI Compliance Failure

    Hi,
    As part of my business, I have to undergo PCI Data compliance scans every 3 months. Everything has been okay, but I recently failed a scan, and received this message:
    Description: Skype for Windows < 5.8.0.154 Unspecified Vulnerability (uncredentialed check) Synopsis: The remote Skype install has an unspecified vulnerability. Impact: According to its timestamp, the version of Skype installed on the remote Windows host reportedly has an as-yet unspecified vulnerability.
    The suggested "Resolution" is to 'Upgrade to Skype for Windows 5.8.0.154 or later.'
    I am running Windows on VMWare Fusion on my Mac. Initially, I deleted Skype altogether from Windows and updated Skype on my Mac OS X, and still received the same message. So I reinstalled the latest version of Skype for Windows, and STILL received a fail on the scan.
    Is there some way to fix this? It looks like resolving this issue will fix up all the problems I've been having. Any help would be greatly appreciated.

    Hi there ... your post was a long time ago, but wondered if you managed to solve the problem of Skype clients causing PCI compliance to fail?  We are going through the same issues at the moment, all Skype clients updated, yet we are still failing every test.  If you managed to find a fix, would be great to know!  Cheers.

  • Privacy: PCI compliance, etc

    Hi,
    I'm creating a privacy policy for my MUSE website. Can you help answer these questions? I have a free basic site with my membership:
    1) Is your website getting regular security scans that meet or exceed PCI Compliance standards?
    2) Is your website receiving regular malware scans?
    3) Does your website have and use an SSL certificate?
    If any are no, can you tell me what it takes to upgrade to a yes?
    Thanks,
    Anita

    I just had a conversation with Trustwave and they are going to disable this check while they figure out a detection without this false positive, so your scans should be fine now. Thank you Trustwave for such a quick response and turn around!

  • CCX PCI Compliance

    Hi All,
    I am looking to achieve PCI compliance for my networking infrastructure, which includes CCX, currently running version 4.1 with IVR being used for credit card authentication. Not really sure where to start on this, so if anybody has any pointers on how the requirements for PCI compliance translate to what we actually need to do to the server, that would be much appreciated.
    Rgds


  • APPLSYSPUB and PCI Compliance

    PCI Compliance documentation requires us to change all vendor-supplied default passwords.
    Oracle says in 'Best Practices for Securing Oracle E-Business Suite' that it recommends that you NOT change the default password for APPLSYSPUB. (Appendix C).
    So what is a company to do? Do we change it or not?

    If by "logs" you mean the signature events the IPS Sensor generates, then the answer is mostly yes.
    The Sensor has a circular buffer for event storage. It will keep these events until they are overwritten.
    How quickly they are overwritten is a factor of buffer size, event size, packet capture options, etc. (there was a forum thread on this very topic you can search for).
    If you are concerned about keeping event logs, you can install the free IME server and pull events from the sensor. If you are REALLY concerned about getting event logs you can stand up two IME servers (they will cost you some sensor overhead though) and keep them on your host, instead of your sensor. Each sensor can support up to 5 devices (I think) pulling events.
    - Bob

  • PCI compliance scans failed with Sophos UTM

    From one of my training guides

    We have a Sophos UTM and use some RED devices at a few remote offices. We have just completed our quarterly PCI compliance scans and we are failing now due to port 3400 accepting SSL RC4 Cipher Suites. I've opened a ticket with Sophos' support to see if they could provide documentation that this is a false positive or provide some other solution. Their response thus far has been advising us to make a feature request @ feature.astaro.org. Obviously not the response we are looking for.
    My question is has anyone run into something like this before? How did you address the issue?
    My only thought at this point is to replace the RED devices at the remote offices and utilize another type of vpn. This is not the most desirable option as it means flying someone out to the remote offices and a network restructure. If anyone has some better...
    This topic first appeared in the Spiceworks Community

  • PCI Compliance Issue

    I'm trying to make our Exchange 2013 server PCI compliant. To do this, I've turned off SSL2 and 3, PCT1, and TLS 1.0.
    When I turn off TLS 1.0, none of our Outlook clients can connect. Is there a change I need to make somewhere so they use TLS 1.1 or above?
    N00b here, so I may have the terminology wrong.
    Thanks.


  • PCI Compliance and sessionid

    A recent scan of an ecommerce site I've developed and hosted
    on a shared server at CrystalTech has failed a PCI compliance test
    recently. It previously passed them.
    The report says that sessionids are predictable and therefore
    insecure. This threatens my relationship with the credit card
    companies. The good folks at CrystalTech have not been helpful yet.
    Is anyone familiar with this issue or have valuable thoughts?
    Interestingly, Securitymetrics calls it "Allaire Coldfusion".
    Man, are they out of date.

    It's a faulty report. Refer them to the following URL:
    http://livedocs.adobe.com/coldfusion/8/htmldocs/help.html?content=sharedVars_06.html
