Help understanding network vulnerability scan results

Big Jim (Derbyshire, UK)
As I have a card machine connected via ethernet, I have to perform a network scan as part of my compliance.
It's an online portal: I log in, give it my IP, then a couple of hours later it throws the results at me.

It found 31 vulnerabilities, 10 of which have caused me to fail my audit.
9 out of the 10 were related to port 443, so I set a firewall rule in the router to block 443 completely, ran the test again and I am still getting the exact same results.
The problem is I do not understand the results one bit, for example see attached.

I am using a DrayTek Vigor 2850N router.
I run 3 separate VLANs:
1 for our internal network
1 for customer network
1 solely for the card machine
 

Attachments

  • Untitled-1 copy.jpg
Can you tell me more about your network please? Do you have a Windows server running IIS internally? What IP\hostname did you run the scan against? The errors you're seeing are normally associated with 56-bit encryption on IIS, AFAIK, which is confusing me.
 
Are you sure you are scanning the site's usable IP(s) and not the gateway? A common error is to put in the gateway address. You cannot change any settings for the gateway address as that is controlled by the ISP. I seem to remember there was a recent thread that was similar. The gateway was being used instead of the actual usable IP.
 
Use grc.com to do a ShieldsUP scan and check for port 443 being open. Disable SSL VPN on the Vigor. Disable remote management if enabled. Check the port forwards, open ports and DMZ server. A rogue setting here exposing 443 may bypass the firewall rules. I also set the DrayTek default rule to block - it defaults to allow all traffic, which renders the firewall virtually useless unless you put in a manual block rule.

If all looks well then check your firewall rule. It should be WAN to LAN/DMZ/VPN and should block TCP traffic TO destination port 443. The source port should be left at 1 to 65535 (any source port). If you put 443 in the source port it will not work properly.
 
I'd guess that it's seeing an HTTPS external management interface (on either the gateway or the router). It probably sees the self-signed certificate, and since routers rarely get firmware updates, it's probably using old protocols too.

I'd suggest a firmware update for the router (if available). That might not actually fix the issue though. You can also change the management port (put it to something above 1024) and if you don't need remote management (WAN side), you might have the option to turn that off.
 
I have a Windows server (2008 R2) but I double-checked and IIS is not running.
The router is a DrayTek Vigor 2850n; if you are not familiar with it, it is highly configurable (way above my skillset), so if settings need changing there is a good chance that it can be done in that router :)

Not sure what you mean by usable IP and gateway IP.
I obtained the IP address from my router's config screen; it would be the same IP address that I get from a site such as http://whatismyipaddress.com/

Might be worth mentioning I am on a dynamic IP (purely because I don't need static)
 

If you don't mind, PM me a screenshot of the config screen. Having a dynamic IP is irrelevant, so to speak, for this matter.
 
Browse to https://your.ip.address with Internet Explorer. View the certificate details to see where it is coming from. Then you know which device is exposed, at least. You can easily find the SSL VPN setting (to disable it) and easily check the open ports screens - disable the rule for 443.
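The two suggestions above (check whether 443 is open from the WAN side, then look at the certificate and protocols the listener presents) can be reproduced from a machine outside the network without waiting hours for the portal. The following is an added example written for this thread; it is not code from the original posts, from the scanning vendor or from DrayTek. It assumes, as the thread does not say, that it is run from outside the shop network against the site's usable public IP (not the ISP gateway), and it reduces the 443 findings to three checks: is the port reachable, is the certificate trusted, and are the early TLS versions still accepted.

```python
"""Probe TCP/443 the way an external scanner would (added example, not from the thread).

Assumptions not stated in the thread: run from outside the network, target is the
site's usable public IP, and the placeholder 192.0.2.10 below is a documentation
address that must be replaced with the real one.
"""
import socket
import ssl
import sys

LEGACY_VERSIONS = ("TLSv1", "TLSv1_1")  # "early TLS": flagged by PCI ASV scans


def port_open(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes.
    If the WAN->LAN block on destination port 443 is effective, this is False."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def certificate_status(host, port=443, timeout=5.0):
    """Connect with full verification (system CA store plus hostname check)
    and report why it fails. A router management page normally presents a
    self-signed certificate, which OpenSSL names in the verify message."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "trusted"
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: " + (exc.verify_message or str(exc))
    except ssl.SSLError as exc:
        return "tls error: " + str(exc)


def accepted_tls_versions(host, port=443, timeout=5.0):
    """One handshake per TLS version, pinned to exactly that version.
    True = server accepted it, False = server refused it, None = the local
    OpenSSL cannot even offer it (typical for TLS 1.0/1.1 on current distros)."""
    results = {}
    for ver in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probing protocols here, not trust
        try:
            ctx.minimum_version = ver
            ctx.maximum_version = ver
            if ver.name in LEGACY_VERSIONS:
                # OpenSSL 3 refuses TLS 1.0/1.1 unless the security level is 0
                ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except (ValueError, ssl.SSLError):
            results[ver.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[ver.name] = True
        except OSError:  # ssl.SSLError is a subclass of OSError
            results[ver.name] = False
    return results


def findings(open_443, cert_status, tls_versions):
    """Turn the three probe results into the findings a scanner would raise."""
    if not open_443:
        return ["TCP/443 closed or filtered: the 443 block rule is effective"]
    out = ["TCP/443 reachable from the WAN: some device still exposes HTTPS"]
    if cert_status.startswith("untrusted"):
        out.append("certificate not trusted (%s): typical of a router's own "
                   "management certificate" % cert_status[len("untrusted: "):])
    for name in LEGACY_VERSIONS:
        if tls_versions.get(name):
            out.append("%s accepted: early TLS, fails a PCI ASV scan" % name)
    return out


def open_local_listener():
    """Throw-away TCP listener on 127.0.0.1 so port_open can be exercised
    offline (self-test helper only, not part of the probe)."""
    sock = socket.socket()
    sock.bind(("127.0.0.1", 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder
    open_443 = port_open(target, 443)
    cert = certificate_status(target) if open_443 else "n/a"
    tls = accepted_tls_versions(target) if open_443 else {}
    for line in findings(open_443, cert, tls):
        print(line)
```

Run it as `python probe443.py <public-ip>` from a host outside the network (a phone hotspot is enough). If the first line says 443 is reachable after the block rule was added, the rule is not matching (wrong direction, or 443 placed in the source port) or something such as remote management or a port forward is bypassing it, exactly the cases listed in the earlier reply. The untrusted-certificate and early-TLS lines are the two things a router's own management listener usually contributes to a failed scan.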
 
Browsing to my IP, either from an internal computer or externally, lands me at my router login page.

VPN is not enabled.
As far as I can tell the router is on the latest firmware. (3.6.8_RC2)
which config screen do you want a shot of ? (there are lots)
 
This could be it: HTTPS internet access control is enabled.
I will go and hunt for the setting now and turn it off; it's not allowing me in anyway.
 

LOL!!! I'm sure there are. I'm looking for what they have for a public IP and gateway. But when I was looking online I realized that these are DSL routers, so that might be different. Been ages since I've done DSL. But with cable, fiber, and others I can always see what I need. Meaning even if it's public dynamic I'll see the gateway as well as the assigned public IP somewhere in the modem/router. Of course if it's static that's not an issue. Many devices have a connection info/status page.
 
Failed another scan but this time it is the following error
Microsoft Windows Server 2003 Unsupported Installation Detection

I am running 1 server on 2012 Hyper-v with several VMs, the earliest of which is 2008 R2, but mostly 2012.

Any ideas what this could be ?
 
I hate PCI scans. No or conflicting information from different vendors, no guidance on problems, just "you failed - fix it". Did you pass your quarterly scans from 9/17 through 9/18? If so, then either something changed on your end (possible, but unlikely you wouldn't know about it) or something changed with the scan (likely - good f$cking luck figuring it out). Also very possible that it's a mistake or problem in their code - again, you won't get any information to help from them. Just to turn over that rock, give the scanning vendor a call and report the error message and the seemingly related fact that "I don't have Server 2003". See if they have any suggestions - but I doubt it. What? No, I'm not bitter at all! :-)
 
As I have a card machine connected via ethernet
What type of card machine?

If the card machine uses Point to Point Encryption (P2PE) and you do not in any way retain/intercept/hold card details, you may not need to perform a port scan (See 'Understanding the SAQs for PCI DSS' attached). When you complete the SAQ (Self Assessment Questionnaire) there's usually a 'profile' to complete which will determine (based on your answers) whether it is necessary for your network to comply with the security standard.
 
I spoke to them on the phone today, they are saying that the scan possibly picked up a "signature" from one of my other VMs and has mistaken it for a 2003 signature.
Asked me a bunch of questions about my network layout, I explained that the card machine has its own VLAN and the server has nothing to do with card processing.
They confirmed that was sufficient; all I need to do now is upload a copy of my network map and state what OSes are running on my server.
The only issue with this is that I don't have a network map, as it is such a simple network (3 VLANs: 1 for us, 1 for the card machine and 1 for customer machines. Our network has a total of 3 machines on it, 1 of those being the server).

I have just paused the 2008 R2 VM and ran the scan again, hoping that it will pass without me having to try and work out how to create a network map.
 

Yes, until next quarter, when the scan will fail again and you have to do the dance all over again. Let us know if you manage to get a passing scan
 
No luck so far; paused the 2008 R2 VM and
tried blocking the 3 IP addresses to that particular VLAN (but I don't think that worked for some reason).
Still getting the same error.

Any free tools that will create an easy simple network map that I can upload ?
 