Basic steps to check before going for a PCI test
01/24/2024
Description
Who needs a PCI compliance test?
PCI DSS came about to ensure proper standards were in place to secure all organizations that handle credit/debit cards.
What does the PCI DSS secure?
The employees, visitors, services, and technology that your business relies on may take physical, mobile, or online payments from major card brands. PCI DSS mainly focuses on securing the credit card data that is stored, processed, or transmitted to trusted card vendors.
PCI compliance requirements:
- Secure network - maintain a firewall and use unique, non-vendor-supplied passwords
- Protect cardholder data - encrypt data that is stored and/or transmitted
- Vulnerability program - endpoint anti-virus and anti-malware software, always at the latest patch level
- Access control - limit access to cardholder data to those who need it, identify and authenticate every access, and restrict physical access
- Tracking and monitoring - periodically monitor and test security systems and access to cardholder data
- Information security - implement clear policies and processes and make everyone aware of their seriousness and significance
Resolution
This KB explains basic best practices for administrators managing SonicWall Firewall Appliances to increase the overall security of an end-to-end architecture. They are based on the most common errors that we see regularly.
- Always be on the latest firmware release. A new release is published to fix bugs, remediate vulnerabilities, improve processing, add features, and so forth. How can I upgrade SonicOS Firmware?
- Change the default admin name and password. How can I change the administrator password?
- Disable all unsecured port access (HTTP, RDP, SSH) from untrusted zones. Disable HTTP management access on all WAN zones and change the HTTPS management port from the default (TCP 443) to a custom one (say TCP 8443). How can I change the HTTP and HTTPS management ports
- Make timely backups. Document and label each backup; this will help you roll back to a known-good state. How can I save a backup settings file from a SonicWall firewall? and How can I create cloud backup of SonicWall settings?
- Security services. Gateway Anti-Virus, IPS, and Anti-Spyware need to be enabled, as explained in Common configurations to protect against Ransomware.
- Enable Stealth Mode so the firewall does not respond (with an RST or deny packet) to port scans. Stealth Mode
Most common PCI compliance failure reports:
- SSL self-signed certificate on port TCP 443. Even if you are using the secured port 443 (HTTPS), a self-signed certificate is a security risk if the management page is accessed from the WAN. How do I generate a new SSL certificate from my SonicWall firewall? The certificate will have a domain name that needs to resolve to the public IP of the SonicWall.
- HTTP Security Header Not Detected - upgrade the firmware to the latest release; the missing HSTS header is fixed there. How can I upgrade SonicOS Firmware?
- General remote services on port TCP 4433: the SSL VPN service is using a self-signed certificate. How to upload a CA signed certificate to SSL VPN service?
- TLSv1.1 is supported - the latest browsers have all disabled TLSv1.1 and SSLv3. Disable TLS 1.1 Support
- SSL Certificate has an IP Address as the Common Name. The certificate used for HTTP web management or SSL VPN has an IP address instead of an FQDN in the Common Name (CN) field. Obtain a certificate with an FQDN as its CN or Subject Alternative Name.
- Subject Common Name Does Not Match Server FQDN. Obtain a certificate whose Subject Common Name (CN) or Subject Alternative Name (SAN) matches the FQDN used to access it. For example, if the scan is being done using the FQDN www.example.com, the certificate must have its CN or SAN as www.example.com or *.example.com.
- SSL Certificate - Signature Verification Failed Vulnerability. This error occurs when the certificate used for HTTP web management or SSL VPN is signed by an unknown Certificate Authority (CA). In most cases this happens when the CA is private, for example a Windows CA. Obtain a certificate signed by a public CA.
- Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode. UDP 500 is used by all types of IPsec VPN tunnels, including WAN GroupVPN (GVC) connections. Increase the complexity of the shared secret by including special characters and numbers, and avoid any patterns. A digital certificate is the most secure option available with WAN GroupVPN.
- Use 2FA for every login - IPsec VPN client, SSL VPN client, or HTTPS admin login. How to configure two-factor authentication using TOTP for HTTPS Management, How do I configure 2FA for SSL VPN with TOTP? and Two factor authentication using RSA Radius and SecurID for SonicWall GVC
- Restrict inbound access. Do not allow inbound access over unsecured ports like HTTP, FTP, SSH, RDP, and so forth. Wherever possible, use source-based access rules. How to Configure Access Rules
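As an added example (not SonicWall's own tooling), the following Python script runs the certificate and HSTS checks from the list above against a management port before the PCI scanner does, using only the standard library. It assumes the custom HTTPS management port 8443 from the hardening steps, does a simplified wildcard match (one DNS label), and the hostnames and addresses used in the comments and tests (fw.example.com, 192.0.2.10) are constructed placeholders.

```python
import ipaddress, socket, ssl

def is_ip(name):
    # An IP address in the CN is itself a scan finding (see the list above)
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def name_matches(pattern, fqdn):
    """Certificate name match: a leading '*' covers exactly one DNS label."""
    pattern, fqdn = pattern.lower().rstrip("."), fqdn.lower().rstrip(".")
    if pattern.startswith("*."):
        return fqdn.count(".") == pattern.count(".") and fqdn.endswith(pattern[1:])
    return pattern == fqdn

def check_cert_names(cn, sans, fqdn):
    """Return the report titles the certificate's CN/SAN would trigger for fqdn."""
    findings = []
    if is_ip(cn):
        findings.append("SSL Certificate has an IP Address as the Common Name")
    if not any(name_matches(n, fqdn) for n in [cn, *sans]):
        findings.append("Subject Common Name Does Not Match Server FQDN")
    return findings

def check_hsts(headers):
    """headers: list of (name, value) pairs from the HTTPS response."""
    if any(k.strip().lower() == "strict-transport-security" for k, _ in headers):
        return []
    return ["HTTP Security Header Not Detected"]

def live_check(fqdn, port=8443, timeout=5):
    """Run all checks against a reachable firewall; 8443 is the assumed custom HTTPS port."""
    ctx = ssl.create_default_context()  # chain is verified against the system trust store
    ctx.check_hostname = False          # name matching is done by check_cert_names above
    try:
        with socket.create_connection((fqdn, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {fqdn}\r\n\r\n".encode())
            lines = tls.recv(8192).decode(errors="replace").split("\r\n")
    except ssl.SSLCertVerificationError as e:  # self-signed or private CA
        return [f"SSL Certificate - Signature Verification Failed ({e.verify_message})"]
    subject = {k: v for rdn in cert["subject"] for k, v in rdn}
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    headers = [tuple(l.split(":", 1)) for l in lines if ":" in l]
    return check_cert_names(subject.get("commonName", ""), sans, fqdn) + check_hsts(headers)
```

check_cert_names and check_hsts can be exercised offline with the CN, SAN list and headers copied from an existing scan report; only live_check needs network reach to the firewall.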
For more information on vulnerabilities and their impact on your device, please visit the Vulnerability List published by SonicWall. It has details about each CVE, the impacted products, and the fix.