
How to pass PCI Compliance scan when RED (tcp/3400) uses a weak cipher?

Our recent PCI Compliance scan came back failed because the RED service uses RC4-SHA. This is also one of the issues that the scanning company (Trustwave, who is used by our credit card processor, FirstData) will not allow to be overridden. If this is the opinion of a major credit card processor such as FirstData, you can assume that this is the opinion that much of the industry is going to have soon.

The ciphers used by RED aren't configurable, and the RED service is conspicuously absent from Sophos' SSLv3 mitigation document (https://community.sophos.com/kb/en-US/121509). I've already contacted premium support, and their response was basically, "we're aware of the issue." (Of course they're still selling RED devices as a secure means of extending your network.) They offered no advice on mitigation, other than the implied advice to wait for the patch...which any long-time customer knows could mean anything.

Since my remote locations that use RED have static IPs, I attempted to just add firewall rules to fix this (only allowing my IPs, drop all others). Except that RED communication must be handled prior to firewall rules, so they're completely ignored.

So the only thing left I can think of is to go out and purchase another firewall to put in front of the UTM. Certainly not the conversation I'd like to have with those that approve large purchases such as that.

  • Hi, Jon, and welcome to the new UTM Community!

    Check #2 in Rulz. You'll see that you want DNATs instead of firewall rules.  You will want to NoNAT the IPs you allow and then DNAT packets from "Internet" to a non-existent IP.

    It's hard to imagine that Support didn't suggest this.  Please PM me with your ticket number.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
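A way to check the finding yourself, both before and after the NoNAT/DNAT workaround is in place (an added example, not from this thread or from Sophos): a Python probe that sends a ClientHello offering only the RC4 suites and reports whether the service negotiates one. The host and port are assumed command-line arguments (the UTM's public address and 3400 for RED); the all-zero client random is a constructed placeholder.

```python
import socket
import struct

# IANA cipher-suite IDs; the scanner's "RC4-SHA" is TLS_RSA_WITH_RC4_128_SHA (0x0005).
RC4_SHA = 0x0005
RC4_MD5 = 0x0004

def build_client_hello(cipher_suites):
    """Minimal TLS 1.0 record carrying a ClientHello that offers only cipher_suites."""
    ciphers = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (
        b"\x03\x01"                                  # client_version: TLS 1.0
        + b"\x00" * 32                               # random: constructed all-zero placeholder
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(ciphers)) + ciphers  # cipher_suites vector
        + b"\x01\x00"                                # compression_methods: null only
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_server_response(data):
    """Cipher-suite ID chosen in the ServerHello, or None if the server refused (alert etc.)."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x02:  # handshake record + ServerHello
        return None
    body = data[9:]  # version(2) random(32) session_id_len(1) session_id cipher_suite(2) ...
    if len(body) < 35 or len(body) < 37 + body[34]:
        return None
    off = 35 + body[34]
    return struct.unpack("!H", body[off:off + 2])[0]

def probe(host, port, cipher_suites=(RC4_SHA, RC4_MD5), timeout=5.0):
    """Offer only RC4 suites to host:port; return the one negotiated, or None if declined."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(cipher_suites))
        return parse_server_response(sock.recv(4096))

if __name__ == "__main__":
    import sys
    host, port = sys.argv[1], int(sys.argv[2])  # e.g. the UTM's public address and 3400
    try:
        chosen = probe(host, port)
    except OSError as exc:  # timeout/refused: what a source hitting the blackhole DNAT sees
        sys.exit(f"{host}:{port} unreachable: {exc}")
    if chosen is None:
        print(f"{host}:{port} declined an RC4-only ClientHello: PASS")
    else:
        print(f"{host}:{port} negotiated RC4 suite 0x{chosen:04x}: FAIL")
```

Run it from an address that is not in your NoNAT list to confirm the DNAT blackhole (the connection should time out), and from an allowed address to confirm RED still answers there.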