DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

PCI Compliance

06 Mar 2012 09:30 #71476 by robertb24
PCI Compliance was created by robertb24
I have a Vigor 3300 and have to perform a PCI scan for our online payments.
The scan keeps reporting that port 161 (SNMP) is open and needs addressing. I have updated the firmware on the 3300 to the latest version as it said you could disable SNMP.
How do you actually disable it as I can see no selection in the GUI to do it?

thanks for help

Rob


08 Mar 2012 09:11 #71511 by voodle
Replied by voodle on topic Re: PCI Compliance
It should be under System > Access Control, you'd see the tickbox on there. If not, maybe check with draytek support if they've got a specific firmware to help with that.


26 Mar 2012 09:45 #71675 by ahxcjb
Replied by ahxcjb on topic Re: PCI Compliance

robertb24 wrote: I have a Vigor 3300 and have to perform a PCI scan for our online payments.
The scan keeps reporting that port 161 (SNMP) is open and needs addressing.
Rob

Ignore it. SNMP is often a critical resource on networks. How else are you expected to get information from the devices?


26 Mar 2012 10:13 #71678 by robertb24
Replied by robertb24 on topic Re: PCI Compliance
The PCI compliance scan would not complete with this open. Draytek have provided some new firmware and created some additional rules for me, which have now made it compliant.
You also cannot ignore what the scan says:

Description: SNMP is enabled and may be vulnerable
Severity: Potential Problem
CVE: CVE-2002-0012 CVE-2002-0013 CVE-2002-0053
Impact: If a vulnerable implementation of SNMP is running, a remote attacker could crash the device, cause the device to become unstable, or gain unauthorized access.

Resolution: For the HMAC length 1 security bypass vulnerability, [http://www.net-snmp.org/download.html] update to NET-SNMP 5.4.1.1, 5.3.2.1, 5.2.4.1, 5.1.4.1, 5.0.11.1, or UCD-snmp 4.2.7.1 or get updates for other products from your vendor.

There are a number of measures which can be taken to reduce the risk of this vulnerability being exploited.
- Apply a [http://www.cert.org/advisories/CA-2002-03.html#vendors] patch from your vendor if one is available. (IRIX users should also refer to [ftp://patches.sgi.com/support/free/security/advisories/20020201-01-P] SGI Security Advisory 20020201-01-P, and Sun users should also refer to [http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=secbull/219] Sun Security Bulletin 219 for patch information.)
- Change all community strings to non-default strings which are difficult to guess.
- Block access to UDP ports 161 and 162 at the network perimeter.
- Disable the SNMP service on machines where it can be disabled and is not needed.

There are a number of additional precautions which should also be taken wherever possible:
- Filter SNMP traffic from unauthorized internal hosts
- Segregate SNMP traffic onto a separate management network
- Block incoming and outgoing traffic (ingress and egress filtering) on ports 161, 162, 199, 391, 705, and 1993, both TCP and UDP
- Block incoming traffic destined for broadcast addresses and internal loopback addresses
- Disable stack execution

For more information on these precautions, see [http://www.cert.org/advisories/CA-2002-03.html] CERT Advisory 2002-03.
Vulnerability Details: Service: snmp

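The scan report quoted above boils down to a checkable policy: SNMP (and the related ports in the CERT list) must not be reachable from the Internet or from internal hosts that are not management stations. The following is an added example, not code from the thread or from DrayTek: it audits a first-match firewall rule set against that policy. The rule model, the management subnet 192.168.100.0/24, the sample hosts and both rule sets are constructed for illustration; the Vigor 3300's own rule syntax is not reproduced here.

```python
# Added example: audit a perimeter rule set for the SNMP exposure a PCI scan flags.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Ports named in the CERT CA-2002-03 precautions quoted in the scan report.
SNMP_PORTS = (161, 162, 199, 391, 705, 1993)

# Constructed sample addresses (assumptions, not from the thread).
WAN_HOST = "203.0.113.10"        # an arbitrary Internet host (TEST-NET-3 range)
INTERNAL_HOST = "10.0.0.25"      # an internal host that is not a management station
MGMT_HOST = "192.168.100.5"      # the management station that legitimately polls SNMP


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    proto: str                        # "udp", "tcp" or "any"
    src: str                          # source CIDR
    dports: Optional[FrozenSet[int]]  # destination ports, None = any port


def decide(rules: List[Rule], proto: str, src_ip: str, dport: int) -> str:
    """First-match evaluation with an implicit default deny, as most perimeter firewalls do."""
    src = ip_address(src_ip)
    for r in rules:
        if r.proto != "any" and r.proto != proto:
            continue
        if src not in ip_network(r.src):
            continue
        if r.dports is not None and dport not in r.dports:
            continue
        return r.action
    return "deny"


def audit_snmp_exposure(rules: List[Rule]) -> List[str]:
    """Return one finding per SNMP port reachable from a source that should be filtered."""
    findings = []
    for proto in ("udp", "tcp"):
        for port in SNMP_PORTS:
            for label, src in (("WAN", WAN_HOST), ("unauthorised internal host", INTERNAL_HOST)):
                if decide(rules, proto, src, port) == "allow":
                    findings.append(f"{proto}/{port} reachable from {label} ({src})")
    return findings


# Constructed rule sets. The weak one mirrors what the scanner saw: SNMP answering to anyone.
WEAK_RULES = [
    Rule("allow", "udp", "0.0.0.0/0", frozenset({161, 162})),
    Rule("allow", "tcp", "0.0.0.0/0", frozenset({443})),
]

# The hardened one follows the scan's advice: SNMP only from the management subnet,
# then an explicit drop of the whole SNMP port list, TCP and UDP, from everywhere else.
HARDENED_RULES = [
    Rule("allow", "udp", "192.168.100.0/24", frozenset({161, 162})),
    Rule("deny", "any", "0.0.0.0/0", frozenset(SNMP_PORTS)),
    Rule("allow", "tcp", "0.0.0.0/0", frozenset({443})),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_snmp_exposure(rules) or ["no SNMP exposure found"])
        print("  management station udp/161:", decide(rules, "udp", MGMT_HOST, 161))
```

Running it reports four findings for the weak set (UDP 161 and 162 from both the WAN host and the internal host) and none for the hardened set, while the management station can still reach UDP 161. The same check is worth re-running after any firmware update or rule change, since the thread shows the exposure was only closed after both.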

04 Apr 2012 08:08 #71784 by cjard
Replied by cjard on topic Re: PCI Compliance
Oh, what a load of crap PCIDSS truly is

"If a vulnerable implementation of SNMP is running, a remote attacker could crash the device, cause the device to become unstable, or gain unauthorized access"

I'd like the PCI council to show me any internet service where that does not apply - is the PCI scan OK with the router running a web server? Cos a vulnerable impl of that could allow an attacker to break in and upload a custom firmware that steals passwords, inserts trojans into downloads and copies credit card numbers.... Rolleyes@PCIDSS hypocrisy


04 Apr 2012 13:10 #71792 by drummerjohn
Replied by drummerjohn on topic Re: PCI Compliance
So true... PCI is the biggest money spinning waste of time I have ever encountered. All leveraged by the banks.

