DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
PCI Compliance
04 Nov 2016 07:45 #87170
by johntillman
PCI Compliance was created by johntillman
Good morning
Have a client with 14 Vigor2710n v 3.6.5_232201 and 11 Vigor2830n v2 v 3.7.8.1. Please note the 2710n use the EU firmware to allow dial-in VPN. All routers use dial-in VPN for connecting to EPROM-based cash registers.
The main problem we are having is that PCI compliance is objecting to allowing login via HTTPS with DrayTek routers using a "self-signed certificate" rather than one from a "trusted third party Certificate Authority". If we turn off allow HTTPS we can no longer connect to the router for remote support, only when hard wired. Is there a way round this? Do you have a certificate from a trusted third party Certificate Authority for these routers?
Can supply the cfg we use for both if required.
04 Nov 2016 09:12 #87172
by johntillman
Replied by johntillman on topic Re: PCI Compliance
Sorry all. Got that a bit wrong. The certificate bit is correct; however, I should have said that if we turn off all remote access other than HTTPS we cannot log on for remote support, only hard wired. Suggestions for remote access protocols acceptable for PCI compliance? Cannot read my own notes, so sorry again for the confusion.
16 Nov 2016 08:44 #87317
by wombleh
Replied by wombleh on topic Re: PCI Compliance
SSL certs need to be generated specific to each router unfortunately!
I am not a PCI QSA but I think your options are:
- Run your own Certificate Authority (CA) either on one of your DrayTek devices or using something like OpenSSL on a PC, then sign all your routers' certificates. You need to install the public key from that CA into all devices that connect to the SSL service (not too clear if it's other DrayTek routers or the EPROM cash registers themselves, in which case this may not be an option? Plus your management PC). It's still self-signed so will fail the PCI test, but if the auditor understands technology then they should accept this approach. Best to check with them first; if they don't, then you could either find another one who will or pay for certs. Guide on the DrayTek side here to using a DrayTek router as the CA:
http://just.draytek.com/index.php?option=com_k2&view=item&id=5774&Itemid=293&lang=en
- Obtain certificates signed by a public trusted CA. There are free ones available from Let's Encrypt, but they only last 90 days and are best on servers with auto-update scripts, which the DrayTeks unfortunately don't have. You could buy one for each router at about £50 each and they can last at most 3 years; there may be cheaper ones if you shop around. Guide here:
http://www.draytek.co.uk/support/guides/kb-local-certificate-management
- Use something other than HTTPS for remote management, like IPsec VPN (but not PPTP, as I doubt PCI would accept that). If your management PC is behind a DrayTek router and all your sites have static IPs then this might be a good way to do it, but technically complex. I've not had any luck running IPsec from a PC to a DrayTek, but others might have fared better.
16 Nov 2016 09:54 #87319
by admin3
Forum Administrator
Replied by admin3 on topic Re: PCI Compliance
You could get a wildcard certificate and install that on each router, those appear to have become cheaper now (around £75 per year?). Then give each router a sub-domain to manage it.
IPSec is a good option for making a remote VPN to manage the routers, though L2TP with IPsec is easier to use for remote dial-in type VPNs.
If IPsec isn't working for you, try using the SmartVPN client and make sure the Windows Firewall is enabled, because ipsec requires the firewall to operate.
17 Nov 2016 13:24 #87326
by admin
Forum Administrator
Replied by admin on topic Re: PCI Compliance
It might fail PCI anyway, as v2710 is an old model and may not support TLS 1.2.
Where did you buy them from ?