how does this work? Modems/IPs/PCI Scans
-
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
When you say "modem" what do you mean exactly? What is it connected to?
This question confuses me.
A modem is a modem, right? connects to the Cable and becomes internet through FMA modem is a modulator/demodulator. But there are many types of modems and some modems are not modems at all. People who don't know better just call them that. That's why I asked.
in this case, a Cable Modem would be a modem or no?
It's taking in the cable signal then changing it an internet connection or no?
Yes. Cable mode is a modem.
But there could be two types of very similar devices,
- cable modem that will work as a network bridge. Meaning it is transparent on the network.
- cable modem with built in router, works as a router. Will do things on the network.
Some devices are multi-purpose and can be run in bridge mode or in router mode.
I would have to look into the modem to see if it has built in router.
most cable modems, at least these days, have built in routers though, so i'm going to go with yes, it has a built in router.In router mode
If it's in router mode you will likely have:
IP given to you by ISP -> cable router -> IP handed out from cable router -> FW -> IP handed out from FW -> PC
Also called double NAT. The original IP address get translated into another IP address two times.In bridge mode
IP given to you by ISP -> cable modem -> IP given to you by ISP -> FW -> IP handed out from FW -> PC
The original IP address get translated into another IP address one time (in the FW).I say "IP given to you by ISP" instead of public IP because in some cases it might not be a public IP at all. It depends on the ISP. It's probably most likely to encounter this on cellular networks or where it is unlikely that you host servers and have incoming traffic.
-
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
When you say "modem" what do you mean exactly? What is it connected to?
This question confuses me.
A modem is a modem, right? connects to the Cable and becomes internet through FMA modem is a modulator/demodulator. But there are many types of modems and some modems are not modems at all. People who don't know better just call them that. That's why I asked.
in this case, a Cable Modem would be a modem or no?
It's taking in the cable signal then changing it an internet connection or no?
Yes. Cable mode is a modem.
But there could be two types of very similar devices,
- cable modem that will work as a network bridge. Meaning it is transparent on the network.
- cable modem with built in router, works as a router. Will do things on the network.
Some devices are multi-purpose and can be run in bridge mode or in router mode.
I would have to look into the modem to see if it has built in router.
most cable modems, at least these days, have built in routers though, so i'm going to go with yes, it has a built in router.In router mode
If it's in router mode you will likely have:
IP given to you by ISP -> cable router -> IP handed out from cable router -> FW -> IP handed out from FW -> PC
Also called double NAT.In bridge mode
IP given to you by ISP -> cable modem -> IP given to you by ISP -> FW -> IP handed out from FW -> PC
I say "IP given to you by ISP" instead of public IP because in some cases it might not be a public IP at all. It depends on the ISP.
so, what i'm taking from all of this is ; if a PCI scan was done on the site, with 2 pcs, one behind a fw
(IP given to you by ISP -> cable router -> IP handed out from cable router -> FW -> IP handed out from FW -> PC)
and one not
(IP given to you by ISP -> cable router -> IP handed out from cable router ->PC)then chances are it's scanning the right PC and the fail is on the FW - right?
-
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
When you say "modem" what do you mean exactly? What is it connected to?
This question confuses me.
A modem is a modem, right? connects to the Cable and becomes internet through FMA modem is a modulator/demodulator. But there are many types of modems and some modems are not modems at all. People who don't know better just call them that. That's why I asked.
in this case, a Cable Modem would be a modem or no?
It's taking in the cable signal then changing it an internet connection or no?
Yes. Cable mode is a modem.
But there could be two types of very similar devices,
- cable modem that will work as a network bridge. Meaning it is transparent on the network.
- cable modem with built in router, works as a router. Will do things on the network.
Some devices are multi-purpose and can be run in bridge mode or in router mode.
I would have to look into the modem to see if it has built in router.
most cable modems, at least these days, have built in routers though, so i'm going to go with yes, it has a built in router.In router mode
If it's in router mode you will likely have:
IP given to you by ISP -> cable router -> IP handed out from cable router -> FW -> IP handed out from FW -> PC
Also called double NAT.In bridge mode
IP given to you by ISP -> cable modem -> IP given to you by ISP -> FW -> IP handed out from FW -> PC
I say "IP given to you by ISP" instead of public IP because in some cases it might not be a public IP at all. It depends on the ISP.
so, what i'm taking from all of this is ; if a PCI scan was done on the site, with 2 pcs, one behind a fw
(IP given to you by ISP -> cable router -> IP handed out from cable router -> FW -> IP handed out from FW -> PC)
and one not
(IP given to you by ISP -> cable router -> IP handed out from cable router ->PC)then chances are it's scanning the right PC and the fail is on the FW - right?
It can only scan the device that answers the IP it is scanning.
So it will scan the cable router if it's in routing mode.
It will scan the firewall if the cable modem is in bridge mode.If you have set up port forwarding in either one however, those scans will also be forwarded.
-
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
When you say "modem" what do you mean exactly? What is it connected to?
This question confuses me.
A modem is a modem, right? connects to the Cable and becomes internet through FMA modem is a modulator/demodulator. But there are many types of modems and some modems are not modems at all. People who don't know better just call them that. That's why I asked.
in this case, a Cable Modem would be a modem or no?
It's taking in the cable signal then changing it an internet connection or no?
Yes. Cable mode is a modem.
But there could be two types of very similar devices,
- cable modem that will work as a network bridge. Meaning it is transparent on the network.
- cable modem with built in router, works as a router. Will do things on the network.
Some devices are multi-purpose and can be run in bridge mode or in router mode.
I would have to look into the modem to see if it has built in router.
most cable modems, at least these days, have built in routers though, so i'm going to go with yes, it has a built in router.In router mode
If it's in router mode you will likely have:
IP given to you by ISP -> cable router -> IP handed out from cable router -> FW -> IP handed out from FW -> PC
Also called double NAT.In bridge mode
IP given to you by ISP -> cable modem -> IP given to you by ISP -> FW -> IP handed out from FW -> PC
I say "IP given to you by ISP" instead of public IP because in some cases it might not be a public IP at all. It depends on the ISP.
so, what i'm taking from all of this is ; if a PCI scan was done on the site, with 2 pcs, one behind a fw
(IP given to you by ISP -> cable router -> IP handed out from cable router -> FW -> IP handed out from FW -> PC)
and one not
(IP given to you by ISP -> cable router -> IP handed out from cable router ->PC)then chances are it's scanning the right PC and the fail is on the FW - right?
It can only scan the device that answers the IP it is scanning.
So it will scan the cable router if it's in routing mode.
It will scan the firewall if the cable modem is in bridge mode.If you have set up port forwarding in either one however, those scans will also be forwarded.
That makes a lot more sense
-
It sounds like your network looks like this
-
If you're failing PCI audits, it's likely because you have UPNP enabled on one or more firewalls, and the computers behind those firewalls are poking holes through your firewall - either that, or whomever setup the firewalls did port forwarding - OR the firewalls were hacked, and a hacker opened the ports.
-
@Dashrender Great drawing! Makes it easier to visualize.
Good reminder on UPnP, btw! Had forgot about that one.
UPnP is for home use and has no place in a business setting. That's the drawback with home equipment. There is a lot of stuff you need to disable and a lot of stuff you can't do at all.
-
@WrCombs The only thing the PCI firewall is doing is preventing the PC on 192 network from attacking it directly. Because it's on the 192 network, it could still act as a MiTM if it was able to shim its way in there. So the PCI network is not as protected as it could be.
Instead the firewall/cable modem should be setup with two internal networks (if possible - which is not likely) then the 192 computer couldn't get in the middle to be a MiTM.
-
@Dashrender said in how does this work? Modems/IPs/PCI Scans:
Instead the firewall/cable modem should be setup with two internal networks (if possible - which is not likely) then the 192 computer couldn't get in the middle to be a MiTM.
Or perhaps even better, the cable modem set to bridge mode and the 192.168.... connected as a second lan on the PCI firewall.
-
@Dashrender said in how does this work? Modems/IPs/PCI Scans:
It sounds like your network looks like this
This sounds like exactly what he has.
@WrCombs said in how does this work? Modems/IPs/PCI Scans:
then chances are it's scanning the right PC and the fail is on the FW - right?
It is 100% impossible for a server on the public internet to scan through a NAT device without something else at play. WTF ever PCI scanner you are using on the internet is not seeing anything on the first internal network. Let alone anything on the double nat'd network.
-
@Dashrender said in how does this work? Modems/IPs/PCI Scans:
@WrCombs The only thing the PCI firewall is doing is preventing the PC on 192 network from attacking it directly.
Correct
@Dashrender said in how does this work? Modems/IPs/PCI Scans:
Because it's on the 192 network, it could still act as a MiTM if it was able to shim its way in there.
Nothing on the 192 network can simply MiTM. You can easily pcap the data though.
You could then use the knowledge gained from that to spoof DNS or IP and then begin to get data with some sort of MiTM.
@Dashrender said in how does this work? Modems/IPs/PCI Scans:
So the PCI network is not as protected as it could be.
It is not secure at all. this is a 100% fail.
-
@Pete-S said in how does this work? Modems/IPs/PCI Scans:
Or perhaps even better, the cable modem set to bridge mode and the 192.168.... connected as a second lan on the PCI firewall.
This is the only secure method.
You have to remove any network between the internet and the PCI firewall.
Note, you don't need VLAN. You can just use two ports like in my next post.
-
Actual setup that I have at the site I am sitting at now.
Only device on PCI LAN
Firewall rules drop 100% traffic from LAN to PCI LAN and PCI LAN to LAN.
-
Here is the config for that.
jbusch@fsl-stl# show interfaces ethernet eth0 { address 12.XXX.XXX.XXX/30 description "AT&T FIber" duplex full firewall { in { name WAN_IN } local { name WAN_LOCAL } } speed 100 } ethernet eth1 { duplex auto speed auto } ethernet eth2 { address 10.202.8.1/29 description "PCI LAN" duplex auto firewall { in { name PCI_IN } local { name PCI_LOCAL } } speed auto } ethernet eth3 { address 10.202.0.1/23 description "FSL LAN" duplex auto firewall { in { name LAN_IN } local { name LAN_LOCAL } } speed auto vif 10 { address 10.202.10.1/24 description "Guest Wireless" firewall { in { name Public_WiFi_IN } local { name Public_WiFi_LOCAL } } } vif 20 { address 10.202.11.1/24 description "Security Cameras" mtu 1500 } } loopback lo { }name PCI_IN { default-action accept description "Network for PCI Devices" rule 10 { action drop description "Block SMTP" destination { group { port-group SMTP_Ports } } log disable protocol tcp state { established enable invalid enable new enable related enable } } rule 20 { action drop description "Allow access to gateway" destination { group { address-group ADDRv4_eth2 } } log disable protocol tcp state { established enable invalid enable new enable related enable } } rule 30 { action drop description "Block Access to LAN" destination { group { address-group 10_0_0_0_8 } } log disable protocol all } } name PCI_LOCAL { default-action drop description "Devices on PCI Network" }name LAN_IN { default-action accept description "LAN in to other interfaces" rule 10 { action accept description "Devices Allowed SMTP" destination { group { port-group SMTP_Ports } } log disable protocol tcp source { group { address-group Email_Servers } } state { established enable invalid disable new enable related enable } } rule 40 { action drop description "Drop all other SMTP" destination { group { port-group SMTP_Ports } } log enable protocol tcp state { established enable invalid enable new enable related enable } } rule 50 { action drop description "Drop all to PCI LAN" destination { group { address-group NETv4_eth2 } } log disable protocol all state { established enable invalid enable new enable related enable } } } -
Few if any consumer level firewalls will provide the split like Jared is showing.
But a super cheap ER-X from Ubiquiti can do this very easily, as Jared's examples show.
-
I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.
-
@scotth said in how does this work? Modems/IPs/PCI Scans:
I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.
This assumes you can get two ip from the isp.
-
@Dashrender said in how does this work? Modems/IPs/PCI Scans:
@scotth said in how does this work? Modems/IPs/PCI Scans:
I think that there's one more way. One firewall per network, both through the cable modem/router. Each is responsible for their own security. Any backoffice access is governed by the payment processor and security for the payment/processing side is provided by the payment processor.
This assumes you can get two ip from the isp.
You could also put one firewall behind the other. This happens a lot. The idea is to get the transaction(s) secure and to make absolutely sure that the PCI compliance is on the shoulders of the payment processor as much as possible. Audits are their responsibility. Remediation is their responsibility. Secure transactions are their responsibility.
EDIT: This does not exclude you (meaning anyone) from properly securing your own environment. Put the onus where it belongs.
-
@JaredBusch example also is great for home use if you have IoT devices. I have an ERL behind a cable modem and this keeps everything I want separated from my normal LAN.
-
@brandon220 said in how does this work? Modems/IPs/PCI Scans:
@JaredBusch example also is great for home use if you have IoT devices. I have an ERL behind a cable modem and this keeps everything I want separated from my normal LAN.
That is a good way to practice this for business use
