topic Re: c2911 Firewalling and IDS/IPS for PCI DSS compliance in Network Security

c2911 Firewalling and IDS/IPS for PCI DSS compliance

Enrique Roques Gomez — Fri, 21 Feb 2020 14:16:06 GMT

Hi,

One customer wants to be audited for PCI DSS compliance. They have c2911 routers as WAN routers.

When they do port scanning, obviously there are some ports open as routers are doing natting. As far as I know, port scanning cannot be prevented with ACLs. We need some firewalling or/and IDS/IPS functionalities on the router to avoid it.

Can anyone give me hand with this topic? Do I need to upgrade to a higher IOS version? any security licence?

these are the version details of the routers

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)

Technology Package License Information for Module:'c2900'

-----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
------------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security None None None
uc None None None
data None None None

thanks in advance

Re: c2911 Firewalling and IDS/IPS for PCI DSS compliance

Philip D'Ath — Tue, 05 Sep 2017 09:52:42 GMT

You would need to buy a security licence for the routers and then you could implement zone based firewall.

Re: c2911 Firewalling and IDS/IPS for PCI DSS compliance

Enrique Roques Gomez — Tue, 05 Sep 2017 12:17:23 GMT

Hello Philip,

Thanks for your quick response. Could we get a similar result regarding port scanning with reflexive ACL?

I know it is not as powerful as CBAC but we might prevent port scanning tools from seeing open ports.

thanks

Re: c2911 Firewalling and IDS/IPS for PCI DSS compliance

Philip D'Ath — Tue, 05 Sep 2017 18:39:08 GMT

You can't get the same result using reflective ACLs because they leave the ports permanelty open.

CBAC and zone based firewall only leave the ports open while they need to be and then close them again.