Hi all

I am currently working on getting our systems PCI complaint (credit card security), we currently pass the external scans, but it has highlighted the following issue at level 5. Can any one interpret this and give me an indication as to what I need to do on the router to fix, it talks about filtering incoming TCP connections, however, I block everything apart from connections from specific IP addresses.

I have a Draytek 2860n

See below

Thanks

Matt


Title: TCP reset using approximate sequence number

Impact: A remote attacker could cause a denial of service on systems which rely upon persistent TCP connections.

Resolution: To correct this problem on Cisco devices, apply one of the fixes referenced in the Cisco security advisories for [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp-ios.shtml] IOS and [http://www.cisco.com/warp/public/707/cisco-sa-20040420-tcp- nonios.shtml] non-IOS operating systems. Refer to [http://www.kb.cert.org/vuls/id/415294#systems] US-CERT Vulnerability Note VU#415294 and [http://www.uniras.gov.uk/niscc/docs/re-20040420-00391.pdf?lang=en] NISSC vulnerability advisory 236929 for other vendor fixes.

If a fix is not available, this problem can be worked around by using a secure protocol such as [http://rfc.net/rfc2411.html] IPsec, or by filtering incoming connections to services such as BGP which rely on persistent TCP connections at the firewall, such that only allowed addresses may reach them.

Risk Factor: Medium/ CVSS2 Base Score: 5.0

Hi,

I assume you are using Security Metrics (www.securitymetrics.com) ?

We noticed this last night aswell on our reports. however looking back at previous reports, the issue is not there. Only thing we have done is upgrade the firmware to latest release.

As you, we also set the firewall default policy to block all and only allow in for ports we need.

Thanks Dave32

Yes SecurityMatrix

We do not fail due to this but it is 5 on their risk scale and I am told 6 is a fail so I would like to get the risk lowered.

Did upgrading the firmware fix yours? Ours is new and on the latest firmware.

I assume there must be a firewall rule I can setup but not sure what it is actually telling me.

Matt

no. running the latest firmware may have caused this alert on the report.

ah I see, do we know how we can sort it? Ironically the obvious solution is to downgrade to an older firware but that also breaks PCI 'all updates and patches are installed within xxx... etc'

Anyone from Draytek here that can give any clarity on what needs to be done? Is it a firmware issue or something we need to configure a firewall rule for?

Thanks

Matt