Service Object / PCI Compliance issue
Mike11224466
Newbie ✭
I have a TZ400 and updated to latest firmware.
I have a camera in office. I have added a service object / cam services on port 81.
When I run a PCI scan, it fails and says ...
CGI: HTTP Security Header Not Detected : 81 / tcp
CGI: Session Cookie Does Not Contain the "Secure" Attribute: 81 / tcp
There are no issues on the scan for port 81 under web server, web application, information gathering,
Please help with what I can do so the PCI scan does not fail.
Category: Firewall Management and Analytics
Answers
Hi @MIKE11224466,
Thank you for visiting SonicWall Community.
It seems like the PCI scan is failing for your camera on port TCP 81 since the port is open on the firewall. The firewall will pass the traffic on TCP 81 to the camera. This scan failure needs to be fixed on the camera side. There should be some setting on the camera; you can check with the camera support and have this fixed.
Hope this helps. Please let me know if any questions or clarifications.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
I feel that under Service Object or some other place you should be able to inject HTTP??
Hi @MIKE11224466,
A service object in the SonicWall acts as an interface to apply the port numbers to policies such as NAT, access rules, etc. In the SonicWall, we have allowed port TCP 81 to the camera, so traffic destined to the camera is allowed by the SonicWall after validation. The request/response on TCP 81 is therefore handled by the camera.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @MIKE11224466,
Yes, set the access rule to block port TCP 81 for the time being while the scan is performed, and after obtaining the results, please set the rule back to allow camera access.
Hope this helps.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Can you tell me steps exactly how to do this please?
I appreciate your help
@MIKE11224466 - Could you please share the "Zone" (LAN or any custom zone) of your camera located behind the firewall? Also, please share the address object name of your camera IP address on the SonicWall. I can give you the precise steps.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Address Object name: CAMERA
Zone: LAN
Type: Host
I was wondering if you could answer my question?
Hi @MIKE11224466,
Please check for the access rule in the WAN to LAN view. The rule should include the service object for port TCP 81. Please have this rule disabled for the time being while you perform the scan. Once the scan is done, please enable the rule again.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
Hi @Saravanan @Mike11224466
CGI: HTTP Security Header Not Detected : 81 / tcp --> This message doesn't mean the port 81 scan failed. It means that the port on the camera does not comply with HSTS (HTTP Strict Transport Security).
CGI: Session Cookie Does Not Contain the "Secure" Attribute: 81 / tcp --> If your web application uses cookies, then the data stored in cookies can be intercepted and recovered by unauthorized users if the data is transmitted over an HTTP connection, causing information disclosure. To prevent this, a "secure" flag can be set on the cookie; the flag tells the browser to only transmit the cookie over an HTTPS connection, not over HTTP.
Usually for PCI the network will be classified as Card Data Environment (CDE) and non-CDE. Those systems which are handling cardholder data are included in the CDE, and only the CDE is required to be compliant. Other systems which are not part of the CDE need to be segmented and kept in a separate network. So a system like CCTV usually won't be part of the CDE and does not need to be in PCI scope. If it is part of the PCI network or CDE environment, then we have to secure it. So first you have to classify whether your camera system is in the CDE environment or not.
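The two scan messages above can be reproduced locally before re-running the paid scan. The script below is an added example (not from this thread, SonicWall, or any scanner vendor): it parses a raw HTTP response and reports which security response headers are absent (Strict-Transport-Security plus the other headers such "security header not detected" checks commonly look for) and which Set-Cookie headers lack the Secure or HttpOnly attribute. The two sample responses are constructed for the example and are not captures from the poster's camera; the header names and the fetch_raw() helper are this example's own choices.

```python
"""Reproduce the "security header" and "cookie Secure attribute" findings.

Added example, not code from the thread or from a scanner vendor. The
sample responses are constructed, not captured from a real camera.
"""
import socket

# Response headers that "HTTP Security Header Not Detected" style checks
# usually expect. HSTS only has an effect over HTTPS, but scanners flag
# its absence on any web listener, which is why a plain-HTTP camera UI
# on TCP 81 trips the check.
SECURITY_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
)

# Constructed sample, typical of an embedded web UI served over plain HTTP.
SAMPLE_CAMERA_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: camera-httpd\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: sessionid=3f9a1c; Path=/\r\n"
    b"Set-Cookie: lang=en; Path=/; Secure; HttpOnly\r\n"
    b"\r\n"
    b"<html>...</html>"
)

# Constructed sample of the same UI after the headers and cookie are fixed.
SAMPLE_FIXED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Set-Cookie: sessionid=3f9a1c; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    b"\r\n"
    b"<html>...</html>"
)


def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_line, [(name, value), ...]).

    Header names are lower-cased; repeated names (several Set-Cookie lines)
    are kept in order. Both CRLF and bare LF line endings are accepted.
    """
    head = raw.replace(b"\r\n", b"\n").split(b"\n\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\n")
    headers = []
    for line in lines[1:]:
        if ":" not in line:
            continue  # skip malformed or folded lines
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def check_security_headers(headers):
    """Return the expected security headers that are absent from the response."""
    present = {name for name, _ in headers}
    return [h for h in SECURITY_HEADERS if h not in present]


def check_cookies(headers):
    """Return [(cookie_name, [missing attributes])] for every weak Set-Cookie."""
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        # Attribute names only; "Max-Age=3600" becomes "max-age".
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append((cookie_name, missing))
    return findings


def audit(raw: bytes):
    """Run both checks; the keys mirror the two scan messages in the thread."""
    status, headers = parse_response(raw)
    return {
        "status": status,
        "missing_headers": check_security_headers(headers),
        "weak_cookies": check_cookies(headers),
    }


def fetch_raw(host: str, port: int = 81, path: str = "/", timeout: float = 5.0) -> bytes:
    """Fetch the response head from a live device so audit() can be applied to it.

    Hypothetical helper for the example; it is not called by the offline demo.
    Sends a plain HTTP/1.0 GET so the server closes the connection itself.
    """
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request)
        while b"\r\n\r\n" not in b"".join(chunks):
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    for label, sample in (("camera", SAMPLE_CAMERA_RESPONSE), ("fixed", SAMPLE_FIXED_RESPONSE)):
        print(label, audit(sample))
```

Run audit(fetch_raw("camera-ip")) only while the WAN-to-LAN rule for TCP 81 is enabled, from a host the rule permits. Note that the Secure attribute is only meaningful on a cookie set over HTTPS, so a camera that only speaks plain HTTP on port 81 will keep producing both findings until its web UI is served over TLS, which is the same point item 4 of the PCI list below makes.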
Hi @Mike11224466,
The PCI DSS standard comes to CCTV when physical security is required. To comply with the standard, you must use security cameras AND/OR access control in any sensitive areas. Sensitive areas are defined as below:
“Note: ‘Sensitive areas’ refers to any data center, server room or any area that houses systems that store, process, or transmit cardholder data. This excludes public-facing areas where only point-of-sale terminals are present, such as the cashier areas in a retail store.”
To summarize, if you don’t have access control, then YES, you need cameras in these sensitive areas to protect cardholder data.
As per the PCI standard CCTV camera Implementation, please follow the below steps;
1) The network must be protected with a firewall, and it should not be the same network as the PCI cardholder network.
2) For security cameras in sensitive areas, you need to retain the footage for 3 months, and they should capture all entrances and exits so you can identify who has entered and exited at any given time.
3) There is no explicit requirement for an offsite backup, but PCI requirement 9.5.1 encourages entities to store all media at an off-site facility.
4) HTTPS/SSL data encryption (Camera / NVR, web page access must be through HTTPS port)
5) Motion detection and search
6) Tamper detection and alerts
7) Detailed user audit logs with 1 Year backup
8) RSA + AES data encryption
9) Do not use Vendor default password
10) Prevent unauthorized changes to audit logs
11) Review logs and security events to identify unusual activity
NB: This community is only for SonicWall products and support. Since your question relates to SonicWall and security for your CCTV system, I am explaining the PCI DSS standard and its implementation.