Open Ports Found In PCI Compliance Testing


By Jeff

Open ports may appear in the report for several reasons, mainly because of other clients' needs.

These ports can be used only for HTTP/HTTPS traffic. All traffic passing through them is well monitored by Incapsula. All non-HTTP/S traffic is disregarded.

When you run a PCI compliance test on a domain that points to Incapsula proxies, the open port list might include ports that are open on our proxy machines. These ports are not open to your origin server(s) unless requested, making them completely irrelevant to your website.

The scanner uses the public DNS configuration of your website, so it receives our records (which represent our proxies) and runs the test on them.
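An added example (not from the original article or from Incapsula) of the point above: it follows a hostname's public records the way a scanner would, then sorts reported open ports into those on the shared proxy addresses and those on the origin. All hostnames, addresses and findings are constructed placeholders, and treating 80 and 443 as the expected web ports is an assumption.

```python
# Constructed sample data: placeholder names and documentation-range addresses.
PUBLIC_DNS = {
    "www.shop.example": [("CNAME", "abc123.proxy.example")],
    "abc123.proxy.example": [("A", "192.0.2.10"), ("A", "192.0.2.11")],
}
ORIGIN_IPS = {"198.51.100.7"}   # real web server address, known to the site owner
SCAN_FINDINGS = [               # (scanned IP, open port) rows from scan reports
    ("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.10", 8080),
    ("192.0.2.11", 2083), ("198.51.100.7", 443), ("198.51.100.7", 22),
]

def resolve(name, zone, max_depth=8):
    """Follow CNAMEs in `zone` until A records are found; return the set of IPs."""
    seen = set()
    for _ in range(max_depth):
        if name in seen:
            raise ValueError("CNAME loop at " + name)
        seen.add(name)
        records = zone.get(name, [])
        ips = {value for rtype, value in records if rtype == "A"}
        if ips:
            return ips
        cnames = [value for rtype, value in records if rtype == "CNAME"]
        if not cnames:
            return set()
        name = cnames[0]
    raise ValueError("CNAME chain too long")

def triage(hostname, zone, origin_ips, findings, web_ports=(80, 443)):
    """Sort findings by where the port is actually open."""
    scanned = resolve(hostname, zone)   # what a DNS-driven scan really targets
    report = {"proxy": [], "origin": [], "origin_non_web": [], "unrelated": []}
    for ip, port in findings:
        if ip in origin_ips:
            report["origin"].append((ip, port))
            if port not in web_ports:   # these are the ports you can close yourself
                report["origin_non_web"].append((ip, port))
        elif ip in scanned:
            report["proxy"].append((ip, port))  # shared edge, not your server
        else:
            report["unrelated"].append((ip, port))
    # If public DNS resolves straight to the origin, the scan reaches it directly.
    report["origin_exposed_in_dns"] = sorted(scanned & origin_ips)
    return report

if __name__ == "__main__":
    for key, rows in triage("www.shop.example", PUBLIC_DNS, ORIGIN_IPS, SCAN_FINDINGS).items():
        print(key, rows)
```
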

Have you considered bringing this information to your PCI Scanning vendor's attention? We have thousands of customers that are running the same PCI scan (and fail for the same reason, Open Ports). Providing them with our signed PCI compliance certificate and explaining to them that as a CDN we have many ports open for a range of customers should be acceptable. That is how a Cloud WAF & CDN works.

Incapsula is unable to close these ports or provide you with an alternative way of scanning your website. As long as the scan targets our CNAME and A records, it is scanning our data centers, and the open ports in question serve thousands of customers.

We will be more than happy to explain this to your PCI scanning vendor ourselves if you wish.


Comments

  • Resultwithlucy

    The PDF is not there?

  • Jeff

    The PDF is a clickable link at the end of the article. I have confirmed it is accessible.

  • Web Admin

    I can't access the PDF now.

  • Yorick

    Link to .pdf is broken ...

  • Ronen - Support
  • Yorick

    Hi Ronen,
    I'm sorry, but each time I click the link I end up on the incapsula/zendesk home page. The same happens if I copy/paste the link in my browser. (It happens in both Chrome and Firefox.)

  • Francesco

    Hi Ronen,
    I'm not able to download the pdf: exactly the same issue as Yorick.

  • Ronen - Support

    Hi Francesco,

    We were able to fix this issue.
    Please try again.

    Ronen

  • Koji

    The certificate was expired by 15th January 2017.
    I would like you to update the pdf file for 2017.

  • Yaniv

    Our 2017 certificate has been attached to the document.

  • Daniel

    Thanks for publishing an explanation. I'm sending this to our ASV to see if they can narrow the scope of their scans to only a few ports (53, 80, 443, and maybe some other common ports under 1024) instead of the 100s of open ports they're currently scanning. That should bring our total scan time down from days to hours.
