I have recently been trying to get my company IP addresses scanned with Comodo HackerGuardian. My website needed some adjustments to SSL, but after they were made it passed the scan. As we also have a machine accessing a Virtual Terminal at our office premises, I then scanned our LAN IP, but as we have no open ports on our outer firewall the HackerGuardian scan did not complete. I then adjusted the firewall to reject rather than drop the HackerGuardian scanner, but the scan still failed to complete.
I contacted HackerGuardian about this and received the following response:
Question: We have a Virtual Terminal inside our LAN and as I understand things we need to scan our LAN outer/perimeter firewall.
Response: This is incorrect. Only Internet facing (externally accessible) hosts are in scope for PCI scanning by an ASV.
Question: How can I scan this firewall's WAN ip address with HackerGuardian to make sure that the Virtual Terminal provider is happy?
Response: This is not possible. Your virtual terminal software should be a pre-validated payment application.
Our office network has a WAN IP address that is publicly routable with both forward and reverse DNS resolution, and the IP address is also externally accessible enough to be reached by HackerGuardian's scanner.
Regardless of the fact that I do not have any ports open on our office network perimeter firewall, I thought one of the reasons for scanning is to confirm that this is in fact the case and there has not been a misconfiguration.
What do people think is the correct or appropriate interpretation of the PCI rules?