- #ZENMAP PORTABLE HOW TO#
- #ZENMAP PORTABLE PORTABLE#
If you found issues, make sure you document in detail what was done to resolve those issues and conduct new scans to prove that those issues were remediated.
Save all of your results and comparisons so that you have a record of your testing. If it does return results, you will have to figure out way and block that traffic into the CDE. This should return no results back if the network is truly out of scope. Connect to every Out of Scope network segment and run an Nmap scan into each CDE network segment for every TCP and UDP port for all IP addresses in the CDE. Since communication is allowed between these network segments you will need to compare the results of the Nmap scan to your documented, approved ports and firewall rules to confirm that no ports are open that are not documented and approved. While in the Connected To network segments, conduct testing to all Out of Scope network segments. Again, since communication is allowed between these network segments you will need to compare the results of the Nmap scan to your documented, approved ports and firewall rules to confirm that no ports are open that are not documented and approved. Connect to every Connected To network segment and conduct testing into the CDE for all TCP and UDP ports against all IP addresses in the CDE network segment. If you get any unexpected results back, you are going to have to resolve those issues as there should be no external connectivity. Again, you are going to test all TCP and UDP ports against those addresses. However, what I tell my clients to do is to use every external IP address they have for business partners or other third parties they are connected to. Obviously, you are not going to test every internet address as that would take forever. Finally, you will need to test that your CDE can only reach the internet through ports and IP addresses you have specified. Since communication between the CDE and Connected To segments is allowed, you will need to compare the results of the Nmap scan to your documented, approved ports and firewall rules to confirm that no ports are open that are not documented and approved. While in each CDE, test connections out to your Connected To network segments testing all TCP and UDP ports against all IP addresses in your Connected To network segments. If you do find a port open in one of your out of scope networks, you will have to track down where that leak occurs. This likely sounds extreme but to prove segmentation you must test all 65,535 TCP/UDP ports against all IP addresses to make sure that no traffic “leaks” to your out of scope networks. You will want to run an Nmap scan that scans all TCP and UDP ports (i.e., 1 through 65535) against all IP addresses in a given out of scope network segment. Connect your scanner to every CDE network segment and attempt to reach all of the Out of Scope network segments from the CDE. The important thing is to have access to every network segment in your environment so that you can conduct this testing. It is also not unusual to use diagnostic systems in the data center to accomplish this effort (they may already have Nmap installed) as well as creating VMs for this testing and then remoting into those systems. #ZENMAP PORTABLE PORTABLE#
The reason this needs to be portable is because you will likely have to move around your facilities in order to complete all of the testing. Make sure you have Nmap installed on a portable computer.Label each network segment as Cardholder Data Environment (CDE), Connected To or Out of Scope based on the definitions from the Scoping Information Supplement. Gather an inventory of all of the network segments.
Here is the network segmentation testing methodology for traditional IP networks.
#ZENMAP PORTABLE HOW TO#
Never mind the fact that there is the even more basic issue of how to approach network segmentation testing. Because of that, I think people therefore believe there is something “special” about how segmentation testing must be performed. The only thing I can point to is the fact that network segmentation testing falls within the requirements of penetration testing. How something so simple became something so complicated (or at least believed to be complicated), I just will never understand. NOTE: If you have not read the PCI SSC Information Supplement – Guidance for PCI DSS Scoping and Network Segmentation you must do so before using the procedures documented in this post.
0 kommentar(er)
