A growing cause of frustration for us is PCI compliance scans. It seems each PCI compliance company is a little different, and our efforts to create enough exceptions on the firewalls, while still maintaining proper security, work for some compliance companies, but not all. If we just block the scan, some companies place a note in the customer account indicating the scan was properly blocked by a firewall, while other compliance companies require us to allow the scan. I feel like I’m reducing the security of the firewall in order to permit the scan, only to then be told the firewall isn’t secure enough.
For the compliance companies that require the firewall to allow the scan, the Fireboxes are often flagged with SSL issues due to using self-signed certificates for VPN, even when we have SSLVPN disabled. When we do have SSLVPN enabled, we generally only use self-signed certificates because it is just VPN, not a webserver for public use.
Anybody have any thoughts/strategies on the matter?