DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2760 PCI DSS Vulnerability

24 Jan 2025 15:11 - 24 Jan 2025 15:29 #104478 by Joseph
2760 PCI DSS Vulnerability was created by Joseph
Aside from upgrading the router (which I know I may need to do), does anyone have a suggestion on how I can resolve this PCI DSS vulnerability?

THREAT: Your firewall policy seems to allow UDP packets with a specific source port (for example, port 53) to pass through while it blocks UDP packets to the same destination ports but with a random source port. In the Result section, the service lists up to 16 such destination ports that can be reached by the UDP probes with a source port of 53. Note that in a default scan, we have only used port 53 as the source port. It is possible that the firewall also allows UDP packets with other well-known ports as source ports to go through.

IMPACT: This weakness may allow a malicious remote user to bypass the firewall policy and reach UDP ports that are supposed to be protected by the firewall.

SOLUTION: Make sure that all your filtering rules are correct and strict enough. If they are not, change the firewall rules to filter these requests with a particular source port.


I have tried adding the following rule:
Direction: WAN -> LAN
Source IP: Any
Destination IP: Any
Service Type: TCP/UDP
Port: from 53 to any
Fragments: Don't Care
Filter: Block Immediately

But the PCI scan is still failing.

Is there anything else I can do on the Draytek, or is it just a case of replacing it with a supported model?

Thanks,

Joe
24 Jan 2025 23:19 #104483 by canine
Replied by canine on topic 2760 PCI DSS Vulnerability
Hi Joe,

A little more information on your use case could be helpful here... are you attempting to allow access to a DNS server on your local network?
DNS queries from the WAN to a server on the LAN should go from 'any port to port 53' rather than the other way around.

You may be able to restrict Source IP and Destination IP considerably rather than leaving them wide open, but again we'd really need to know specifically what it is you are hoping to achieve.

I would be greatly surprised if your Draytek can't be configured the way you want... give us a bit more info and we'll help as best we can!

25 Jan 2025 18:00 - 25 Jan 2025 18:04 #104486 by ianfretwell
Replied by ianfretwell on topic 2760 PCI DSS Vulnerability
I think you've completely missed the entire point there... he's not trying to allow anything through and is actually trying to stop it completely.

The PCI DSS scan result is saying that despite all that he's done, traffic from source port 53 on the internet is allowed to come straight through the Draytek's firewall onto his LAN... at least that's how it reads to me. But I've dealt with several PCI DSS type reports before and they have a habit of reporting things that are so utterly pointless that this then led me on to this:

Question to OP: where has the PCI DSS scan been run from, internal or external? If it's internal then canine has a point. I mean, who cares if your Draytek isn't protecting the entire internet from your own port 53 traffic....
26 Jan 2025 17:49 #104494 by Joseph
Replied by Joseph on topic 2760 PCI DSS Vulnerability
Hi Ian,

You are 100% correct. It is an external scan. So my reading of this issue, based on the example of port 443, is:
- Port 443 is blocked by the firewall
- When the client uses an ephemeral port as its source port, as the Draytek would expect, the incoming connection is blocked as intended
- However, if an attacker uses a well-known port as its source port, such as 53, then the connection is allowed.

This looks to me like a flaw in the Draytek's software, and since it's end of life it won't be fixed. I was just wondering if anyone had come across this before and fixed it before going down that route.

Thanks!

Joe
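To make the behaviour the scan finding and Joe's reading describe concrete, here is an added model of a first-match packet filter (example code written for this thread, not DrayTek firmware or anything posted above). The hypothetical "weak" policy admits any inbound UDP packet with source port 53, the classic stateless "allow DNS replies" rule; the "strict" policy only admits replies that match an outbound query recorded in a connection-state table, so the source port alone grants nothing. All addresses and ports are constructed.

```python
from dataclasses import dataclass
from typing import Optional, List, Set, Tuple

@dataclass(frozen=True)
class Pkt:
    proto: str
    src_ip: str
    sport: int
    dst_ip: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "block"
    proto: str = "any"
    sport: Optional[int] = None  # None matches any source port
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Pkt) -> bool:
        return (self.proto in ("any", p.proto)
                and (self.sport is None or self.sport == p.sport)
                and (self.dport is None or self.dport == p.dport))

def evaluate(rules: List[Rule], p: Pkt, default: str = "block") -> str:
    """Stateless first-match evaluation: the first rule that matches decides."""
    for r in rules:
        if r.matches(p):
            return r.action
    return default

# Hypothetical weak WAN->LAN policy: a stateless 'replies from DNS' allow
# placed ahead of the default block. Any UDP packet with sport 53 passes.
WEAK: List[Rule] = [Rule("allow", "udp", sport=53)]

# Strict policy: no stateless inbound allow at all; replies are admitted only
# via the state table below.
STRICT: List[Rule] = []

Flow = Tuple[str, str, int, str, int]  # (proto, src_ip, sport, dst_ip, dport)

def evaluate_stateful(rules: List[Rule], p: Pkt, state: Set[Flow]) -> str:
    """Admit a packet only if it is the reverse of a recorded outbound flow;
    otherwise fall back to the stateless rules."""
    reverse_flow: Flow = (p.proto, p.dst_ip, p.dport, p.src_ip, p.sport)
    return "allow" if reverse_flow in state else evaluate(rules, p)

# Constructed state: one LAN host has an outstanding query to a DNS resolver.
OUTBOUND: Set[Flow] = {("udp", "192.168.1.10", 40000, "198.51.100.53", 53)}

# Constructed packets: a scanner-style probe to port 443 using source port 53,
# and the genuine reply to the query above.
probe = Pkt("udp", "203.0.113.7", 53, "192.168.1.10", 443)
reply = Pkt("udp", "198.51.100.53", 53, "192.168.1.10", 40000)
```

Run through both policies, the probe is allowed by the weak rule set and blocked by the strict one, while the real DNS reply is still admitted under the strict set because it matches recorded state; the stateless strict set alone would drop that reply, which is why state rather than a source-port rule is the right fix.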
