
Question: PCI Compliance for Time Capsule

Is it possible to configure a Time Capsule to allow external scans (from a range of white-listed IPs) to confirm the security of my local network?


As of January this year PCI Compliance rules changed requiring access to my local network. I've verified with my ISP there's no firewall operating.


I freely admit I'm not an IT guy, but I've managed to keep our small business connected and running. Any advice or suggestions on configuration via AirPort Utility or otherwise are much appreciated.


Many thanks,


s.

macOS Sierra (10.12.6)



Apr 20, 2018 12:32 PM in response to stinkerton

In order to allow access to your local network from remote apps, you would need to open ports on your Time Capsule. This can be performed by using the AirPort Utility.


The following AirPort User tip provides the basics to do so: AirPort - Port Mapping Basics using AirPort Utility v6.x


Apr 20, 2018 1:00 PM in response to Tesserax

Thanks Tesserax!


This is a great start. Again, I'm not sophisticated with my IT management, so can you clarify a bit from the support article: all I have been given from the PCI Compliance organization is a list of IPs and IP ranges. I understand TCP and UDP are transfer protocols, but I'm confused as to relating them to IP addresses?


Thanks for your help!


Apr 20, 2018 1:29 PM in response to stinkerton

Port mapping may not be what you are looking for. I was under the impression that an outside agency will be running security scans on your local network. In order for them to do so, I am assuming that they would need to access your local network using some type of security application that they will run from a remote location. If this is correct, that application would require one or more ports to be open to gain access.


On the other hand, if you need to allow a range of public IP addresses access, this would not normally be done by port mapping alone and your Time Capsule would not have the capability to support this.


Apr 20, 2018 2:06 PM in response to Tesserax

Tesserax,


As I understand it, what you're describing in Paragraph 1 above is exactly what TrustWave wants to do. Their tech support is lacking, as I'm now realizing the white-list of IPs they provided is their answer both for my host and local network. But what you're saying sounds 100% right: they need access to local ports, but they've given me no info on what ports they will attempt to scan.


I have a call out to their tech support to follow up on what ports they need access to.


Thanks again for your time and insight!


Apr 20, 2018 3:24 PM in response to stinkerton

Please note that Port Mapping or Port Forwarding is not possible on your Time Capsule unless you have the type of modem that will allow this to occur.


In other words, to set up ports on the Time Capsule, it must be connected to a simple modem. This type of device will have only one Ethernet port, and will look something like the illustration that you see below:

[image: simple modem with a single Ethernet port]

If the Time Capsule is connected to a modem/router or gateway type of device, then the ports will need to be configured on the modem/router or gateway... not on the Time Capsule. A modem/router or gateway will look something like this:

[image: modem/router or gateway device]


If you are not sure what type of "modem" that you have, post back with the make and model number of the device, and we'll do some checking.


Apr 20, 2018 4:07 PM in response to Bob Timmons

Hi Bob!


Thanks for chiming in. We're using an Ubee DDW 365 which is definitely the latter of the two examples above.


It's not locked to user level changes and I was able to access the setup via http://192.168.0.1/ on my local network. I'm not really sure, nor confident on which settings I would make the changes to allow for incoming port scans from our PCI Compliance provider?


Can you point me in the right direction?


Thanks!


Apr 20, 2018 6:46 PM in response to stinkerton

Ubee DDW 365 is a wireless gateway as you have confirmed.


DDW365 Wireless Cable Modem Gateway | Ubee Interactive


So, it is the Ubee that is acting as the router in control of assigning IP addresses to devices on your network (including the Time Capsule), and as such it is the Ubee device that must be set up for port forwarding, also known as port mapping.


Your Time Capsule will not be actively involved in this process at all, since it will automatically pass through the port settings from the gateway to any of your devices that might be connected to the Time Capsule either by wireless or by wired Ethernet cable connection.


I suppose that it is possible that someone on a support forum for Apple routers might be familiar with port forwarding on a Ubee product and be able to lend a hand here, but realistically it is unlikely that they will see your post here.


My recommendation would be to contact either your Internet Service Provider (ISP) if they provided the Ubee gateway to you, or Ubee Support. If your Ubee gateway has a feature enabled called UPnP, the Ubee should automatically forward the ports that are needed. UPnP stands for Universal Plug and Play.


Good luck!


Apr 21, 2018 11:40 AM in response to stinkerton

Seems I'm being forced to go down the Ubee gateway rabbit hole.

There are a few possibilities if you really want to run the Time Capsule as your main router in control of the network. I am not necessarily suggesting that you do this, I'm only mentioning some possible options here.


1) The simplest thing to do would be to replace the Ubee gateway with a simple modem, assuming that your Internet provider will allow this option.


2) It might be possible to configure the Ubee gateway to act as if it were a simple modem. Some gateways can be configured this way, and some cannot. If your provider furnished the Ubee gateway to you, you'll need to ask their support folks whether this is possible and whether they would authorize and help you with the setup.


Apr 21, 2018 11:40 AM in response to stinkerton

I may be wrong, but we may be going at this from the wrong angle. If you are a merchant and accept credit cards for payment, the PCI compliance that I'm aware of requires periodic scans of your network to certify that it "protects" your customers' credit card information.


If this is the type of scanning you are referring to, a PCI-certified agency will perform these scans from a remote location to "see" if any ports are open on your local network's "main" router. This would be your Ubee in this case.


Depending on what credit card "level" merchant you are will drive which level(s) of security that you must have in place for PCI compliance. Regardless, one area of safeguarding the card data is to prevent attacks from remote locations on your local network. This is where a dedicated application-level firewall comes into play. Neither the TC nor the Ubee is a dedicated firewall device, and each has a limited version of firewall features, with the TC, most likely, having the least.


I think what this will come down to, is if the agency determines that your Ubee is insufficient for intrusion protection, you may need to consider "upping your game" by investing in a dedicated firewall appliance. This device would typically be placed between your Internet modem and router.


Apr 21, 2018 11:40 AM in response to Tesserax

If you are a merchant and accept credit cards for payment, the PCI compliance that I'm aware of requires periodic scans of your network to certify that it "protects" your customers' credit card information.

You're 100% correct. This is the exact scenario. What's ridiculous is the error I'm receiving from the PCI Scan is "host not detected." What's more secure than an invisible network?


Moreover, 99.9% of our CC transactions are handled by our gateway provider. We rarely actually "see" our customers' CC info. Maybe 6 times per year we run a transaction manually using virtual terminal if a customer insists on placing an order via telephone.


Again, thanks for your advice/suggestion of a dedicated firewall appliance. If I can't get the Ubee modem/router to behave, I'll investigate that route.


Apr 21, 2018 12:00 PM in response to stinkerton

What's more secure than an invisible network?

Not sure if you were aware that an "invisible" network is hardly secure, since there are any number of free utilities available over the Internet that will detect a "hidden" network in seconds, so anyone who really wants to see your network will be able to do so very quickly and very easily.


In addition, Apple specifically advises against using a "hidden" network in their best WiFi practices documentation, not only because of the ease in viewing a hidden network if desired, but also because it does make it difficult for some devices to even connect to the network.


More info here: Recommended settings for Wi-Fi routers and access points - Apple ...


It's your call, but I might briefly relate a quick story here. Recently, my neighbor mentioned to me that he had set up a "hidden" network to avoid having to enter a password for the network at all. His reasoning was that since he knew the name of the network and had stored it on his devices, that this was all that needed to protect and simplify his network.


After about 5 minutes, I called my neighbor and asked him to come over and see his network and devices on my computer. I'm a really lousy hacker, but he was shocked that I was able to get onto his network in about 60 seconds.


So, if you decide to "hide" your network, it would still be a good idea to use a good strong WiFi password for the network. A strong password would be a mix of random letters and numbers. The longer the password, the more secure the network... but... the longer it will take devices to connect.


Apr 21, 2018 11:56 AM in response to Bob Timmons

Bob,


I mis-spoke (typed). Our network is not formally hidden–I just meant it's not forward facing other than locally. Again, I'm hardly an IT guy!


I reviewed your link above and we're following all recommended settings including WPA2 Personal (AES).


In researching my PCI Compliance issue, I came across other users having similar frustrations with new PCI Compliance policies:


Re: How to whitelist IPs from Trustwave - Ubiquiti Networks Community


If I can't get my Ubee router to allow access for the PCI scan, I'll go the dispute route as outlined in the above link.


Thanks again.


Apr 21, 2018 12:11 PM in response to stinkerton

Thanks for the additional information. I'm not sure how any of this would involve an Apple router.


But, if you decide that you want to try a simple modem and then set up the AirPort as the main router for the network to handle port mapping, we can probably help with that aspect.


Frankly, the AirPorts are very simple products that have been designed for mom and pop to use at home. I would not recommend them for business use at all, but there are probably some users who will disagree.


Apr 21, 2018 1:38 PM in response to stinkerton

Thanks for the link.


From this article, I was able to glean the following:

  1. You set up which devices on your local network that you want scanned by Trustwave. These devices would have public IP addresses. This is supposedly done via the Trustwave Portal.
  2. A router must support the ability to whitelist external IP addresses. It also must support IPS or IDS security services. This is NOT the same as a firewall service.
  3. Whitelisting would be performed in the router's IPS or IDS service.
  4. What only needs to be allowed is the ICMP protocol inbound ONLY from the whitelisted range of Trustwave external IP addresses.
  5. If these devices cannot be accessed, for whatever reason, you can file a scan dispute with Trustwave.


So, one of the first things to verify is whether or not your Ubee router supports either the IPS or IDS security service. The other is if it allows you to enter a range of external IP addresses for the IPS/IDS rule. If it does neither, you will have to look for a router that can do both, or else go to step 5 to file a dispute.


Good luck.

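Item 4 above, and the earlier question about how TCP/UDP relate to IP addresses, both reduce to one two-part rule: an inbound packet is accepted only if its source address falls inside the scanner's whitelist AND its protocol is one the merchant chose to allow (here ICMP only). The Python below is an added example, not code from this thread or from any vendor; it normalises a whitelist given in the mixed "single IP / a-b range / CIDR" form a scanning provider might hand out (addresses are constructed placeholders, not Trustwave's real ranges), evaluates that rule, and flags whitelist entries that are suspiciously broad.

```python
import ipaddress
from typing import Iterable, List

# Constructed sample whitelist (RFC 5737 documentation addresses), in the mixed
# form a scan vendor might supply. Placeholders only, not a real scanner range.
SCANNER_WHITELIST = [
    "203.0.113.10",                 # single host
    "203.0.113.20-203.0.113.25",    # hyphenated range
    "198.51.100.0/28",              # CIDR block
]

def parse_whitelist(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Normalise single IPs, a-b ranges and CIDRs into a list of IPv4 networks."""
    nets: List[ipaddress.IPv4Network] = []
    for entry in entries:
        entry = entry.strip()
        if "-" in entry:
            first, last = (ipaddress.IPv4Address(p.strip()) for p in entry.split("-", 1))
            # Expand a-b into the minimal set of CIDR blocks covering it.
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets

def inbound_allowed(src: str, proto: str,
                    nets: List[ipaddress.IPv4Network],
                    allowed_protos=("icmp",)) -> bool:
    """The rule from the thread: source must be whitelisted AND protocol allowed.
    A whitelisted source sending TCP, or an unlisted source sending ICMP, is dropped."""
    addr = ipaddress.ip_address(src)
    source_ok = any(addr in n for n in nets)
    proto_ok = proto.lower() in allowed_protos
    return source_ok and proto_ok

def too_broad(nets: List[ipaddress.IPv4Network], min_prefixlen: int = 24):
    """Sanity check for the router config: a scanner range should be a handful of
    hosts, so anything wider than /24 (e.g. a 0.0.0.0/0 'any') is worth a second look."""
    return [n for n in nets if n.prefixlen < min_prefixlen]

if __name__ == "__main__":
    nets = parse_whitelist(SCANNER_WHITELIST)
    print("whitelist expands to:", [str(n) for n in nets])
    for src, proto in [("203.0.113.22", "icmp"), ("203.0.113.22", "tcp"),
                       ("203.0.113.26", "icmp"), ("198.51.100.15", "ICMP")]:
        print(f"{src:>15} {proto:<5} -> {'ALLOW' if inbound_allowed(src, proto, nets) else 'DROP'}")
    print("overly broad entries:", too_broad(parse_whitelist(["0.0.0.0/0"])))
```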