lalajane
01-22-2009, 07:15 AM
We recently became an ASV and I have two questions about requirements in the Technical and Operational Requirements for Approved ASVs.
1. The document states "If active IP addresses are found that were not originally provided by the customer, the ASV must consult with the customer to determine if these IP addresses should be included." If a customer only provides individual IP addresses for an ASV scan (vs. a range of IP addresses or a domain), do we need to do any additional analysis to determine if there might be other IPs we should scan? For example, if the customer only gives us 1 IP per location being scanned, would we be expected to check for other IPs in each location's subnet to see if there are other Internet-facing IPs that should have been provided?
2. The document states "Prior to scanning, the ASV must ensure that there is an unfiltered communication path to the customer's environment from the originating IP address of the ASV." Other than confirming that our ISP does not block any ports or services, what actions are required to obtain the same information regarding the customer's ISP? Is it sufficient to ask the customer if their ISP blocks any ports or services, or are we expected to perform additional testing, or contact the ISP ourselves to confirm there will be no interference with the scan?
Thanks
Jane Laroussi, CISSP, QSA