Internal and external


Eugene
02-10-2009, 06:24 AM
Hello,

Could someone specify what external and internal scan/penetration testing mean?

We have a company with a LAN connected to the internet through a firewall. Inside the LAN there is another LAN with its own firewall where CHD are processed.

So, will an external scan be from the internet, or from the company LAN against the CHD environment FW? Will an internal scan be from the company LAN, or from a computer connected behind the FW inside the CHD environment?

Thank you in advance

jplee3
02-10-2009, 07:36 AM

External scan should be seen as anything "public" facing (so, yes, coming from outside on the internet would be considered "external") - these are the types of scans that your vendor who does your quarterly scans would be doing.
Internal pen testing starts when you're behind the firewall and on the company LAN - when performing their audits, QSAs should be doing both internal and external scans when they assess your network and environment.

jbhall56
02-10-2009, 02:29 PM
To clarify further.

Vulnerability scanning is the process of scanning a network to determine if it has any potential vulnerabilities. This is typically done with a vulnerability scanner like Tenable's Nessus, IBM/ISS's Internet Scanner or SAINT's SAINT scanner.

Vulnerability scanners typically do not prove whether or not the vulnerability can actually be exploited. That is where penetration testing comes in. Penetration testing takes over where vulnerability scanning leaves off. The purpose of penetration testing is NOT as some people like to portray it, as a license to crash networks and/or servers. Penetration testing is performed to prove whether or not a vulnerability can actually be exploited and therefore used to compromise a network or device. Penetration testing is also typically done with tools such as Metasploit, Core Impact or SAINTexploit. However, there is a high risk that devices may become inoperable or crash due to penetration testing, so care should be taken when conducting it.

For PCI compliance, external vulnerability scans are required to be performed at least quarterly and must be performed by an Approved Scanning Vendor (ASV). An external vulnerability scan is also required any time significant changes are made to your applications and/or network. For external penetration testing, anyone that is qualified can conduct the penetration testing and it needs to be performed at least annually or whenever significant changes occur to networks or applications.

Internal vulnerability scanning and penetration testing need to be performed at least annually or whenever any significant changes occur to your internal network or applications. These scans and tests can be performed by anyone who is qualified to conduct such scanning and testing. By qualified, it should be people who have a background in networks and security and can interpret the results of the scanning and testing.

Finally, for PCI compliance, only those external and/or internal network devices and servers that process, store or transmit cardholder data (CHD) need to be vulnerability scanned and penetration tested. Network devices are defined as routers, firewalls, load balancers, switches and any other networking equipment that is in-scope for PCI compliance.

dazz057
02-16-2009, 07:41 AM
To clarify further.

Internal vulnerability scanning and penetration testing needs to be performed at least annually or whenever any significant changes occur to your internal network or applications. These scans and tests can be performed by anyone that is qualified to conduct such scanning and testing. By qualified, it should be people that have a background in networks and security and can interpret the results of the scanning and testing.



I was under the impression that Internal VA scanning is required on a quarterly basis ( for Merchant Levels 1-3) starting in 2009. Did I misunderstand something?

jbhall56
02-16-2009, 04:49 PM
You are correct. Internal vulnerability scanning is also required on a quarterly basis.

I'm working on one of my last v1.1 ROCs and I'm tripping over the v1.1 versus v1.2 requirement changes.

Eugene
03-16-2009, 02:42 AM
From http://forum.aegenis.com/showthread.php?t=714&page=2 it looks like when the CDE is not bound to the internet, but only through a firewall to the company LAN, which has another firewall bound to the internet, the external scans (vulnerability and penetration) are not mandatory. These scans really won't see or reach any hosts in the CDE. But maybe an external scan will mean, in that case, from the company LAN against the CDE FW? And internal - from a computer inside the CDE?
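As an added illustration of the vantage points discussed in this thread (Eugene's question with jplee3's answer, and Eugene's follow-up above), here is a small Python model of the two-tier topology. It is not code from the thread or from any PCI document; the addresses, hosts, and firewall rules are constructed for the example. It shows why the answer depends on where the scanner sits: a scanner on the internet crosses both firewalls and, with no corporate-firewall rule forwarding traffic to the CDE, sees nothing in the CDE; a scanner on the company LAN crosses only the CDE firewall and sees exactly what that firewall permits; a scanner inside the CDE crosses no firewall at all and sees every service.

```python
"""Toy reachability model: internet -> corporate firewall -> company LAN
-> CDE firewall -> cardholder data environment (CDE).

Added example, not from the thread. Every address, host and rule below is
constructed (hypothetical) to illustrate scan vantage points."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed address plan
COMPANY_LAN = ip_network("10.0.0.0/16")   # company LAN behind the corporate firewall
CDE_LAN = ip_network("10.50.0.0/24")      # CDE behind its own firewall
ADMIN_NET = ip_network("10.0.2.0/24")     # constructed admin subnet on the company LAN


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]   # None matches any port
    action: str           # "allow" or "deny"


@dataclass
class Firewall:
    name: str
    rules: List[Rule]     # first matching rule wins; no match means deny

    def permits(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        for rule in self.rules:
            if src in rule.src and dst in rule.dst and rule.port in (None, port):
                return rule.action == "allow"
        return False      # default deny


def zone(ip: IPv4Address) -> str:
    """Classify an address into the zone it lives in."""
    if ip in CDE_LAN:
        return "cde"
    if ip in COMPANY_LAN:
        return "company"
    return "internet"


# Which firewalls a packet crosses on its way from each zone into the CDE.
PATH_TO_CDE = {"internet": ("corp_fw", "cde_fw"), "company": ("cde_fw",), "cde": ()}

# Constructed rule sets. The corporate firewall only forwards HTTPS to a public
# web server on the company LAN; nothing is forwarded toward the CDE.
FIREWALLS = {
    "corp_fw": Firewall("corp_fw", [
        Rule(ip_network("0.0.0.0/0"), ip_network("10.0.1.10/32"), 443, "allow"),
    ]),
    # The CDE firewall lets the company LAN reach the CDE app server on 443
    # and lets the admin subnet reach any CDE host on SSH.
    "cde_fw": Firewall("cde_fw", [
        Rule(COMPANY_LAN, ip_network("10.50.0.10/32"), 443, "allow"),
        Rule(ADMIN_NET, CDE_LAN, 22, "allow"),
    ]),
}

CDE_HOSTS = ["10.50.0.10", "10.50.0.20"]   # constructed: app server, database
PORTS = [22, 443, 3306]


def vantage(scanner_ip: str) -> str:
    """Name the scan type a scanner at this address would be performing."""
    return {"internet": "external",
            "company": "internal (company LAN)",
            "cde": "internal (inside CDE)"}[zone(ip_address(scanner_ip))]


def scan_surface(scanner_ip: str) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs on CDE hosts that a scanner at scanner_ip
    can reach, i.e. what its scan results could ever contain."""
    src = ip_address(scanner_ip)
    hops = PATH_TO_CDE[zone(src)]
    reachable = []
    for host in CDE_HOSTS:
        dst = ip_address(host)
        for port in PORTS:
            # Every firewall on the path must permit the flow; an empty path
            # (scanner already inside the CDE) permits everything.
            if all(FIREWALLS[h].permits(src, dst, port) for h in hops):
                reachable.append((host, port))
    return reachable


if __name__ == "__main__":
    for ip in ["203.0.113.5", "10.0.3.7", "10.0.2.5", "10.50.0.99"]:
        print(f"{ip:>12}  {vantage(ip):<26} sees {scan_surface(ip)}")
```

Running it prints one line per vantage point: the internet scanner sees nothing in the CDE (so a quarterly ASV scan of the public address would not exercise the CDE at all), an ordinary company-LAN host sees only the app server's HTTPS port, the admin subnet additionally sees SSH on both CDE hosts, and a host inside the CDE sees all six host/port pairs. Replacing the rule lists with your own firewall policy turns this into a quick check that the segmentation matches what you expect each scan type to cover.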