System Responds to SYN+FIN Help 1

[Configureit]

I'm trying to become PCI compliant and the only thing holding me up is this SYN+FIN. I've created an ACL

access-list 161 deny tcp any any established fin psh syn urg
access-list 161 deny tcp any any rst syn
access-list 161 deny tcp any any fin rst syn
access-list 161 deny tcp any any established fin syn
access-list 161 deny tcp any any fin syn
access-list 161 deny tcp any any ack fin syn

I'm running a cisco 1712 with 12.3(7)xr

Below is what they are telling me.

System Responds to SYN+FIN
This device responded to a TCP packet with both the SYN and FIN
bits set. Such packets, which do not occur in normal network traffic,
have been used by attackers to bypass the security rules configured in
various firewalls.
Bugtraq: 7487
CVSSv2: AV:N/AC:L/Au:N/C:N/I/A:N (Base Score:5.00)

We are using NAT with no current firewall configred, any help would be great.

Thank you

 

[brianinms]

Well that is what you call a false positive. Whoever conducted the assessment merely ran a Nessus scan and printed out the report. Basically they didn't have a clue what they are doing. Bugtraq id 7487 doesn't affect Cisco products thus you are in the clear as it is a false positive.

http://www.securityfocus.com/bid/7487/info

On a side note PCI DSS requires stateful packet inspection and that is a feature that a router such as the 1721 doesn't offer. I would look to upgrade to a Cisco ASA.

 

[Configureit]

Brianinms thank you for the help, after reading your post and doing a little more pointed research, I appealed the scan findings and they now show me as PCI Compliant, they didn't even ask me any questions regarding the appeal. Again I appreciate the help.