When a hostname proxied through Cloudflare is not properly configured and accepts traffic on ports beyond the ones its web application actually uses, scanning it for Payment Card Industry Data Security Standard (PCI DSS) compliance can be time-consuming for several reasons. The underlying cause is that Cloudflare's proxy answers on its whole set of supported HTTP and HTTPS ports at the edge, so an external scanner pointed at the proxied hostname sees all of those ports open regardless of which ports the origin server exposes:
A PCI DSS external vulnerability scan (performed by an Approved Scanning Vendor) must cover every port on every in-scope address to find open services and the vulnerabilities they may carry; it is not limited to the ports the web application uses. Every additional port the proxy answers on therefore has to be probed, which lengthens a comprehensive scan.
For each open port the scanner has to fingerprint the service behind it before it can judge that service against PCI DSS requirements. Ports that are answered by the edge proxy rather than by the application add service identification and analysis work for no compliance benefit.
Scanning those extra ports also tends to produce false positives: the scanner attributes findings to the hostname that really describe the proxy, or flags an unrelated service as a vulnerability or non-compliance issue. Each such finding has to be investigated, documented and, if genuinely inapplicable, disputed with the scanning vendor before it can be excluded from the final assessment.
Where a non-compliant service or a real vulnerability is found on one of the additional ports, it must be remediated, by reconfiguring, patching or otherwise securing the service, before the scan can pass, which further delays compliance.
Scanning more ports and services also costs more: the scan takes longer and consumes more resources on both the scanner and the target, which can affect the performance of the target and other network components while it runs.
To streamline PCI compliance scanning, configure the Cloudflare-proxied hostname so that only the ports the web application needs (typically 80 and 443) accept traffic, and block requests arriving at the edge on every other port. That focuses the scan on the components that matter and reduces scan time, investigation effort and the false positives associated with ports the application does not use.
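The following script is an added example and is not code from the original page or from Cloudflare. It takes a scan report for a proxied hostname, separates the open ports into those the application uses, those that are answered by Cloudflare's edge and should be closed with a WAF rule, and those outside Cloudflare's HTTP/HTTPS port set that need a manual look, and then renders the custom-rule expression that blocks the unused ports. The scan output is constructed, the application's port allowlist of 80 and 443 is an assumption, the port sets come from Cloudflare's published list of supported HTTP and HTTPS ports, and the rule text uses the cf.edge.server_port field of Cloudflare's rules language (the helper that generates it is this example's own).

```python
"""
Triage external scan findings for a Cloudflare-proxied hostname and emit the
WAF custom-rule expression that closes the ports the application does not use.

Added example; not code from the original page or from Cloudflare.
"""
from __future__ import annotations

import re

# Ports Cloudflare's proxy accepts for HTTP and HTTPS, per Cloudflare's
# published list of supported network ports. A proxied hostname answers on all
# of them at the edge, whatever the origin actually listens on.
CLOUDFLARE_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CLOUDFLARE_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}
CLOUDFLARE_PROXY_PORTS = CLOUDFLARE_HTTP_PORTS | CLOUDFLARE_HTTPS_PORTS

# Constructed sample in nmap "grepable" (-oG) style; not real scan output, and
# 203.0.113.10 is a documentation address, not a Cloudflare edge IP.
SAMPLE_SCAN = """\
Host: 203.0.113.10 ()	Status: Up
Host: 203.0.113.10 ()	Ports: 80/open/tcp//http///, 443/open/tcp//ssl|https///, 2052/open/tcp//clearvisn///, 2083/open/tcp//ssl|radsec///, 8080/open/tcp//http-proxy///, 8443/open/tcp//ssl|https-alt///	Ignored State: filtered (65530)
"""

PORT_RE = re.compile(r"(\d+)/open/tcp")


def open_ports(grepable: str) -> set[int]:
    """Return the set of TCP ports reported as open in nmap -oG output."""
    return {int(m.group(1)) for m in PORT_RE.finditer(grepable)}


def triage(found: set[int], app_ports: set[int]) -> dict[str, list[int]]:
    """Split the open ports into three buckets:
    - application: ports the web application really uses (keep)
    - block_at_edge: Cloudflare proxy ports the app does not use; close them
      with a WAF rule so the scanner no longer sees them open
    - unexpected: ports outside Cloudflare's HTTP/HTTPS proxy set; on a
      proxied hostname these are not explained by the edge and need review
    """
    return {
        "application": sorted(found & app_ports),
        "block_at_edge": sorted((found & CLOUDFLARE_PROXY_PORTS) - app_ports),
        "unexpected": sorted(found - CLOUDFLARE_PROXY_PORTS - app_ports),
    }


def waf_block_expression(app_ports: set[int]) -> str:
    """Render a Cloudflare custom-rule expression (to be paired with the Block
    action) that matches requests arriving at the edge on any port other than
    the application's own. cf.edge.server_port is the rules-language field for
    the port on which Cloudflare received the request."""
    ports = " ".join(str(p) for p in sorted(app_ports))
    return f"(not cf.edge.server_port in {{{ports}}})"


if __name__ == "__main__":
    # Assumption: the application is served only on 80 and 443.
    app = {80, 443}
    found = open_ports(SAMPLE_SCAN)
    result = triage(found, app)
    for bucket, ports in result.items():
        print(f"{bucket:>14}: {ports}")
    print("WAF rule (action Block):", waf_block_expression(app))
```

The "block_at_edge" bucket is the set the recommendation above is about: those ports are open at Cloudflare, not at the origin, so no origin firewall change will close them; the generated expression, deployed as a custom rule with the Block action, is what makes the scanner see them closed. Anything in "unexpected" should be traced by hand, since it is not accounted for by the proxy.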
How to block traffic on additional ports: