This is a different version of something that has been posted here by multiple people: Pepwaves failing PCI compliance scans due to responding on TCP 32015 (SpeedFusion) and because they fail on the certificate.
This has gone from an annoyance to a major problem due to Trustwave expanding the standard scan to cover all these ports, and to fail based on invalid certs.
I know that we can solve the cert issue by manually installing a cert from Let's Encrypt (you can install a cert for the web admin via InControl, but not for SpeedFusion). But I really, really do not want to do that for 400 devices!
But... these Pepwaves are the SpeedFusion remote peer. They all have the OTHER end's remote IP listed. Why are they even responding to the scan? I.e. if device X is only supposed to connect to device Y at IP 18.104.22.168, why is device X responding on port 32015 from any other IP? Why allow people to see/attack this port at all?
So, my request is to have an optional checkbox (default checked) on the SpeedFusion profile screen saying "Only respond to listed IPs". If checked, then the Pepwave should silently drop any packet to the SpeedFusion port unless it is from an IP in the "Remote IP Address / Host Names (Optional)" list.
(Edit) Or, alternatively, if the remote unit has the IP entered for the other end, does it EVER need to respond to unsolicited inbound? Could it just be a checkbox (again default checked) saying "If remote IPs listed, do not respond on inbound requests" or something like that.
I currently have 20 or 30 customers kicking my ass over this.
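The filtering behaviour the post asks for, written out as an added example (this is not Peplink firmware code and not anything from the thread). It models a SpeedFusion-style profile as a plain dict, treats the "Remote IP Address / Host Names (Optional)" field as a list of IPs, CIDRs or host names, and evaluates both proposals: "listed-only" (accept port 32015 only from listed peers) and "no-unsolicited" (drop every inbound packet to port 32015 when peers are listed, because the device dials out). The host-name table, the profile keys, the probe addresses and the `nft_rules` renderer are all assumptions made for the example; only TCP 32015 comes from the post.

```python
"""Policy model of "only respond to listed IPs" for a SpeedFusion-style
peer port.  Added example; assumptions are marked in comments."""
import ipaddress
from typing import Dict, Iterable, List, Union

SPEEDFUSION_TCP_PORT = 32015  # the port named in the post

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed stand-in for DNS resolution (assumption, not real data).  A real
# implementation would resolve at profile load and re-resolve periodically so
# a changed peer A/AAAA record does not lock the peer out.
RESOLVED_HOSTS: Dict[str, List[str]] = {
    "hub.example.net": ["203.0.113.10", "2001:db8::10"],
}


def resolve_peers(entries: Iterable[str]) -> List[Network]:
    """Turn the peer list (IPs, CIDRs or host names) into network objects.
    Unknown host names resolve to nothing, so they never widen the allowlist."""
    nets: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:  # not an address or prefix: treat as a host name
            for addr in RESOLVED_HOSTS.get(entry.lower(), []):
                nets.append(ipaddress.ip_network(addr))
    return nets


def filter_inbound(profile: dict, src_ip: str, dst_port: int) -> str:
    """Verdict ("ACCEPT" or "DROP") for an inbound packet.

    profile keys (assumed): "remote_peers" list, "mode" in
      "listed-only"     accept SpeedFusion port only from listed peers
      "no-unsolicited"  drop everything to the port when peers are listed
      "open"            current behaviour, answer anyone
    An empty peer list means this is the hub side and must stay open.
    DROP is silent: no RST and no TLS handshake, so a scanner sees a
    filtered port instead of a certificate to complain about.
    """
    if dst_port != SPEEDFUSION_TCP_PORT:
        return "ACCEPT"  # other ports are outside this rule
    mode = profile.get("mode", "listed-only")
    peers = resolve_peers(profile.get("remote_peers", []))
    if mode == "open" or not peers:
        return "ACCEPT"
    if mode == "no-unsolicited":
        # Return traffic for the tunnel this device dials out arrives on an
        # ephemeral port and is matched by the firewall's established-state
        # rule, so nothing legitimate ever needs dst port 32015 here.
        return "DROP"
    src = ipaddress.ip_address(src_ip)
    return "ACCEPT" if any(src in net for net in peers) else "DROP"


def simulate_scan(profile: dict, probe_sources: Iterable[str]) -> Dict[str, str]:
    """What a scanner at each source address would get on the port."""
    return {ip: filter_inbound(profile, ip, SPEEDFUSION_TCP_PORT)
            for ip in probe_sources}


def nft_rules(profile: dict, chain: str = "inet filter input") -> List[str]:
    """Render the same policy as nftables rules, to try the behaviour on a
    Linux box in front of a test device before a scan (assumed helper)."""
    peers = resolve_peers(profile.get("remote_peers", []))
    mode = profile.get("mode", "listed-only")
    port = SPEEDFUSION_TCP_PORT
    if mode == "open" or not peers:
        return []
    if mode == "no-unsolicited":
        return [f"add rule {chain} tcp dport {port} drop"]
    v4 = [str(n) for n in peers if n.version == 4]
    v6 = [str(n) for n in peers if n.version == 6]
    rules = []
    if v4:
        rules.append(f"add rule {chain} tcp dport {port} ip saddr "
                     f"{{ {', '.join(v4)} }} accept")
    if v6:
        rules.append(f"add rule {chain} tcp dport {port} ip6 saddr "
                     f"{{ {', '.join(v6)} }} accept")
    rules.append(f"add rule {chain} tcp dport {port} drop")
    return rules


if __name__ == "__main__":
    remote = {"mode": "listed-only",
              "remote_peers": ["18.104.22.168", "hub.example.net"]}
    print(simulate_scan(remote, ["18.104.22.168", "198.51.100.7"]))
    print("\n".join(nft_rules(remote)))
```

The empty-peer-list case is the one to watch: the hub side of the tunnel has no remote addresses configured and must keep answering, so the checkbox only bites on the remote units the post is about.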