Filtering on the external interface is suggested for remediation of this QID. Specifically, what is expected in "filtering?"
Our IPS is on the external side of the FW, so we ACL those ports off on that port pair as a way to block the ports. Not ideal, but quicker than the FW admins doing it in our environment.
Typically for PCI Compliance any Administration of core devices should occur securely, from an internal perspective. There is an inherent risk in having Administrative Interfaces open to the internet, where any internet user could attempt to login to the device.
PCI recommends that administrative interfaces only be accessible from specific IP ranges, such as your internal corporate ranges. The idea is that if an administrator needed to access that device when remote, they could first VPN into your company and then remote over to the device, as opposed to accessing it directly over the internet.
The solution would therefore be to filter off these administrative ports/interfaces by using an ACL to only allow your corporate IP ranges to access those ports.