We have had to get our home network scanned internally for PCI compliance. The only "high risk" problem that is flagged (causing us to fail the scan) is that Airport Utility sends the Airport Extreme administration password across the network effectively unencrypted.
What's really surprising is that this problem has existed since 2003.
The scanning tool I'm using suggests the solution is to 1) block port 5009, and 2) administer the Airport Extreme only via a direct connection with a cross-over cable.
However, another security site suggests that Apple's response to the vulnerability is that the Airport Extreme should only be administered using an encrypted Airport connection, but that the security site disagrees (presumably because at the time this involved WEP) and says a wired connection is required.
I'm fairly new to this PCI compliance stuff - but my interpretation is that we need to pass the scan to comply. However, there seems to be no way to configure the Airport Extreme to block port 5009. Therefore even if I only administer the unit securely (via WPA2 or by crossover cable so that the password is not sent around the network unencrypted) it will still fail the internal scan.
The network is very small, in a domestic property, so in reality there is almost zero risk, so it doesn't feel like it warrants buying another brand of router.
Has anyone dealt with this scenario of Airport Extreme failing Internal Network Vulnerability Scans? Is there any way of configuring it to block port 5009? When I try to use port mapping it tells me that the port conflicts with a configuration port.