SSL VPN Configuration not passing compliance scans
Hello, we need to do PCI compliance and our SSL VPN keeps getting flagged as a vulnerability. Is there anything I can do to make this not get flagged? Or is there a different mobile VPN that is recommended?
Thanks,
Comments
What are the details of the reported vulnerability ?
Hi @Meeks
There are a few things you can do, but we'd need more details on what's being hit in the scan (please be sure to exclude any bits with your public hostname/IP).
- Ensure you're running the latest version of Fireware. You can find it at software.watchguard.com.
- Check your encryption and authentication settings in the advanced tab of your SSLVPN. Ensure you're using something modern (MD5 and Blowfish would be bad; AES 256 would be better).
- Ensure that your certificate is up to date. PCI generally requires that you use a certificate that is signed by a 3rd-party certificate authority. If you're using a self-signed certificate, or it's expired, that will usually cause them to flag it as an issue.
Thank you,
-James Carson
WatchGuard Customer Support
SSL version 3.0 and self-signed certificates are the big ones.
Hi @Meeks
We don't use SSLv3 on the newer versions of Fireware -- so upgrading to the newest version of Fireware will be your best bet. You can find that at software.watchguard.com.
For the self-signed certificate, you'll need to get a certificate that's signed by a 3rd-party Cert Authority and install it on the firewall. If you already have one (like a wildcard certificate for your domain) you can use that too, provided you have the public and private key.
(Import and Install a Third-Party Web Server Certificate)
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/thirdparty_webserver_certificate_c.html
-James Carson
WatchGuard Customer Support
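The two support replies above boil down to three things a scanner looks at on the SSL VPN port: the protocol version the portal negotiates, the cipher it picks, and whether the certificate chains to a trusted CA and is unexpired. The script below is an added example for checking those yourself before the ASV scan runs; it is not code from the thread or from WatchGuard. The `probe()` function connects to a host you supply (the hostname in the sample is a placeholder), and the `assess()` function applies the checks to what came back. The list of weak-cipher markers, the 30-day expiry warning and the `SAMPLE_*` certificate dictionaries are constructed assumptions of this example, and the protocol list includes the early TLS versions that ASV scans commonly flag alongside the SSLv3 raised in the thread. An untrusted (self-signed or unknown-issuer) certificate is reported the same way a scanner sees it: the default Python context refuses the handshake, so the certificate dictionary comes back empty.

```python
"""Pre-scan checks for an SSL VPN portal: negotiated protocol, cipher, and
certificate trust/expiry. Added example, not WatchGuard's own tooling."""
import socket
import ssl
import sys
import time

# SSLv3 (raised in the thread) plus the early TLS versions ASV scans commonly flag.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that indicate a weak suite (assumed list).
WEAK_CIPHER_MARKERS = ("MD5", "RC4", "DES", "BF", "NULL", "EXPORT", "anon")
EXPIRY_WARNING_DAYS = 30  # assumed threshold for an "about to expire" warning


def is_self_signed(cert):
    """cert is the dict returned by SSLSocket.getpeercert(); a self-signed
    certificate carries the same distinguished name as subject and issuer."""
    return cert.get("subject") == cert.get("issuer")


def days_until_expiry(cert, now=None):
    """Days remaining on the certificate's notAfter date (negative if expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def is_weak_protocol(version):
    return version in WEAK_PROTOCOLS


def is_weak_cipher(cipher_name):
    return any(marker in cipher_name for marker in WEAK_CIPHER_MARKERS)


def assess(cert, protocol, cipher_name, now=None):
    """Return a list of findings a PCI scanner would raise; empty means clean."""
    findings = []
    if is_weak_protocol(protocol):
        findings.append(f"legacy protocol negotiated: {protocol}")
    if is_weak_cipher(cipher_name):
        findings.append(f"weak cipher negotiated: {cipher_name}")
    if not cert:
        findings.append("certificate not trusted by the local CA store "
                        "(self-signed or unknown issuer)")
        return findings
    if is_self_signed(cert):
        findings.append("certificate is self-signed")
    days = days_until_expiry(cert, now)
    if days < 0:
        findings.append(f"certificate expired {-days:.0f} days ago")
    elif days < EXPIRY_WARNING_DAYS:
        findings.append(f"certificate expires in {days:.0f} days")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect to the portal and return (cert_dict, protocol, cipher_name).
    cert_dict is {} when the certificate fails trust verification."""
    trusted = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with trusted.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), tls.version(), tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        pass
    # Retry without verification only to learn the negotiated protocol/cipher.
    unverified = ssl.create_default_context()
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with unverified.wrap_socket(sock, server_hostname=host) as tls:
            return {}, tls.version(), tls.cipher()[0]


# Constructed sample certificates in getpeercert() layout (not real endpoints).
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "vpn.example.invalid"),),),
    "issuer": ((("commonName", "vpn.example.invalid"),),),
    "notBefore": "Jan 15 00:00:00 2020 GMT",
    "notAfter": "Jan 15 00:00:00 2021 GMT",
}
SAMPLE_CA_SIGNED = {
    "subject": ((("commonName", "vpn.example.invalid"),),),
    "issuer": ((("organizationName", "Example Public CA"),),),
    "notBefore": "Jan 15 00:00:00 2024 GMT",
    "notAfter": "Jan 15 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    # Usage: python sslvpn_precheck.py vpn.example.invalid [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    cert, proto, cipher = probe(target, target_port)
    print(f"{target}:{target_port} negotiated {proto} / {cipher}")
    for finding in assess(cert, proto, cipher) or ["no findings"]:
        print(" -", finding)
```

Run it against the SSL VPN portal's public hostname after applying the advice above; a clean result (TLS 1.2 or 1.3, an AES-GCM or ChaCha suite, and a CA-signed certificate with time left on it) is what the scanner expects to see. Note that this only reports what the server prefers, not every legacy version it would still accept; a true downgrade test needs a client that can offer the old protocols.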
I have a bookkeeper client who gets the SSLVPN flagged every time a PCI scan is done. She has 12.5.2 U1 and a public cert. The issue with the company that does the scan is that if it sees ANY port open, they flag it, PERIOD. We have to explain to them each time what it is and show why it is secure, then they make an exception. For this company, the point is not whether or not the port is secure, it's whether or not it's open at all.
Gregg Hill