Title: Vulnerabilities
Post by: fackler on Wednesday 20 January 2010, 07:29:40 am

I have been setting up EFW for evaluation for going into a production area, and part of the eval is to run security scans on it. So I run Nessus on the thing and come back with a disconcerting number of vulnerabilities for what is supposed to be a network-securing device. Here are some of the vulnerabilities:

80/tcp  HTTP Server
    Medium  HTTP TRACE / TRACK Methods Allowed

3001/tcp  NTOP Server
    Medium  SSL Medium Strength Cipher Suites Supported
    Medium  SSL Weak Cipher Suites Supported
    Medium  SSL Certificate Expiry
    Medium  SSL Version 2 (v2) Protocol Detection

10443/tcp  HTTPS Server
    Medium  SSL Weak Cipher Suites Supported
    Medium  SSL Medium Strength Cipher Suites Supported

What's the deal, guys? Did you forget to test your product against a vulnerability scanner? Some of you may be thinking, "Yes, but those ports are only exposed internally." I may end up having to use that excuse, er, mitigating control, but that still presents me with something I have to convince my auditor about, and I don't like the implications for real security.

I wouldn't be so grouchy if you hadn't gone and moved all the furniture around, though. What the heck did you do with ssl.conf? And how do I secure NTOP's little server?

Title: Re: Vulnerabilities
Post by: kcwhited on Thursday 28 January 2010, 08:02:18 am

I have a similar issue; if anyone knows where to find ssl.conf, it would be appreciated.

Not sure what you are looking for with NTOP, though...

Title: Re: Vulnerabilities
Post by: fackler on Thursday 11 February 2010, 07:58:41 am

NTOP is where the "Traffic Graphs" page in the "Status" section comes from. If you go to "Services" -> "Traffic Monitoring" and then click "Enable Traffic Monitoring", you will activate the NTOP web server. It is hosted on port 3001. It will give you loads of nifty information about your network traffic.

I think the only thing you turn off with the "Enable Traffic Monitoring" button is NTOP's web server, because the "Status" -> "Traffic Graphs" page seems unaffected by turning off "Traffic Monitoring". The problem with NTOP's little web server, though, is that they used a weak cipher suite and the certificate has expired. So every time I scan the firewall I get those vulnerabilities. It is uncomfortable, to say the least, when you are trying to explain to the security auditor why your primary network-securing device has vulnerabilities like this.

So I guess it comes down to: how do I update/change the SSL certificates for EFW's HTTP interface, and how do I do the same for NTOP's web server?
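The three Nessus findings the thread keeps coming back to (TRACE/TRACK allowed on port 80, SSLv2 accepted on 3001, and an expired certificate on 3001/10443) are cheap to re-check by hand, which is useful both for confirming a fix before the next scan and for showing the auditor exactly what the scanner saw. The script below is an added example written for this page; it is not code from the original posts or from the EFW project. It speaks raw SSL 2.0 (a hand-built CLIENT-HELLO, which a TLS-only server answers with an alert or a closed connection instead of a SERVER-HELLO), sends a literal TRACE/TRACK request and looks for the echoed request line, and reads the certificate's notAfter date through openssl(1), which it assumes is installed. The default host address 192.0.2.10 is a placeholder for the firewall's internal address; the ports are the ones from the scan output above.

```python
import os
import socket
import ssl
import subprocess
from datetime import datetime, timezone

# SSL 2.0 CIPHER-KINDs (3-byte codes from the SSL 2.0 spec). Offering all of them
# is what an SSLv2 detection plugin does, so a v2-capable server will pick one.
SSLV2_CIPHERS = bytes.fromhex(
    "010080"   # SSL_CK_RC4_128_WITH_MD5
    "020080"   # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"   # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"   # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "050080"   # SSL_CK_IDEA_128_CBC_WITH_MD5
    "060040"   # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"   # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)


def sslv2_client_hello(challenge=b"\x00" * 16):
    """Build an SSL 2.0 CLIENT-HELLO record: 2-byte header (high bit set = no padding byte)."""
    body = (b"\x01"                                  # MSG-CLIENT-HELLO
            + b"\x00\x02"                            # CLIENT-VERSION 2.0
            + len(SSLV2_CIPHERS).to_bytes(2, "big")  # CIPHER-SPECS-LENGTH
            + b"\x00\x00"                            # SESSION-ID-LENGTH (no resumption)
            + len(challenge).to_bytes(2, "big")      # CHALLENGE-LENGTH
            + SSLV2_CIPHERS + challenge)
    return (0x8000 | len(body)).to_bytes(2, "big") + body


def is_sslv2_server_hello(data):
    """True if the reply is an SSL 2.0 SERVER-HELLO: 2-byte header, MSG type 4, version 0x0002."""
    return len(data) >= 7 and bool(data[0] & 0x80) and data[2] == 0x04 and data[5:7] == b"\x00\x02"


def probe_sslv2(host, port, timeout=5.0):
    """Send a CLIENT-HELLO; only a server that still speaks SSLv2 answers with a SERVER-HELLO.
    A TLS-only server sends a TLS alert record (first byte 0x15) or just closes the socket."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(sslv2_client_hello(os.urandom(16)))
        try:
            return is_sslv2_server_hello(s.recv(64))
        except (socket.timeout, ConnectionResetError):
            return False


def classify_trace_response(raw, method="TRACE"):
    """Return (status_code, echoed) for the raw bytes an HTTP server sent back to a TRACE/TRACK."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split()
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    # A working TRACE answers 200 (Content-Type: message/http) and echoes our request line back
    return status, status == 200 and body.lstrip().startswith(method.encode() + b" ")


def probe_trace(host, port, method="TRACE", timeout=5.0):
    """Ask the server to echo our request. Try both TRACE and TRACK (the IIS spelling)."""
    req = f"{method} / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return classify_trace_response(b"".join(chunks), method)


def parse_ssl_time(s):
    """Parse the notAfter format openssl prints, e.g. 'Jan 20 07:29:40 2010 GMT'."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def days_until_expiry(not_after, now=None):
    """Negative means the certificate has already expired (Nessus: 'SSL Certificate Expiry')."""
    return (parse_ssl_time(not_after) - (now or datetime.now(timezone.utc))).days


def cert_days_left(host, port):
    """Fetch the (self-signed, so unverified) server cert and read its notAfter via openssl(1)."""
    pem = ssl.get_server_certificate((host, port))
    out = subprocess.run(["openssl", "x509", "-noout", "-enddate"], input=pem,
                         capture_output=True, text=True, check=True).stdout
    return days_until_expiry(out.strip().split("=", 1)[1])


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder: the EFW's internal address
    for method in ("TRACE", "TRACK"):
        print(f"{host}:80 {method}:", probe_trace(host, 80, method))
    for port in (3001, 10443):  # NTOP and the EFW admin UI, as in the Nessus output above
        print(f"{host}:{port} SSLv2 accepted:", probe_sslv2(host, port),
              "| cert days left:", cert_days_left(host, port))
```

Run it as `python3 recheck.py <firewall-address>` from a host on the internal network. A `(200, True)` for TRACE reproduces the port 80 finding; `SSLv2 accepted: True` reproduces the v2 finding on 3001; a negative day count is the expired certificate. The weak/medium cipher findings are not rechecked here because a current Python/OpenSSL build will usually refuse to even offer RC4, DES or export suites; `openssl s_client -cipher LOW:EXPORT -connect host:port` from an older OpenSSL, or the scanner itself, is the practical check for those.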
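For the port 80 and 10443 findings, the fix lives in the web server configuration fackler is looking for. The fragment below is an added example, not EFW's own ssl.conf and not something from the thread; it assumes the EFW admin interface is served by Apache httpd, as the reference to ssl.conf suggests, and that the file paths are adjusted to wherever that install keeps its vhost and certificate. The first two directives clear "TRACE / TRACK Methods Allowed" and "SSL Version 2 (v2) Protocol Detection"; the cipher list clears the weak and medium strength cipher findings by refusing export, RC4, single DES and NULL suites.

```apache
# Added hardening for the EFW web UI vhost (assumes Apache httpd 2.2+; paths are placeholders)
TraceEnable off                      # refuse HTTP TRACE; Apache never implements TRACK

<VirtualHost *:10443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3    # no SSL 2.0 (or 3.0) handshakes at all
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!DES:!3DES:!MD5
    SSLHonorCipherOrder on           # server picks from the list, not the client
    SSLCertificateFile    /etc/httpd/ssl/efw.crt   # placeholder: replace the expired self-signed cert
    SSLCertificateKeyFile /etc/httpd/ssl/efw.key   # placeholder
</VirtualHost>
```

To replace an expired self-signed certificate, generate a new pair with `openssl req -x509 -newkey rsa:2048 -nodes -days 825 -keyout efw.key -out efw.crt -subj "/CN=<firewall-hostname>"`, point the two directives at it and restart httpd. NTOP's port 3001 is a separate web server built into ntop, so these Apache directives do nothing for it; its "SSL Certificate Expiry" finding needs ntop's own certificate file replaced (ntop reads a PEM file named ntop-cert.pem from its configuration directory, an assumption to verify against the ntop build EFW ships, since the thread does not say where it lives), and its cipher and SSLv2 behaviour is whatever that ntop build's OpenSSL defaults allow. If ntop cannot be tightened, the defensible option is the one the first post anticipates: keep "Traffic Monitoring" disabled except when you need the graphs, and document that 3001 is not reachable from any untrusted segment.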