Security

Reply
Regular Contributor I

ClearPass Policy Manager PCI-DSS scan

According to PCI requirements 4.1, you must “use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.” 

 

When scanning CPPM for these requirements, it fails the PCI scan with the following results:

 

_______________________________________________________________

Supported Server Cipher(s):
Accepted SSLv3 256 bits DHE-RSA-AES256-SHA
Accepted SSLv3 256 bits AES256-SHA
Accepted SSLv3 128 bits DHE-RSA-AES128-SHA
Accepted SSLv3 128 bits AES128-SHA
Accepted SSLv3 168 bits EDH-RSA-DES-CBC3-SHA
Accepted SSLv3 168 bits DES-CBC3-SHA
Accepted TLSv1 256 bits DHE-RSA-AES256-SHA
Accepted TLSv1 256 bits AES256-SHA
Accepted TLSv1 128 bits DHE-RSA-AES128-SHA
Accepted TLSv1 128 bits AES128-SHA
Accepted TLSv1 168 bits EDH-RSA-DES-CBC3-SHA
Accepted TLSv1 168 bits DES-CBC3-SHA

 

Prefered Server Cipher(s):
SSLv3 256 bits DHE-RSA-AES256-SHA
TLSv1 256 bits DHE-RSA-AES256-SHA

_______________________________________________________________

 

It needs to be SSLv3 RC4 128 for preferred cipher or similar to below:

 

ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"

 

TAC is telling me that the apache settings shall not be modified as this could affect other services using TLS/SSL. Please find the default cipher configuration on Clearpass SSL configuration file.

 

#   SSL Cipher Suite:

# List the ciphers that the client is permitted to negotiate.

# See the mod_ssl documentation for a complete list.

SSLCipherSuite ALL:!aNULL:!EXPORT:!SSLv2:RC4+RSA:+HIGH:-MEDIUM:-LOW

 

Has anyone had to deal with this and if so, how do you correct the issue? 

Regards,

Josh
___________
ACMP, ACCP

Re: ClearPass Policy Manager PCI-DSS scan

You can submit an email and see all our latest notices for vulnerabilities here:

http://www.arubanetworks.com/support-services/security-bulletins/

 

Some times the compliance scanners out there yield false positives due to "backporting" of patches and updates.  It is recommended to perform an authenticated scan into Clearpass for more accurate results.

Seth R. Fiermonti
Consulting Systems Engineer - ACCX, ACDX, ACMX
Email: seth@hpe.com
-----
If you found my post helpful, please give kudos
Regular Contributor I

Re: ClearPass Policy Manager PCI-DSS scan

Forgive my ignorance but can you elaborate on what you mean by an authenticated scan?

Regards,

Josh
___________
ACMP, ACCP
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: