Problem with Security Cert. /PCI Compliance Problems.

hpchadmn67
Level 1

We recently replaced an older RV042 router with a brand new RV042 v3 in the office. Shortly thereafter, we started failing our PCI compliance scans from SecurityMetrics. Basically, in order to stay "verified secure", SecurityMetrics just routinely scans our public IP address for security vulnerabilities because we handle some sensitive information in our organization. The scan results are as follows:

Security Vulnerabilities

Protocol: TCP
Port: 443
Program: https
Risk: 4
Synopsis: The remote service supports the use of anonymous SSL ciphers.
Description: The remote host supports the use of anonymous SSL ciphers. While this enables an administrator to set up a service that encrypts traffic without having to generate and configure SSL certificates, it offers no way to verify the remote host's identity and renders the service vulnerable to a man-in-the-middle attack. Note: This is considerably easier to exploit if the attacker is on the same physical network.
See also: http://www.openssl.org/docs/apps/ciphers.html
Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)

Protocol: TCP
Port: 443
Program: https
Risk: 4
Synopsis: The remote service supports the use of medium strength SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)



Whenever I go to log on to the router with a browser (IE, Firefox, Chrome), I get a warning that there is a problem with the security certificate and I have to add an exception in order to view the page. I think these two problems are somehow related but I haven't found a solution yet.

SecurityMetrics support pretty much said it's not their problem and to contact the router mfg. instead.

Any suggestions?

5 Replies

David Carr
Level 6

Tyson,

Make sure that administration to the router via https is turned off.  Then turn off remote management and remote vpn options.

After that you should pass the pci compliance scan.

Can you tell me where that setting is located? I had thought of that before but never found an option to disable it.

::edit::

Setting for disabling https admin, that is.

According to the release notes, firmware 4.0.3.03 has resolved this issue.

Disabled support for low- and medium-strength ciphers (for example, 128 bits or shorter) for SSL encryption.

Tyson,

Under firewall tab,

Make sure remote management is disabled.

Now disable HTTPS

Save settings.

Thanks,

Jasbryan

Cisco Support Engineer

.:|:.:|:.

Thanks. I will try simply disabling the https first and if that doesn't work, I'll upgrade the firmware.

I can't run a scan on demand so I'll have to wait a few days until the next one runs.
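Added example, not part of the thread and not Cisco's or SecurityMetrics' tooling: a small Python check that applies the two definitions from the scan report above (anonymous suites, and medium strength as at least 56 and less than 112 bits) to cipher-suite descriptions in the `openssl ciphers -v` layout. The sample lines are constructed, and the "low" label for keys under 56 bits is an assumption, since the report only defines the medium band.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`.
# These lines are illustrative; they were not captured from the RV042.
SAMPLE = """\
ADH-AES128-SHA   SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-DES-CBC-SHA  SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
DES-CBC-SHA      SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5      SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5 export
AES256-SHA       SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# name, protocol, Kx=, Au=, Enc=ALG(bits); bits are absent for Enc=None.
LINE = re.compile(
    r"^(?P<name>\S+)\s+\S+\s+Kx=\S+\s+Au=(?P<au>\S+)"
    r"\s+Enc=[^()\s]+(?:\((?P<bits>\d+)\))?"
)


def classify(line):
    """Return (suite_name, findings) for one line, or None if unparseable."""
    m = LINE.match(line.strip())
    if m is None:
        return None
    findings = []
    if m["au"] == "None":              # no server authentication at all
        findings.append("anonymous")
    bits = int(m["bits"] or 0)         # Enc=None means no encryption
    if 56 <= bits < 112:               # the scan report's "medium" band
        findings.append("medium")
    elif bits < 56:                    # assumption: below that band is "low"
        findings.append("low")
    return m["name"], findings


def audit(text):
    """Map each flagged suite name to the list of reasons it was flagged."""
    report = {}
    for line in text.splitlines():
        result = classify(line)
        if result and result[1]:
            report[result[0]] = result[1]
    return report


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name}: {', '.join(reasons)}")
```

The list of suites a device actually accepts has to come from a TLS scan of that device; `openssl ciphers -v` on its own only describes what the local OpenSSL build supports.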
