Tuesday, January 28, 2014

A word about achieving PCI compliance on Smoothwall systems

Many people use security scanning software to audit the network. Either generally as part of day-to-day network operations, or when evaluating some new product.

These tools are fine and serve a useful purpose.  However, as with many tools, they are only as good as the person interpreting the scan results.  Oftentimes we will have customers contact our Managed Services department with an enquiry about the results from such scans.  Occasionally it looks as if the Smoothwall system is rife with issues; the scanning software occasionally highlighting "critical" problems which, on closer inspection, mean very little at all from an real-world threat perspective.

Some examples of the kind of output you might see when scanning:

  • "The web-server presents a self-signed certificate" - This "vulnerability" relates to the fact that the Smoothwall, in a standard shipping configuration, presents its' HTTPS connection with an automatically created self-signed certificate and not one you could purchase from a Certificate Authority. Generally these self-signed certs are adequate for small deployments, and indeed you should consider that the scanner is highlighting a configuration decision made on the part of the administrator, and not showing a real world vulnerability.
  • "TCP Timestamp response" - TCP timestamps are a performance feature for increasing the speed of TCP sessions (RFC1323). Nonetheless, the PCI scan will show a low-level vulnerability because the TCP timestamp can be used to determine the target system's uptime, which is (theoretically) useful to an attacker. In any case this option can be disabled using the Networking > Settings > Advanced page. Note that Smoothwall ships with this option enabled, because in the general case network performance is paramount.
  • "ICMP timestamp response"- Similar to the above. ICMP timestamps, while a feature of a standards-compliant TCP/IP stack, are not very useful to anyone and present a generally useless information leak to a potential attacker. A future update will add the ability to disable these responses through the admin interface all the same. In the mean time, this should not be considered a concern and disabling this feature's biggest benefit will be to succeed in giving you warm fuzzy feelings because your scanner now produces less output.
  • "Apache HTTPD: ETag Inode Information Leakage"- ETags are a mechanism used by browsers to know if URLs have changed on the server, so that the browser can know if it has to re-download the URL. A current Smoothwall will generate these tags, to assist the browser in caching images etc. However, in 2003 a vulnerability report was raised against this behaviour in the Apache webserver which Smoothwall incorporates. This vulnerability relates specifically to the use of ETags in file sharing (NFS) setups, something that Smoothwall has never and will never do. This vulnerability is therefore a prime candidate to be considered a false-positive. But nevertheless, the utility of these ETags is not high, so in a a future update ETags will be disabled just to quieten this report from PCI scanners.
  • "Weak Cryptographic Key" - This is the closest thing to a genuine issue so far listed. Over time, computers become faster. This PCI scanner message is an artefact of this and appears because the previously described self-signed certificate is signed with a 1024 bit key. Only a few years ago this was considered excessively long, but up-to-date PCI scanners now flag this as being not completely adequate. It should be pointed out that breaking a "mere" 1024 bit key still requires many years, even with thousands of computers working at the problem. But still, the NSA is rumoured to be able to crack 1024 bit encryption. And in keeping with PCI recommendations, Smoothwall will switch to using 2048 bit keys in all of it's internally generated certificates and keys.
I hope the reader finds this information useful. As the old saying goes "Security is a process". There are no magic bullets, or black and white answers, but the following is a good start:
  • Keep your systems up to date
  • Expose services only to the people who need, and use them
  • Perform regular audits

No comments:

Post a Comment