PCI DSS Compliance on Cisco ACS 5.0
Dear
During our recent VA we were told that the vulnerabilities below exist in the ACS:
SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability on port 443
SSL Weak Cipher Suites Supported on port 2030
SSL Medium Strength Cipher Suites Supported on port 2030
Can anybody kindly guide me on how to solve these issues?
Best regards
Muralee
To log in to the ACS server and access the CLI, use an SSH secure shell client or the console port.
Accessing the ACS CLI
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.0/command/reference/CLIuse.html#wp1096003
Regards,
Jatin
Similar Messages
-
PCI DSS Compliance - Requirements 5 & 6
We are currently applying for PCI Compliance, and are required to answer the following questions. Since our solution is hosted on Windows Azure, are these questions relevant? Can anyone please suggest where we might establish the answers to these, with respect to our Azure environment?
Requirement 5: Use and regularly update anti-virus software or programs
5.1: Is anti-virus software deployed on all systems commonly affected by malicious software?
5.1.1: Are all anti-virus programs capable of detecting, removing and protecting against all known types of malicious software (for example, viruses, Trojans, worms, spyware, adware, and rootkits)?
5.2: Is all anti-virus software current, actively running, and generating audit logs, as follows:
(a) Does the anti-virus policy require updating of anti-virus software and definitions?
(b) Is the master installation of the software enabled for automatic updates and scans?
(c) Are automatic updates and periodic scans enabled?
(d) Are all anti-virus mechanisms generating audit logs, and are logs retained in accordance with PCI DSS Requirement 10.7?
Requirement 6: Develop and maintain secure systems and applications
6.1:
(a) Are all system components and software protected from known vulnerabilities by having the latest vendor-supplied security patches installed?
(b) Are critical security patches installed within one month of release?
Have a look at Microsoft Endpoint Protection for Windows Azure.
http://blogs.msdn.com/b/windowsazure/archive/2012/03/26/microsoft-endpoint-protection-for-windows-azure-customer-technology-preview-now-available-for-free-download.aspx
http://blog.maartenballiauw.be/post/2012/03/27/Protecting-Windows-Azure-Web-and-Worker-roles-from-malware.aspx
-
Achieving PCI DSS compliance of BPEL/ESB components?
Hi all,
I'd like to get some input on achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS). Issues arise in particular with dehydration and audit trails vs. requirements 3.3 and 3.4.
Has anyone looked at this and if so, how did you approach it?
Regards,
Diego
-
W2003 DNS cache snooping vulnerability for PCI-DSS compliance.
Hi everyone.
How can I solve this security vulnerability reported by Nessus (security software) with W2003's DNS?
DNS Server Cache Snooping Remote Information Disclosure
Synopsis:
The remote DNS server is vulnerable to cache snooping attacks.
Description:
The remote DNS server responds to queries for third-party domains that do not have the recursion bit set. This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited. For instance, if an attacker was interested in whether your company utilizes the online services of a particular financial institution, they would be able to use this attack to build a statistical model regarding company usage of that financial institution. Of course, the attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more. Note: If this is an internal DNS server not accessible to outside networks, attacks would be limited to the internal network. This may include employees, consultants and potentially users on a guest network or WiFi connection if supported.
Risk factor:
Medium
CVSS Base Score: 5.0
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
See also:
http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf
Solution:
Contact the vendor of the DNS software for a fix.
Plugin output:
Nessus sent a non-recursive query for example.com and received 1 answer : 192.0.43.10
I have been searching for a solution on the web, but I was unable to find one that would let me use "recursion" at our DNS server.
We have an internal DNS server for Active Directory, with forwarding to resolve external internet domains, as is a requirement of our application. But now the only way to fix this is to disable "recursion", and we are working with external IP addresses instead of internet DNS names, which is not a good solution for us.
I found something about splitting DNS functions, but my point is that we have all the servers, internal and DMZ, inside the same AD domain, so we need to use the same AD-integrated DNS server; notwithstanding, we must resolve external DNS records for our application. How can I do this without getting the same vulnerability again? I don't know how to do it by disabling "recursion": if I disable recursion I will be unable to resolve external DNS names.
Any suggestion will be really appreciated!!
thx!!
That's basically for your internet facing DNS. I wouldn't worry about it too much for internal DNS, since that's only hosting your internal AD zone.
Other than setting the "Secure cache against pollution" setting, you can also opt to disable caching of all records so each and every query is a fresh query. This actually fixes CNAME vs A record TTL mismatch issues too, not that you're probably seeing them, but I just wanted to add that:
Description of DNS registry entries in Windows 2000 Server, part 2 of 3 (applies to 2003, 2008 & 2008 R2)
http://support.microsoft.com/kb/813964
Cannot resolve names in certain top level domains like .co.uk.
http://blogs.technet.com/b/sbs/archive/2009/01/29/cannot-resolve-names-in-certain-top-level-domains-like-co-uk.aspx
============
To turn off or disable local cache (Windows 2000 notes, but they apply to all current OSs):
Set the MaxCacheTtl to 0 in the registry or use Dnscmd.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters
Value: MaxCacheTtl
Type: DWORD
Default: NoKey (Cache for up to one day)
Function: Set maximum caching TTL.
MaxCacheTtl
Type: DWORD
Default value: 0x15180 (86,400 seconds = 1 day)
Function: Determines how long the DNS server can save a record of a recursive name query.
You can use the MaxCacheTtl registry entry to specify how long the DNS server can save a record of a recursive name query. If the value of the MaxCacheTtl entry is 0x0, the DNS server does not save any records.
The DNS server saves the records of recursive name queries in a memory cache so that it can respond quickly to new queries for the same name. Records are deleted from the cache periodically to keep the cache content current. The interval when the records remain in the cache typically is determined by the value of the Time to Live (TTL) field in the record. The MaxCacheTtl entry establishes the maximum time that records can remain in the cache. The DNS server deletes records from the cache when the value of this entry expires, even if the value of the TTL field in the record is greater.
Change method
To change the value of the MaxCacheTtl entry, use Dnscmd.exe, a tool that is included with the Windows 2000 Support Tools. The change is effective immediately so that you do not have to restart the DNS server.
Start method
DNS reads its registry entries only when it starts. If you change the value of the MaxCacheTtl entry by editing the registry, the changes are not effective until you restart the DNS server.
Note the following items: Windows 2000 does not add the MaxCacheTtl entry to the registry. You can add it by editing the registry or by using a program that edits the registry.
The MaxCacheTtl entry does not affect Windows Internet Name Service (WINS) data that is saved in the DNS memory cache. WINS data is saved until the Cache Timeout Value on the WINS record expires. To view or change the Cache Timeout Value on the WINS record, use the DNS snap-in. Right-click a zone name, click Properties, click the WINS tab, and then click Advanced.
===============================
Ace
Ace Fekay
MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.
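The non-recursive (RD=0) probe that the Nessus finding in the DNS cache snooping thread above is based on, as an added example that is not part of the original posts: it builds the query, parses the reply without any third-party library, and classifies it so an administrator can confirm from the scanner's network segment that the resolver no longer serves cached third-party records. The sample replies are constructed; the 192.0.43.10 value is the one quoted in the plugin output above.

```python
import socket
import struct

def build_query(name, txid=0x1234, recursion_desired=False):
    """Build a DNS A/IN query. With recursion_desired=False the RD bit is clear,
    which is the probe Nessus uses: a resolver that still answers such a query
    for a third-party name is serving the record from its cache."""
    flags = 0x0100 if recursion_desired else 0x0000
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length == 0:
            offset += 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), (end if end is not None else offset)

def parse_response(msg):
    """Return rcode, the RA flag and any A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:                   # A record
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"txid": txid, "rcode": flags & 0x000F, "ra": bool(flags & 0x0080), "answers": answers}

def classify(result):
    """Interpret an RD=0 reply for a name the server is not authoritative for."""
    if result["rcode"] == 0 and result["answers"]:
        return "answered-from-cache"   # the condition Nessus reports as snoopable
    if result["rcode"] == 5:
        return "refused"
    return "no-answer"                 # empty answer or referral: nothing cached

def probe(server, name="example.com", timeout=2.0):
    """Send the RD=0 query to your own resolver and classify its reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        reply, _ = sock.recvfrom(4096)
    return classify(parse_response(reply))

# Constructed sample replies (no network needed): one served from cache, one refused.
QUESTION = b"\x07example\x03com\x00\x00\x01\x00\x01"
SAMPLE_CACHED = (bytes.fromhex("1234 8180 0001 0001 0000 0000") + QUESTION + b"\xc0\x0c"
                 + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 43, 10]))
SAMPLE_REFUSED = bytes.fromhex("1234 8185 0001 0000 0000 0000") + QUESTION

if __name__ == "__main__":
    for sample in (SAMPLE_CACHED, SAMPLE_REFUSED):
        print(classify(parse_response(sample)))
```

Run probe() only against resolvers you administer; a result of "answered-from-cache" from an untrusted segment means the finding still applies.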
-
Data Security Standard PCI-DSS - SAP Datacenter
Hello,
One of our prospects asked the following question: does the SAP Datacenter in Germany fulfill the requirements of PCI-DSS?
It seems that this Standard is related to the Payment Card Processing.
I checked all certificates but I don't find any information about that Standard.
Best Regards
Andreas Czech
-
PCI DSS - Payment Card Industry / Data Security Standard
Hello Gurus,
Has anyone implemented the necessary security around credit cards according to the latest PCI DSS? If so - I'd like to chat about that. It's no longer just encrypting the credit card information, it's much more... Would love to hear good and bad.
Thanks!
Gina
Hi Gina,
Did you find good information about PCI-DSS compliance topics with SAP from this forum? In particular we are looking at options to comply with requirement 11, File Integrity Monitoring.
We would appreciate any guidance.
Thank you, TMM
-
Looks like the RV042G needs another firmware update, as the units we have in the field are now not passing PCI DSS scans. Dealing with the compliance scanning companies, they are telling me that the firmware is the way to fix this. Here are the errors reported:
Cross-site scripting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
Description: Several types of web servers and CGI programs include the user's request in their response. For example, a request for the page http://server/nonexistent_page.html may cause the server to respond: The page nonexistent_page.html does not exist on this server.
Response splitting vulnerability in portalname parameter to /cgibin/userLogin.cgi - FAIL
Description: Some programs on web servers place user- supplied parameters into certain HTTP headers.
I am using port 443 for remote access to the devices. Moving the port simply changes the reported failure to that port. Any suggestions or has anyone heard for a firmware update coming soon for this device?
Thanks. John
Hi dwyerja01,
Unfortunately I do not think Cisco is going to do anything about this. I have emailed my sales support contact (no response), called tech support (clueless on when or if there will be a firmware update - the only way to fix this) and posted here (no response from Cisco).
With that said, we have begun a transition away from Cisco Small Business gear. While this is disappointing for us, supporting their router platform is just not a priority for them (or so it seems).
If we get lucky, maybe a new firmware will drop. Fingers crossed!
If I find or get more information I will post back here (please do the same).
John
-
LMS 4.2 PCI - DSS update
Hi,
Currently I'm using LMS 4.2 (compliance report feature) and pulled a PCI DSS report. In the report there are 27 kinds of rule titles.
I need to update it to the newer version available so all the rule titles are visible in the report. Are there any updates regarding the compliance reports?
Regards,
Channa
Hi All,
Any suggestions??
Regards,
Channa
-
Issue with Cisco ACS 4.2: users unable to log in to the AAA client, but after restarting group policy they are able to log in
-
hi,
I'm trying to set up a VPN solution, connecting to an 800 series router and authenticating off a Cisco ACS TACACS server.
I've basically followed the suggested config at http://www.cisco.com/en/US/customer/tech/tk59/technologies_configuration_example09186a00800a393b.shtml and the setup works fine if I use local authentication, but as soon as I switch to using TACACS the client authentication fails.
Debugging TACACS on the router I can see the requests being sent to the server, and the replies coming back - the login details are definitely correct, so I'm guessing that TACACS isn't authorising me to use VPN or IPSEC or something. But there is nothing in the ACS logs to suggest why I'm not getting through - no failed attempts are shown.
Any ideas?
Here is some debug from the router:
Feb 24 12:28:58.973 UTC: TPLUS: processing authentication start request id 129
Feb 24 12:28:58.973 UTC: TPLUS: Authentication start packet created for 129(vpngroup)
Feb 24 12:28:58.973 UTC: TPLUS: Using server 10.10.10.10
Feb 24 12:28:58.973 UTC: TPLUS(00000081)/0/NB_WAIT/823A9F04: Started 5 sec timeout
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: socket event 2
Feb 24 12:28:58.989 UTC: T+: Version 192 (0xC0), type 1, seq 1, encryption 1
Feb 24 12:28:58.989 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:58.989 UTC: T+: type:AUTHEN/START, priv_lvl:1 action:LOGIN ascii
Feb 24 12:28:58.989 UTC: T+: svc:LOGIN user_len:8 port_len:0 (0x0) raddr_len:0 (0x0) data_len:0
Feb 24 12:28:58.989 UTC: T+: user: vpntest
Feb 24 12:28:58.989 UTC: T+: port:
Feb 24 12:28:58.989 UTC: T+: rem_addr:
Feb 24 12:28:58.989 UTC: T+: data:
Feb 24 12:28:58.989 UTC: T+: End Packet
Feb 24 12:28:58.989 UTC: TPLUS(00000081)/0/NB_WAIT: wrote entire 28 bytes request
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:58.993 UTC: TPLUS(00000081)/0/READ: Would block while reading
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 12 header bytes (expect 16 bytes data)
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: socket event 1
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/READ: read entire 28 bytes response
Feb 24 12:28:59.009 UTC: T+: Version 192 (0xC0), type 1, seq 2, encryption 1
Feb 24 12:28:59.009 UTC: T+: session_id 1729330768 (0x67137E50), dlen 16 (0x10)
Feb 24 12:28:59.009 UTC: T+: AUTHEN/REPLY status:5 flags:0x1 msg_len:10, data_len:0
Feb 24 12:28:59.009 UTC: T+: msg: Password:
Feb 24 12:28:59.009 UTC: T+: data:
Feb 24 12:28:59.009 UTC: T+: End Packet
s9990-cr#
Feb 24 12:28:59.009 UTC: TPLUS(00000081)/0/823A9F04: Processing the reply packet
Feb 24 12:28:59.009 UTC: TPLUS: Received authen response status GET_PASSWORD (8)
"AUTHEN/REPLY status:5" is a permanent fail according to the TACACS RFC
In the VPN Client log it says "User does not provide any authentication data".
So to summarise:
-Same ACS server\router\username combination works fine for telnet access.
-VPN works fine with local authentication.
-No login failures showing in the ACS logs.
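As an added example that is not part of the thread, the following decodes a TACACS+ AUTHEN REPLY rebuilt from the header values in the router debug above (version 0xC0, type 1, seq 2, session_id 0x67137E50, dlen 16, 28 bytes on the wire); the shared secret is a constructed placeholder and the packet is assumed to carry an obfuscated body (header flags 0). Per RFC 8907 the reply status 0x05 is GETPASS, the server prompting for a password (which is why the body is "Password: " with the NOECHO flag), while FAIL is 0x02, so this reply is a prompt rather than a rejection.

```python
import hashlib
import struct

# RFC 8907 authentication REPLY status values
STATUS_NAMES = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
TAC_PLUS_AUTHEN = 0x01              # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
TAC_PLUS_REPLY_FLAG_NOECHO = 0x01   # reply flag: client must not echo the input

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it again reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_reply(status, flags, server_msg, data=b""):
    """Authentication REPLY body: status, flags, server_msg_len, data_len, msg, data."""
    return struct.pack("!BBHH", status, flags, len(server_msg), len(data)) + server_msg + data

def build_packet(version, ptype, seq_no, hdr_flags, session_id, body, key):
    """12-byte header followed by the (obfuscated unless flagged) body."""
    if not hdr_flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return struct.pack("!BBBBII", version, ptype, seq_no, hdr_flags, session_id, len(body)) + body

def parse_authen_reply(packet, key):
    """Decode header and REPLY body; the length check catches a wrong shared secret."""
    version, ptype, seq_no, hdr_flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) < 12 + length:
        raise ValueError("not a complete TACACS+ authentication packet")
    body = packet[12:12 + length]
    if not hdr_flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if 6 + msg_len + data_len != length:
        raise ValueError("length fields do not match body (wrong shared secret?)")
    return {"version": version, "seq_no": seq_no, "session_id": session_id, "dlen": length,
            "status": status, "status_name": STATUS_NAMES.get(status, "UNKNOWN"),
            "noecho": bool(rflags & TAC_PLUS_REPLY_FLAG_NOECHO),
            "server_msg": body[6:6 + msg_len].decode("ascii")}

# Constructed packet using the header and body values from the router debug above;
# the shared secret is a placeholder, not a real key.
KEY = b"example-shared-secret"
REPLY = build_packet(0xC0, TAC_PLUS_AUTHEN, 2, 0, 0x67137E50,
                     build_authen_reply(0x05, TAC_PLUS_REPLY_FLAG_NOECHO, b"Password: "), KEY)

if __name__ == "__main__":
    print(parse_authen_reply(REPLY, KEY))
```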
-
Cisco ISE 1.2 and Cisco ACS 5.4 patch 6 and support for SNMP version 3
Does anyone know if Cisco ISE version 1.2 patch 8 and Cisco ACS 5.4 patch 6 support SNMP version 3?
ciscoISE/admin(config)# snmp-server ?
community Set community string
contact Text for mib object sysContact
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
ciscoISE/admin(config)# snmp-server
Ciscoacs/admin(config)# snmp-server ?
community Set community string
contact Text for mib object sysContact
host Specify hosts to receive SNMP notifications
location Text for mib object sysLocation
Ciscoacs/admin(config)# snmp-server
No support for SNMP v3 on ISE v1.2 and 1.3 except for profiling.
http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/cli_ref_guide/ise_cli/ise_cli_app_a.html#12768
http://www.cisco.com/c/en/us/td/docs/security/ise/1-3/cli_ref_guide/b_ise_CLIReferenceGuide/b_ise_CLIReferenceGuide_chapter_0100.html#ID-1364-00000d30
-
Linksys WAP54G connecting to CISCO ACS via LEAP
I understand that the Linksys WAP54G supports WPA and 802.1x authentication. Will a Cisco compatible client card get connected to the WAP54G via LEAP authentication to a Cisco ACS server?
Connection scenario:-
Cisco compatible client card <-WPA/LEAP-> WAP54G <-WPA/LEAP-> Cisco ACS3.1
Please advise if such a setting is feasible.
Tks
This is really a question for Linksys support. The Cisco wireless BU has no involvement with the Linksys product line. They operate as a totally separate, wholly owned subsidiary of Cisco.
As for LEAP, no, to my knowledge the Linksys AP does not support LEAP, which is not tested or part of the WPA certification program. To my knowledge the ONLY APs that support LEAP are Cisco Aironet APs.
If the Linksys supports WPA-Enterprise, then any client that supports WPA-Enterprise should work using EAP-TLS. The Cisco ACS server supports EAP-TLS.
One word of caution. Early CCX cards do not necessarily support WPA. The CCX specification and certification were out before WPA was released. You will need to check with the actual vendor of the card to verify WPA compatibility.
Also there are two types of WPA: WPA-Personal, which supports only the WPA encryption, and the keys are handled by a Pre-shared Key input system (no RADIUS server), and WPA-Enterprise, which is certified using WPA encryption and an 802.1x EAP-TLS RADIUS server (in fact using Microsoft and Funk Software servers). Make sure that the Linksys supports WPA-Enterprise, or it may not support 802.1x.
Bruce Alexander, Cisco
-
Using Cisco ACS for Solaris login authentication
Hi all
I am planning to authenticate ssh logins to Solaris 8/9 systems using PAM and radius (while radius is considered the primary solution, tacacs+ could be used, too). The radius/tacacs+ server is provided by a Cisco ACS.
Can anybody out there confirm that the combination "Solaris & PAM & radius/tacacs+ & Cisco ACS" correctly does this authentication? Is there anything special to consider?
Thanks, David
Hard to comment with any certainty, but provided the client implementation of RADIUS is sound AND the authentication protocol is one that ACS supports, e.g. PAP, CHAP, MSCHAP, LEAP, EAP (PEAP/FAST/TLS/GTC/MSCHAP), then it should be fine.
-
CS-MARS user authentication using Cisco ACS
Hi,
I would like CS-MARS (Web Interface) user authentication to be done by the Cisco ACS Server. Please let me know whether it is possible or not, and if possible, how to configure it.
Thanks and Regards,
Ahmed Shahzad.
-
RSA SecurID and Cisco ACS integration for user(s) with enable mode
I thought I had this problem figured out but I guess not.
I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2. I use tacacs+ authentication for logging into the Cisco router such as telnet and ssh. In the ACS I use "external user databases" for authentication which proxy the request from the ACS over to the RSA SecurID Server. I installed RSA Agents with sdconf.rec file on the Cisco ACS server. I renamed "user group 1" to be "RSA_SecurID" group. In the "External user databases" and "database configurations" I assign SecurID to this "RSA_SecurID" group.
Everything is working fine. In the "User Setup" I can see dynamic user test1, test2,...testn listed in there as "dynamic users". In other words, I can telnet into the router with my two-factor SecurID.
The problem is that if test1 wants to go into "enable" mode with SecurID login, I have to go into "test1" user setting and select "TACACS+Enable Password" and choose "Use external database password". After that, test1 can go into enable mode with his/her SecurID credential.
Well, this works fine if I have a few users. The problem is that I have about 100 users that I need to do this. The solution is clearly not scalable. Is there a setting from group level that I can do this?
Any ACS "experts" want to help me out here? Thanks.
That is not what I want. I want user "test1" to be able to do this:
C
Username: test1
Enter PASSCODE:
C2960>en
Enter PASSCODE:
C2960#
In other words, test1 user has to type in his/her RSA token password to get into exec mode. After that, he/she has to use the RSA token password to get into enable mode. Each user can get into "enable" mode with his/her RSA token mode.
The way you described, it seemed like anyone in this group can go directly into enable mode without password. This is not what I have in mind.
Any other ideas? Thanks.