PCI Compliance Trustwave Fail

We have a client that failed the PCI DSS scan from Trustwave. The router installed is a Balance 20 running firmware version 7.1.2. Please advise.

Below are the failures that Trustwave came back with.

TLSv1.0 Supported High 10.00 Fail
This vulnerability is not recognized in the National Vulnerability Database.
TLS v1.0 violates PCI DSS and is considered an automatic failing condition.

SSL Certificate Chain Not Trusted (External Scan)
Medium 6.80 Fail
This vulnerability is not recognized in the National Vulnerability Database.

SSL Certificate Common Name Does Not Validate (External Scan)
Medium 6.80 Fail
This vulnerability is not recognized in the National Vulnerability Database.

SSL Certificate is Not Trusted (External Scan)
Medium 6.80 Fail
This vulnerability is not recognized in the National Vulnerability Database.

SSLv2, SSLv3 and TLS v1.0 Medium 4.30 Fail
Vulnerable to CBC Attacks via chosen-plaintext (BEAST), CVE-2011-3389

Thanks,
Shawn

Hi,

For the SSL certs failing, you can fix this by applying proper publicly trusted certificates to the appropriate web front ends if they are publicly accessible. As with anything, it's about risk: if the HTTPS front end is not accessible publicly you could argue the risk is minimised, but you can apply SSL certs to resolve this.

On the TLS1.0 issue you can disable PEPVPN backwards compatibility which will force the use of TLS 1.2 and disable 1.0.

2 Likes
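To confirm the two fixes above before paying for another scan, here is a small pre-check script (an added example, not from the thread or from Peplink) that reproduces the scanner's findings from the outside: it tries a handshake pinned to TLS 1.0 and a fully verified handshake against the system trust store, then maps the outcome onto the Trustwave finding names. The hostname `router.example.com` is a placeholder; the `@SECLEVEL=0` cipher string is assumed to be needed because OpenSSL 3 refuses TLS 1.0 at its default security level.

```python
import socket
import ssl

# OpenSSL X509 verify codes that correspond to the scanner's cert findings.
CHAIN_ERRORS = {18, 19, 20, 21}   # self-signed / no local issuer / unverifiable leaf
HOSTNAME_MISMATCH = 62            # X509_V_ERR_HOSTNAME_MISMATCH


def classify(tls10_accepted, verify_code):
    """Turn raw probe outcomes into the finding names the scan reports.
    verify_code is None when the verified handshake succeeded."""
    findings = []
    if tls10_accepted:
        findings.append("TLSv1.0 Supported")          # automatic PCI DSS fail
    if verify_code == HOSTNAME_MISMATCH:
        findings.append("SSL Certificate Common Name Does Not Validate")
    elif verify_code in CHAIN_ERRORS:
        findings.append("SSL Certificate Chain Not Trusted")
        findings.append("SSL Certificate is Not Trusted")
    elif verify_code is not None:
        findings.append(f"SSL Certificate is Not Trusted (verify code {verify_code})")
    return findings


def probe_tls10(host, port, timeout=5.0):
    """True if the server completes a handshake pinned to TLS 1.0.
    A closed port also yields False, so check reachability separately."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # only the protocol version matters here
    ctx.minimum_version = ctx.maximum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")   # assumed: lets OpenSSL 3 offer TLS 1.0
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_verify(host, port, timeout=5.0):
    """None if the cert chains to a trusted root and matches host, else the X509 code."""
    ctx = ssl.create_default_context()       # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as e:
        return e.verify_code


def probe(host, port=443):
    return classify(probe_tls10(host, port), probe_verify(host, port))


if __name__ == "__main__":
    print(probe("router.example.com"))      # placeholder: the WAN name on the cert
```

An empty list means both the TLS 1.0 and the certificate findings are cleared from that vantage point; run it from outside the LAN, since that is where Trustwave scans from.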

Thank you for your response.

We do not have any web servers, so I was assuming that the cert fail was coming from the PepVPN that we have to a remote site. I did make the change to the backwards compatibility, which is nicely hidden, by the way; not sure why Peplink did that.

We are running another scan today to see if it passes.

Thanks again.

No problem, the cert failure will likely be the appliance HTTPS interface itself, assuming they are either testing from inside the LAN or your appliance can be accessed on the WAN interfaces via HTTPS as well.

You can purchase and apply a public cert to the appliance to resolve this issue, but as mentioned, if it's LAN-side only, in most instances this is deemed a low risk.

1 Like

Not sure why that would be happening; we have the management interface set to LAN only, and the scans are done externally by Trustwave.

We’ll see what the scan comes back with. I’ll let you know.

Thanks