Fortinet – Common PCI/Security audit issues

This is an ongoing blog, and one that I will update often will things that come up in security audits.

Companies are always getting external audits to make sure they comply with policies and have no outstanding vulnerabilities with their systems. This is great, but sometime the Fortigate will get pinged on SSL/SSH encryption level issues. The following blog is a few helpful commands that can get the Fortinet to pass inspection by disabling the lowest or least secure SSL and SSH protocols. Also below I have put in excerpts from a few scans.

Issue 1:

tls-1

Error: TLS Version 1 Protocol Detection – So the above was an issue with TLS Version 1.0 being enabled on port 443 (My SSL VPN port). So, we need to remove TLS 1.0 from the accepted protocols on the VPN.

The commands to do that are:

config vpn ssl settings
    set tlsv1-1 disable
end

The disables TLSv1 from the SSL VPN

Next issue

  • Vulnerability Details 116818

This host is susceptible to the SSL version 3 POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. By using SSL version 3 and CBC Mode ciphers this host can allow an attacker to expose encrypted data in a connection between the client and server. Impact: Over time, an attacker can steal sensitive information between the client and the server using this man in the middle attack. Hosts may default to a more secure protocol (TLS 1.2, for example), but a network attacker could potentially trigger a reconnection causing the browser to retry older protocols (SSL version 3).

The above error basically says that SSL Version 3 was enabled on SSL VPN port. Just like before we will disable that

config vpn ssl settings
    set sslv3 disable
set tlsv1-0 disable
set tlsv1-1 disable
end

This turns of SSLV3 from the SSL VPN supported protocols.

This Entry will be updated as I find more from going through audits.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: