CRITICAL Finding with pen testing - Basic Authentication Detection



Article ID: 274635


Updated On:

Products

ISG Proxy ProxySG Software - SGOS

Issue/Introduction

A pen testing team conducted a penetration testing exercise against the Symantec Advanced Secure Gateway appliances.

The test flagged the use of Basic Authentication as a CRITICAL finding.

The question is whether the <Admin> authentication can be replaced with one of the following authentication methods:

  • login page with any kind of Directory (Radius, AD, …)

  • IWA-Direct

Resolution

Concerning the detection of Basic Authentication by the pen test, we confirm that this finding is a false positive: the appliance will always accept Basic authentication so that users can log in to the product interfaces. This isn't a vulnerability. What the admin login is allowed to do is controlled through permissions.

With the ProxySG, you can create a read-only user account as a control. Refer to the Tech Article linked below.

Create a read-only user account for the ProxySG

The console logins of these products can also be integrated with RADIUS and Windows AD. For these, refer to the Tech Articles linked below.

Setup RADIUS Authentication Groups Between ProxySG And FreeRADIUS

Use policy to control Edge SWG (ProxySG) administrator access

Note that the default admin login uses only Basic authentication to accept the username and password. Using this account is optional: customers are not bound to the default admin account, which exists to serve the initial configuration of the appliance(s).
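The controls described above (console logins through a directory realm, plus policy that limits what each administrator may do) are expressed on the ProxySG in Content Policy Language `<Admin>` layers. The block below is an added illustration written for this article; it is not taken from the linked Tech Articles. The realm name `radius_realm`, the group names and the management subnet are assumed placeholder values, and the realm must already be defined on the appliance before this policy is installed.

```cpl
; Added example, not from the original article. Realm, group names and subnet are assumptions.
; Layer 1: authenticate console logins against the RADIUS (or AD) realm instead of
; relying only on the built-in admin account.
<Admin>
    authenticate(radius_realm)

; Layer 2: grant rights by directory group membership.
; admin.access=READ  matches read-only operations (viewing configuration)
; admin.access=WRITE matches operations that change configuration
<Admin>
    allow admin.access=READ group="proxy_readonly"                          ; helpdesk: view only
    allow admin.access=(READ||WRITE) group="proxy_admins"                   ; full administrators
    allow admin.access=(READ||WRITE) user="admin" client.address=10.0.0.0/24 ; built-in account, management subnet only
    deny                                                                    ; anything else, whatever credentials it presents
```

The credentials are still presented with Basic authentication at the console, which is why the scanner reports it; the policy decides what an authenticated identity may do and from where, so a Basic login with the wrong group membership or from outside the management subnet is denied rather than granted write access.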