SpanVA vulnerability / compliance assessment - Recommendations
Article ID: 275855

Products

CASB Gateway

Issue/Introduction

Client Requested SpanVA SSH Access to perform Internal Penetration Testing

Resolution

Overview:

  • Clients do not get SpanVA SSH access except in joint collaboration with CASB Support or Audit Engineering.
  • The read-only account has limited access: it cannot sudo to root and cannot see root directories, files, etc.
  • Root access to a client's SpanVA is highly restricted and protected.
  • CASB Audit Engineering can only gain root access to a client's SpanVA through a joint Webex session with the Client, Support, and Audit Engineering collaborating.

SSH access:

  • Normally an SSH session with the Client is only needed if Audit Engineering assistance is required to analyze some deeper issue.

SpanVA Compliance:

  • Internally, Broadcom Audit Engineering Dev adds bug fixes, feature enhancements, and patches, then tests and performs QA on the master SpanVA image; new updates are published periodically.
  • When a new version of the SpanVA OS / Apps passes QA and becomes GA, it is published to CloudSOC tenants in the field.
  • If the auto-update option is enabled by the client in the SpanVA GUI, SpanVA receives and installs the update automatically. If it is not enabled, the client must click "Install Update" to get the latest updates.
  • If manually clicking to install updates, observe the warning NOT to manually reboot SpanVA during the upgrade or shortly thereafter, or irreparable OS corruption may result.

Adjusting Security Settings:

  • Clients can manage security settings such as ciphers and protocols via the SpanVA GUI "Settings" tab.
  • After configuring security settings, the client may need to reboot SpanVA for some configuration changes to fully take effect, for example after disabling FTP.

Verifying Compliance:

  • After adjusting SpanVA security through the GUI Settings tab, many Clients use a network scanner with CentOS Linux definitions to perform a vulnerability scan.
  • If critical open vulnerabilities are found, the Client should check whether there are any other Settings inside SpanVA that can be disabled, and then rescan.

Mitigation:

  • SpanVAs are normally located on one of the Client's internal protected sub-networks.
  • The SpanVA's IP should be allowed to egress/ingress only as required in the SpanVA Tech Doc, not open to the entire internet.
  • Following the suggestions in this KCS may help the Client reduce the severity of, and/or mitigate, any open vulnerabilities found.
  • If the Client finds a Critical vulnerability that cannot be remediated, the Client can submit a new CASB Support case for that specific vulnerability and include the scan report.