Client Requested SpanVA SSH Access to perform Internal Penetration Testing

Overview:

• Clients do not get SpanVA SSH access except in joint collaboration with CASB Support or Audit Engineering
• The read-only account has limited access, cannot sudo to root , cannot see root directories, files, etc.
• Client's SpanVA root access is highly restricted, protected..
• CASB Audit Engineering can only gain root access to a client's SpanVA through a joint webex session with Client, Support, and Audit Engineering collaboration.

SSH access:

• Normally an SSH session with Client is only needed if  Audit Engineering assistance is required to analyze some deeper issue.

SpanVA Compliance:

• Internally - Broadcom Audit Engineering Dev adds bug fixes, feature enhancements, patches, tests, and does QA on the master SpanVA image, with new updates published periodically. 
• When a new version of SpanVA OS / Apps passes QA, becomes GA, it gets published to CloudSOC tenants in the field.
• If auto-update option is enabled by client in SpanVA GUI - it receives update and installs. If not enabled client must click on "Install Update" to get the latest updates
• If manually clicking to install updates observe the warning to NOT manually reboot SpanVA  during upgrade or shortly thereafter or irreparable OS corruption may result

Adjusting Security Settings:

• Clients have access to manage security settings such as Ciphers, protocols, etc via SpanVA GUI "Settings" tab. 
• After configuring security settings client may need to reboot SpanVA for some config changes to fully take effect, such as after disabling FTP.

Verifying Compliance:

• After adjusting SpanVA security through GUI / Settings Tab - many Clients use a network scanner with Centos linux definitions to perform a vulnerability scan.
• If critical open vulnerabilities are found, Client should check if there are any other Settings inside SpanVA to disable and then rescan.

Mitigation:

• SpanVAs are normally located on one of Client's internal protected sub-networks.
• The SpanAV's IP should be allowed to egress/ingress as required in SpanVA Tech Doc, not open to the entire internet.
• Following suggestions in this KCS may help Client reduce severity and/or mitigate any open vulnerabilities found
• If client finds a Critical vulnerability that cannot be remediated Client can submit a new CASB Support case for that specific vulnerability and include scan report