Client Requested SpanVA SSH Access to perform Internal Penetration Testing
Resolution
Overview:
Clients do not get SpanVA SSH access except in joint collaboration with CASB Support or Audit Engineering.
The read-only account has limited access: it cannot sudo to root and cannot see root directories, files, etc.
Root access to a Client's SpanVA is highly restricted and protected.
CASB Audit Engineering can only gain root access to a Client's SpanVA through a joint Webex session with Client, Support, and Audit Engineering.
SSH access:
Normally, an SSH session with Client is only needed if Audit Engineering assistance is required to analyze a deeper issue.
SpanVA Compliance:
Internally, Broadcom Audit Engineering Dev adds bug fixes, feature enhancements, and patches, then tests and performs QA on the master SpanVA image, with new updates published periodically.
When a new version of the SpanVA OS / Apps passes QA and becomes GA, it is published to CloudSOC tenants in the field.
If the auto-update option is enabled by the Client in the SpanVA GUI, the SpanVA receives the update and installs it. If it is not enabled, the Client must click "Install Update" to get the latest updates.
If manually clicking to install updates, observe the warning NOT to manually reboot SpanVA during the upgrade or shortly thereafter, or irreparable OS corruption may result.
Adjusting Security Settings:
Clients can manage security settings such as ciphers, protocols, etc. via the SpanVA GUI "Settings" tab.
After configuring security settings, Client may need to reboot SpanVA for some config changes to fully take effect, such as after disabling FTP.
Verifying Compliance:
After adjusting SpanVA security through the GUI "Settings" tab, many Clients use a network scanner with CentOS Linux definitions to perform a vulnerability scan.
If critical open vulnerabilities are found, Client should check whether there are any other Settings inside SpanVA to disable, and then rescan.
Mitigation:
SpanVAs are normally located on one of Client's internal protected sub-networks.
The SpanVA's IP should be allowed to egress/ingress only as required in the SpanVA Tech Doc, not open to the entire internet.
Following the suggestions in this KCS may help Client reduce the severity of, and/or mitigate, any open vulnerabilities found.
If Client finds a Critical vulnerability that cannot be remediated, Client can submit a new CASB Support case for that specific vulnerability and include the scan report.
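The scan, adjust, rescan loop described under Verifying Compliance can be tracked by comparing the two scan exports, as in this added example (not Broadcom code). The CSV column names and all sample findings are constructed assumptions; map them to whatever your scanner exports.

```python
import csv
import io

# Constructed sample exports. Column names and findings are assumptions for
# illustration and do not describe real SpanVA scan results.
BEFORE_CSV = """finding_id,port,protocol,severity,title
F-001,21,tcp,Critical,Example: FTP service enabled
F-002,443,tcp,High,Example: legacy protocol enabled
F-003,443,tcp,Critical,Example: weak cipher enabled
F-004,22,tcp,Medium,Example: informational SSH finding
"""
AFTER_CSV = """finding_id,port,protocol,severity,title
F-003,443,tcp,critical,Example: weak cipher enabled
F-004,22,tcp,Medium,Example: informational SSH finding
F-005,443,tcp,Low,Example: new low-severity finding
"""

def load_findings(text):
    """Map (finding_id, port, protocol) -> row, with severity lower-cased."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        row = {k: (v or "").strip() for k, v in row.items()}
        row["severity"] = row["severity"].lower()
        key = (row["finding_id"], row["port"], row["protocol"].lower())
        findings[key] = row
    return findings

def compare_scans(before_text, after_text):
    """Classify findings as resolved, remaining or new between two scans."""
    before, after = load_findings(before_text), load_findings(after_text)
    resolved = [before[k] for k in sorted(before.keys() - after.keys())]
    remaining = [after[k] for k in sorted(before.keys() & after.keys())]
    new = [after[k] for k in sorted(after.keys() - before.keys())]
    # Criticals still present in the rescan, carried over or newly reported:
    # these are the ones to raise in a Support case with the scan report.
    open_critical = [f for f in remaining + new if f["severity"] == "critical"]
    return {"resolved": resolved, "remaining": remaining,
            "new": new, "open_critical": open_critical}

if __name__ == "__main__":
    result = compare_scans(BEFORE_CSV, AFTER_CSV)
    for name in ("resolved", "remaining", "new", "open_critical"):
        print(name.upper())
        for f in result[name]:
            print(f"  {f['finding_id']} {f['port']}/{f['protocol']} "
                  f"[{f['severity']}] {f['title']}")
```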