Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2379
Views
5
Helpful
1
Replies

Certificate vulnerability

seclakit
Level 1
Level 1

‎10-04-2021 08:15 PM

I have found several of my network devices are showing up within our vulnerability management scanner with X.509 Certificate Subject CN does not match the entity name as a vulnerability. This is more than likely a DNS issue as I do not have any network devices with DNS records. I have been told conflicting opinions and would like to know how do I find the best practices on this finding. Which one would be the most accurate process that I should follow: 

  1. It is best practice not to place DNS records on my network devices as it will make them unrecognizable on the public-facing side. Therefore, security by obscurity. 
  2. Attempt to place DNS records as this secures all devices and allows for security teams to identify and ensure that these devices are behaving as needed through the SIEM. 

 

0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-04-2021 10:36 PM

If the devices aren't using the certificates then just disable them from responding to SSL/TLS so that the scanner doesn't detect them.

If they are using the certificates, then document for purposes of the scan why they use a self-signed (of manufacturer-issued as the case may be with wireless APs in particular) certificate. Often this is by design and not a problem with respect to security.

Of course if they are using certificates for actual device administration then they should be proper ones with the CN from the certificate matching the device's FQDN in DNS.

Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card