I am having some difficulty with my SA 540 fleet in regards to PCI Scans in relationship to the SSL VPN.
We have four of these deployed; one in the main office and three in satellite offices and we employ site-to-site VPN so the satellites can connect to the main office LAN. Naturally, PCI DSS 3.1 has come into effect since my last successful quarterly scan and I seem to be failing on the routers due to, I THINK, the SSL certificate in the routers being 1024-bit encryption when the new standard is 2048-bit. Some responses from Trustwave regarding my failed scans:
Insecure Certificate Signature Algorithm in Use
SSL Certificate Public Key Too Small
SSL/TLS Weak Encryption Algorithms
All of the failed messages state that the "server" is using a hash algorithm of SHA (PCI requires MD5), signature algorithm of RSA and signature key length of 1024-bit.
I have put disputes in because the actual cutoff date for the 1024-bit encryption is next June but I am trying to take a proactive stance and I am not a Cisco expert by any means. That being said I think the question(s) would be:
Can I obtain an updated certificate that has MD5 and 2048-bit encryption without additional cost or is this something I have to pay for through Cisco and if so, how do I obtain this? Or do I generate a new CSR and then go to a Cisco approved CA? Or, is this security appliance not able to be brought up to the latest PCI DSS standards?
For anyone else who may be having this issue, I had to turn OFF Remote Management, which was fine by me because that only affects the Quick VPN and SSL VPN whereas I am using Site-to-Site VPN. So the issue really was that the RMOM being turned on also opens the SSLv3 and TLSv1.0 that are in collision with the latest PCI DSS 3.0 standards.
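The check below is an added example, not part of the original post and not Cisco or Trustwave tooling. It reads the text that `openssl x509 -noout -text` prints for a certificate and reports the two certificate findings quoted above, plus any of the protocol versions named in the follow-up. The thresholds, the function names and the sample certificate text are assumptions of the example.

```python
import re

# Assumed policy for this example: RSA keys under 2048 bits, MD5/SHA-1
# certificate signatures, and SSLv3/TLSv1.0 are treated as scan failures.
MIN_RSA_BITS = 2048
WEAK_SIG_HASHES = ("md5", "sha1")
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1.0"}

# Constructed sample in the layout printed by `openssl x509 -noout -text`;
# it is not taken from a real SA 540.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=router.example.test
        Subject: CN=router.example.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

def audit_certificate(cert_text):
    """Return scan-style findings for one certificate text dump."""
    findings = []
    sig = re.search(r"Signature Algorithm:\s*(\S+)", cert_text)
    if sig and any(h in sig.group(1).lower() for h in WEAK_SIG_HASHES):
        findings.append(f"Insecure Certificate Signature Algorithm in Use ({sig.group(1)})")
    alg = re.search(r"Public Key Algorithm:\s*(\S+)", cert_text)
    key = re.search(r"Public[- ]Key:\s*\((\d+) bit\)", cert_text)
    # The size threshold applies to RSA only; EC keys are sized differently.
    if alg and key and alg.group(1) == "rsaEncryption" and int(key.group(1)) < MIN_RSA_BITS:
        findings.append(f"SSL Certificate Public Key Too Small ({key.group(1)} bit)")
    return findings

def audit_protocols(enabled):
    """Return the deprecated protocol versions present in `enabled`."""
    return sorted(DEPRECATED_PROTOCOLS.intersection(enabled))

if __name__ == "__main__":
    for line in audit_certificate(SAMPLE_CERT_TEXT):
        print("FAIL:", line)
    # Constructed protocol list, as a management interface might offer.
    print("Deprecated protocols:", audit_protocols(["SSLv3", "TLSv1.0", "TLSv1.2"]))
```

Running it against the certificate on each externally reachable interface before the quarterly scan shows which service, rather than which device, is presenting the weak certificate or protocol.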