PCI scan is getting a different SSL

So riddle me this, Batman...

We have been running some PCI scans for one of our websites, and one of the warning alerts they are giving us is that the SSL cert we are using is self-signed. We are running the scan on the client's domain "domain.com", which has a wildcard cert that was purchased through Digicert.com and is absolutely signed and verified. That SSL is just fine, but when the scan runs it is also somehow getting information for our beta site "domain.ourcompany.com". Our beta site is using a self-signed SSL because we have had some issues with routing subdomains using our company's wildcard SSL. But for the live production site there is no reference at all to the beta site, and yet for some reason the firewall is providing information for the self-signed certificate.

For the production entry it has its own virtual host that is connected to its own "real webserver" in the UTM config, using its own CA-signed SSL.

The beta site is also using its own virtual host and real webserver, and has its own separate entry and its own SSL. As far as I can tell everything is completely separated out, and there shouldn't be any way the scan can pick up the beta site's information, and yet somehow it is.

Does anyone have any ideas on what might be happening?


  • If that Virtual Server is enabled, a PCI scan will see it unless you put it on a separate IP and "cloak" it with NAT rules.  Make a rule like 'NoNAT : {group of testers' IPs}-> {HTTP/S}->{separate IP}' and then follow it with a rule like 'DNAT : Any->{HTTP/S}->{separate IP} : to {non-existent IP}'.   That way, only the IPs of the beta site testers will get through to the Virtual Server and all other accesses are effectively dropped.  See #2 in Rulz.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
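The reply above hinges on rule ordering: the NoNAT exception for the testers has to sit above the catch-all DNAT, because a NAT table is evaluated top-down and the first matching rule wins. The following is an added example, not code from the thread or from Sophos: a small first-match rule evaluator that models the "cloak" pair (NoNAT for the testers' group, then DNAT everything else for the beta IP to an address that does not exist). All addresses are constructed for the example, and the first-match semantics is the assumption being modelled, not an emulation of the UTM itself.

```python
"""Model of the 'cloaking' NAT rule pair from the reply (added example).

All addresses below are constructed for illustration; the evaluator only
assumes first-match, top-down processing of the NAT table.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed, hypothetical addresses.
PROD_IP = ipaddress.ip_address("203.0.113.10")      # production vhost (CA-signed cert)
BETA_IP = ipaddress.ip_address("203.0.113.11")      # beta vhost on its own public IP
SINKHOLE_IP = ipaddress.ip_address("192.0.2.254")   # the "non-existent IP" DNAT target
TESTER_NETS = [ipaddress.ip_network("198.51.100.0/29")]  # beta testers' address group
WEB_PORTS = {80, 443}


@dataclass
class Rule:
    name: str
    kind: str                                  # "NoNAT" or "DNAT"
    src: List[ipaddress.IPv4Network]           # empty list means "Any"
    dst: ipaddress.IPv4Address
    ports: Set[int] = field(default_factory=lambda: set(WEB_PORTS))
    target: Optional[ipaddress.IPv4Address] = None  # DNAT destination

    def matches(self, src, dst, port):
        src_ok = not self.src or any(src in net for net in self.src)
        return src_ok and dst == self.dst and port in self.ports


def evaluate(rules, src, dst, port):
    """Return the destination the packet ends up with.

    First matching rule wins; NoNAT keeps the original destination,
    DNAT rewrites it; no match means no translation at all.
    """
    for rule in rules:
        if rule.matches(src, dst, port):
            return dst if rule.kind == "NoNAT" else rule.target
    return dst


# The rule pair from the reply, in the order the reply gives them.
CLOAK_RULES = [
    Rule("NoNAT : testers -> HTTP/S -> beta", "NoNAT", TESTER_NETS, BETA_IP),
    Rule("DNAT : Any -> HTTP/S -> beta : to sinkhole", "DNAT", [], BETA_IP,
         target=SINKHOLE_IP),
]


def reaches_beta(rules, src_str, port=443):
    """True if traffic from src_str actually lands on the beta virtual server."""
    return evaluate(rules, ipaddress.ip_address(src_str), BETA_IP, port) == BETA_IP


def reaches_prod(rules, src_str, port=443):
    """The cloak must not touch the production IP at all."""
    return evaluate(rules, ipaddress.ip_address(src_str), PROD_IP, port) == PROD_IP


if __name__ == "__main__":
    scanner = "192.0.2.77"     # constructed: the PCI scanner's source address
    tester = "198.51.100.3"    # constructed: a member of the testers' group
    for label, rules in (("correct order", CLOAK_RULES),
                         ("reversed order", list(reversed(CLOAK_RULES)))):
        print(f"{label}: tester->beta {reaches_beta(rules, tester)}, "
              f"scanner->beta {reaches_beta(rules, scanner)}, "
              f"scanner->prod {reaches_prod(rules, scanner)}")
```

With the rules in the order given, the testers reach the beta virtual server, the scanner's connection to the beta IP is rewritten to the sinkhole and times out, and the production IP is untouched. Swap the two rules and the catch-all DNAT matches first, so the testers are cut off as well; that is the check to make after building the rules in WebAdmin.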