Network security assessment tools detect vulnerabilities in SVMs [KSV]

[Antipova Anna]

Advice and Solutions (Forum Knowledgebase) Disclaimer. Read before using materials.

Problem Description, Symptoms & Impact

Network security assessment tools detect multiple vulnerabilities in the SVMs.

Workaround & Solution

Below is a list of detected vulnerabilities and solutions or reasons why it can't be fixed.

Open ports

SVMs have ports 22 and 80 open for communication with the Deployment Wizard and providing updates to Light Agents respectively. They are hardcoded, and therefore can't be changed or closed without at least partially breaking functionality of the product.

Browsable Web Directories

SVMs use them to share updates with Light Agents, and Light Agents need to be able to check for updates. This is not a problem as there are only read-only Light Agent updates available there.

Weak SSH encryption

By default SVMs use weak ssh key exchange algorithms. To fix that without losing ability to configure the SVM via Deployment Wizard, add the following in /etc/ssh/sshd_config on SVMs:

KexAlgorithms diffie-hellman-group-exchange-sha256