- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to secure a GMS/Analyzer Web Server Service against weak ciphers and other vulnerabilities
03/26/2020 
1,047 People found this article helpful
42,807 Views
Description
If your GMS/Analyzer server is publicly accessible, securing the web server service against weak ciphers and/or other vulnerabilities may be needed.
This article describes some basic steps to identify issues along with methods of mitigating such issues.
Resolution
Step 1:
Identify if any vulnerabilities due to weak ciphers or other known vulnernabilities exist currently on your GMS/Analyzer server.
The following utility can scan your web service by providing the server URL:
https://sslanalyzer.comodoca.com/
This screen shot shows the types of vulnerabilities that may be seen:
Analysis:
Step 2:
Modify server.xml file to limit the ciphers/protocols/features that may be causing issues.
a) In Windows - navigate to the following directory:
[installDir]:\GMSVP\Tomcat\conf\
b) Right-click the server.xml file and choose Edit.
c) Find the following connectors (two exist in Windows server.xml; Connector port may differ on your server):
<Connector port="443" address="0.0.0.0" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
<Connector port="443" address="[::]" minProcessors="5" redirectPort="" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLCertificateFile="C:\GMSVP/conf/gmsvpserver.crt" SSLCertificateKeyFile="C:\GMSVP/conf/gmsvpserver.key" SSLPassword="value" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" />
d) Add the following values following the - secure="true" - value in the connector config:
SSLDisableCompression="true" SSLProtocol="TLSv1" SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH"
Example of change:
Description of changes:
SSLDisableCompression="true" (Disables Compression, which is vulnerable to CRIME attack)
SSLProtocol="TLSv1" (Disables SSLv3 which is vulnerable to Poodle)
SSLCipherSuite="ALL:!aNULL:!ADH:!eNULL:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:AES:AESGCM:!RC4:RSA:+HIGH:+MEDIUM:-LOW:!SSLv2:@STRENGTH" (Disables weak ciphers)
e) Save chages to the server.xml file and restart the GMS/Analyzer server
How to Test:
Re-scan using the SSL Analyzer utility you prefer and verify changes:
Additional info:
When GMS is installed on Windows, you may see a Vulnerability listed for - Secure Renegotiation (Client-initiated).
This may not be fixed by applying changes in the article.
Tomcat does not see this issue as a specific vulnerability and no specific fix is listed.
For further info, refer to -
http://tomcat.apache.org/security-7.html#Not_a_vulnerability_in_Tomcat
Related Articles
- Can we make changes to a firewall config acquired on NSM directly through the firewall?
- Perform Restart of firewall from NSM.
- Requirement is to push cfs settings from one firewall to a group of Firewalls in NSM.
YES
NO