LDAP communication is insecure-paloaltonetworks-panos


Vendor: paloaltonetworks

OS: panos

Description:
Indeni will alert if "Require SSL/TLS secured connection" is not checked.

Remediation Steps:
First, enable LDAP over SSL on the LDAP server. On the Palo Alto Networks firewall, select Device => Server Profiles => LDAP, select the profile, and select “Require SSL/TLS secured connection”. For more information, see: https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/device/device-server-profiles-ldap

How does this work?
This alert uses the Palo Alto Networks API interface to parse through LDAP profiles and alert the admin if SSL/TLS is not enabled.

Why is this important?
The LDAP protocol is insecure, and its communication is in clear text. Firewalls should use SSL/TLS to secure communication with the LDAP server when fetching user group information.

Without Indeni how would you find this?
Log in to the device’s web interface and click on “Device” -> “Server Profiles” -> “LDAP”.

panos-secure-ldap

name: panos-secure-ldap
description: Ensure "Require SSL/TLS secured connection" is enabled
type: monitoring
monitoring_interval: 60 minutes
requires:
    vendor: paloaltonetworks
    os.name: panos
    product: firewall
comments:
    secure-ldap:
        why: |
            The LDAP protocol is insecure, and its communication is in clear text. Firewalls should use SSL/TLS to secure communication with the LDAP server when fetching user group information.
        how: |
            This alert uses the Palo Alto Networks API interface to parse through LDAP profiles and alert the admin if SSL/TLS is not enabled.
        can-with-snmp: false
        can-with-syslog: false
steps:
-   run:
        type: HTTP
        command: /api/?type=config&action=get&xpath=/config/shared/server-profile/ldap&key=${api-key}
    parse:
        type: XML
        file: panos-secure-ldap.parser.1.xml.yaml
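
The check this script performs, as an added Python example that is not Indeni's parser or rule code: it classifies every LDAP server profile in a reply to the API query above. The sample XML is constructed, and the response layout and the `ssl` element name are assumptions about the PAN-OS configuration schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a reply to
# xpath=/config/shared/server-profile/ldap (not captured from a real device).
SAMPLE_RESPONSE = """\
<response status="success"><result><ldap>
  <entry name="corp-ad">
    <server><entry name="dc1"><address>192.0.2.10</address><port>636</port></entry></server>
    <ssl>yes</ssl>
  </entry>
  <entry name="legacy-dir">
    <server><entry name="ldap1"><address>192.0.2.20</address><port>389</port></entry></server>
    <ssl>no</ssl>
  </entry>
  <entry name="lab-dir">
    <server><entry name="ldap2"><address>192.0.2.30</address><port>389</port></entry></server>
  </entry>
</ldap></result></response>
"""


def audit_ldap_profiles(xml_text):
    """Map each LDAP server profile name to 'secure', 'insecure' or 'unset'."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("API call failed: status=%r" % root.get("status"))
    results = {}
    # Only direct children of <ldap> are profiles; the nested <server>/<entry>
    # elements are individual directory servers and must not be matched.
    for profile in root.findall("./result/ldap/entry"):
        ssl = profile.findtext("ssl")  # assumed element name
        if ssl is None:
            results[profile.get("name")] = "unset"  # relies on device default
        elif ssl.strip().lower() == "yes":
            results[profile.get("name")] = "secure"
        else:
            results[profile.get("name")] = "insecure"
    return results


def profiles_needing_review(xml_text):
    """Sorted names of profiles where SSL/TLS is not explicitly enabled."""
    audit = audit_ldap_profiles(xml_text)
    return sorted(name for name, state in audit.items() if state != "secure")


if __name__ == "__main__":
    for name, state in audit_ldap_profiles(SAMPLE_RESPONSE).items():
        print(f"{name}: {state}")
```

Profiles reported as `unset` carry no explicit setting in the returned XML, so confirm their state in the web interface rather than assuming either value.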

PanosSecureLdapRule

Source: https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosSecureLdapRule.scala