LDAP communication is insecure-paloaltonetworks-panos
Vendor: paloaltonetworks
OS: panos
Description:
Indeni will alert if “Require SSL/TLS secured connection” is not checked in an LDAP server profile.
Remediation Steps:
First, enable LDAP over SSL on the LDAP server. On the Palo Alto Networks firewall, select Device => Server Profiles => LDAP, select the profile and select “Require SSL/TLS secured connection”. For more information, please check this link: https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/device/device-server-profiles-ldap
How does this work?
This alert uses the Palo Alto Networks API interface to parse through LDAP profiles and alert the admin if SSL/TLS is not enabled.
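The check described above, as an added Python example (not Indeni's parser or rule code), run against a constructed XML API response. The element names (`ldap`, `entry`, `server`, `ssl`) and the decision to flag a profile that has no `ssl` element are assumptions about the configuration layout.

```python
import xml.etree.ElementTree as ET

# Constructed sample, shaped like an XML API config response for the LDAP
# server-profile subtree. Element names (<ldap>, <ssl>, <server>) are assumed.
SAMPLE_RESPONSE = """\
<response status="success">
  <result>
    <ldap>
      <entry name="corp-ad">
        <server><entry name="dc1"><address>dc1.example.test</address><port>636</port></entry></server>
        <ssl>yes</ssl>
      </entry>
      <entry name="legacy-dir">
        <server><entry name="ldap1"><address>ldap1.example.test</address><port>389</port></entry></server>
        <ssl>no</ssl>
      </entry>
      <entry name="lab-dir">
        <server><entry name="lab1"><address>lab1.example.test</address><port>389</port></entry></server>
      </entry>
    </ldap>
  </result>
</response>
"""


def find_insecure_ldap_profiles(response_xml):
    """Return [(profile, reason, servers)] for profiles without SSL/TLS required."""
    root = ET.fromstring(response_xml)
    if root.get("status") != "success":
        raise ValueError("API response status is not 'success'")
    findings = []
    # Only direct children of <ldap> are profiles; nested <entry> are servers.
    for profile in root.findall("./result/ldap/entry"):
        ssl = profile.findtext("ssl")
        if ssl is not None and ssl.strip().lower() == "yes":
            continue
        # Assumption: a missing <ssl> element is flagged rather than trusted.
        reason = "ssl element absent" if ssl is None else f"ssl={ssl.strip()}"
        servers = [
            f"{s.findtext('address', '?')}:{s.findtext('port', '?')}"
            for s in profile.findall("./server/entry")
        ]
        findings.append((profile.get("name"), reason, servers))
    return findings


if __name__ == "__main__":
    for name, reason, servers in find_insecure_ldap_profiles(SAMPLE_RESPONSE):
        print(f"ALERT {name}: {reason}; servers={servers}")
```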
Why is this important?
The LDAP protocol is insecure: communication is in clear text. Firewalls should use SSL/TLS to secure communication with the LDAP server when fetching user group information.
Without Indeni how would you find this?
Log in to the device’s web interface and click on “Device” -> “Server Profiles” -> “LDAP”.
panos-secure-ldap
https://bitbucket.org/indeni/indeni-knowledge/src/master/parsers/src/panw/panos/panos-secure-ldap/panos-secure-ldap.ind.yaml
PanosSecureLdapRule
https://bitbucket.org/indeni/indeni-knowledge/src/master/rules/templatebased/paloaltonetworks/PanosSecureLdapRule.scala