Saturday, July 4, 2015

SIEM Deployment - Securing HP ArcSight Web Interfaces

2014 and 2015 have been years full of discoveries of cryptographic and algorithmic vulnerabilities, starting with Heartbleed and followed by POODLE and several others. These vulnerabilities pushed many administrators to patch their web servers, disable vulnerable protocols (SSLv2, SSLv3 and even TLS 1.0) and drop cipher suites containing weak algorithms (RC4, SHA1, MD5 and others).

ArcSight systems, which are managed over web interfaces, are also subject to these vulnerabilities and the attacks they enable. The Apache web server hosting the Logger and Management Center interfaces should be configured to eliminate the weak cryptographic algorithms and protocols.

First of all, to learn the current status of the web server, we will run the sslscan application against it with the given parameters.



From this output we can see that the SSLv2 and SSLv3 protocols are already disabled, but cipher suites using RC4, DES and Diffie-Hellman key exchange are still accepted.

In order to force the web server to use only secure algorithms and protocols, we will modify the Apache configuration file httpd.conf under the <LOGGER_INSTALLATION_DIRECTORY>/local/apache/conf directory, which in my own installation is /opt/arcsight/current/local/apache/conf/.

It is wise to take a backup of the httpd.conf file before making any changes.

# cp httpd.conf httpd.conf.backup

Then we edit this file with a text editor such as nano or vi.


We should modify the lines starting with SSLProtocol and SSLCipherSuite as follows and save the file.

SSLProtocol ALL -SSLv2 -SSLv3

SSLCipherSuite !RC4:!DH:!MD5:!aNULL:!eNULL:!MEDIUM:!LOW:HIGH

After this change, to make it active we should restart the Logger services with the ./loggerd restart command from the <LOGGER_INSTALLATION_DIRECTORY>/arcsight/logger/bin directory.

When we recheck with sslscan, we see that the vulnerable options are no longer supported.
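The steps above (backup, edit the two directives, verify) can be scripted so that they are repeatable and checked. The following POSIX shell script is an added example, not part of the original post or of any ArcSight tooling: it writes exactly the SSLProtocol and SSLCipherSuite values given above into an httpd.conf, keeps each directive in its original position and indentation (so a directive inside a <VirtualHost> block stays there), appends a directive that was missing entirely, refuses to overwrite an existing backup on a second run, and then verifies that every active copy of both directives carries the hardened value. The default path is an assumption taken from the installation directory mentioned in the post.

```shell
#!/bin/sh
# Added example, not part of the original post: apply the post's SSLProtocol and
# SSLCipherSuite settings to an Apache httpd.conf in a repeatable, checked way.
# DEFAULT_CONF is an assumption based on the post's own installation directory.

HARDENED_PROTOCOL='SSLProtocol ALL -SSLv2 -SSLv3'
HARDENED_CIPHERS='SSLCipherSuite !RC4:!DH:!MD5:!aNULL:!eNULL:!MEDIUM:!LOW:HIGH'
DEFAULT_CONF='/opt/arcsight/current/local/apache/conf/httpd.conf'

# active_lines NAME FILE: print every uncommented NAME directive in FILE,
# one per line, with leading and trailing whitespace removed.
active_lines() {
    sed -n -e 's/[[:space:]]*$//' \
           -e "s/^[[:space:]]*\($1[[:space:]].*\)/\1/p" "$2"
}

# check_directive NAME EXPECTED FILE: succeed only if NAME appears at least
# once in FILE and every active occurrence is exactly EXPECTED.
check_directive() {
    lines=$(active_lines "$1" "$3")
    [ -n "$lines" ] || return 1
    if printf '%s\n' "$lines" | grep -v -x -F -- "$2" | grep -q .; then
        return 1        # at least one non-hardened copy is still active
    fi
    return 0
}

# check_conf FILE: succeed when both directives are hardened.
check_conf() {
    check_directive SSLProtocol    "$HARDENED_PROTOCOL" "$1" &&
    check_directive SSLCipherSuite "$HARDENED_CIPHERS"  "$1"
}

# harden_conf FILE: keep a FILE.backup of the pristine file (never overwritten
# once it exists), rewrite each active SSLProtocol / SSLCipherSuite line in
# place keeping its indentation, append a directive that was missing, verify.
harden_conf() {
    conf="$1"
    tmp="$conf.tmp.$$"
    [ -e "$conf.backup" ] || cp "$conf" "$conf.backup" || return 1
    sed -e "s|^\([[:space:]]*\)SSLProtocol[[:space:]].*|\1$HARDENED_PROTOCOL|" \
        -e "s|^\([[:space:]]*\)SSLCipherSuite[[:space:]].*|\1$HARDENED_CIPHERS|" \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    [ -n "$(active_lines SSLProtocol "$tmp")" ]    || printf '%s\n' "$HARDENED_PROTOCOL" >> "$tmp"
    [ -n "$(active_lines SSLCipherSuite "$tmp")" ] || printf '%s\n' "$HARDENED_CIPHERS"  >> "$tmp"
    mv "$tmp" "$conf" || return 1
    check_conf "$conf"
}

# Usage: sh harden-tls.sh /path/to/httpd.conf   (nothing runs without a path)
if [ "$#" -eq 1 ]; then
    harden_conf "$1" && echo "hardened $1 (backup at $1.backup)"
fi
```

Run it as root on the Logger host with the httpd.conf path (or source it and call harden_conf "$DEFAULT_CONF"), then restart the Logger services as described above and recheck with sslscan. To see which suites the cipher string actually leaves enabled on the host's OpenSSL build, run openssl ciphers -v '!RC4:!DH:!MD5:!aNULL:!eNULL:!MEDIUM:!LOW:HIGH'. Note that in OpenSSL's cipher-string grammar the DH alias covers ephemeral (DHE) suites as well, so !DH removes them; ECDHE suites are a separate alias and remain under HIGH, so forward secrecy is still offered to clients that negotiate them.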


