Explanation of Sophos Endpoint Security and Control exceptions required for PCI compliance

  • Article ID: 113240
  • Rating: 13 customers rated this article 1.0 out of 6
  • Updated: 17 May 2016

Endpoint Security and Data Protection provides a full suite of protection products for establishing PCI compliance, including:

  • Endpoint Security and Control, which provides anti-malware, firewall and data loss prevention features
  • Sophos SafeGuard Disk Encryption, which provides data encryption

Pursuant to PCI DSS sections 1.1.5 and 2.2.2, the following information clarifies the Windows firewall port exceptions used by Endpoint Security and Control and explains why the Sophos Remote Management System (RMS) communications sent through these ports are secure to a high level. Use this information to justify the port exceptions and the security features of RMS.

Endpoint Security and Control requires communication through Windows firewall ports 8192 and 8194 so that networked computers can be monitored and managed from the central management application, Enterprise Console. Central management increases overall network security, because it lets network administrators monitor malware, firewall and data control events, and other features, from a single location.

The Remote Management System (RMS) uses a proprietary protocol to report status to, and take instructions from, Enterprise Console. The system consists of a Management Agent and a message Router on each client computer, and a message Router, Management Service and Certification Manager on the management server. More information about the individual components and their significant files and services can be found in Remote Management System: components and significant files.

The security features of RMS are described below:

  • The RMS proprietary protocol uses TLS v1 for lower-level cryptographic communications between a management server and its client computers and between components within a computer.

  • The Certification Manager in RMS uses a self-signed root certificate which is valid for 20 years from installation. Clean installations of SEC 5.2.2 and above will create a certificate with a SHA-1 hash. Legacy installations may have a certificate with an MD5 hash which may be detected as a weak hashing algorithm by software which scans the SSL ports in use by RMS.

  • All RMS components and the Management Service use 2048-bit keys. The components’ certificates use a SHA-1 hash (legacy RMS 3 certificates are automatically updated by RMS 4). Authentication of component roles is based on pre-shared keys (created when SEC is installed). The pre-shared keys are delivered to RMS installations out-of-band by the Sophos update agent (verified by MD5, SHA-1 and RIPEMD-160).
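The two certificate bullets above describe exactly what a PCI vulnerability scanner reports when it probes the RMS ports: the hash in the certificate's signature algorithm (MD5 or SHA-1 flagged as weak), the length of the validity period, and the RSA key size. The following is an added example, not Sophos code and not the RMS implementation: a stand-alone Python script that walks the DER structure of an X.509 certificate and reports those three properties, so an assessor can confirm offline whether an exported RMS certificate would trip the weak-hash check before a scan runs. The signature-algorithm OID table is the standard PKCS #1 set; the certificates it audits are constructed in the script with the same DER helpers (labelled as such, with a dummy signature value), so it runs with no network access and no real Sophos certificate.

```python
"""Offline audit of an X.509 certificate's signature hash, validity span and
RSA key size, the three properties a PCI scanner reports for a TLS port.

Added example, not Sophos code: a minimal DER walker plus a constructed
sample certificate built with the same helpers.
"""
from datetime import datetime, timezone

# PKCS #1 signature-algorithm OIDs and whether scanners treat the hash as weak.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
}
RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption (SubjectPublicKeyInfo algorithm)


# --- tiny DER encoder, used only to construct the sample certificate ---
def der(tag, body):
    """Encode one TLV; long-form length is used for bodies of 128+ bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    # One extra byte when needed keeps the sign bit clear (DER INTEGER is signed).
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:  # base-128 with continuation bits
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out += bytes(chunk)
    return der(0x06, bytes(out))

def der_utctime(dt):
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


# --- DER decoder used by the audit ---
def read_tlv(buf, pos=0):
    """Return (tag, value_bytes, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def children(body):
    """Split a constructed value (SEQUENCE/SET) into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def decode_oid(val):
    parts, acc = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))

def decode_utctime(val):
    return datetime.strptime(val.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def audit_certificate(cert_der):
    """Report signature hash, validity in years and RSA modulus size for a DER cert."""
    tbs, _sig_alg, _sig = children(read_tlv(cert_der)[1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:  # drop the explicit [0] version element if present
        fields = fields[1:]
    _serial, signature, _issuer, validity, _subject, spki = fields[:6]
    sig_oid = decode_oid(children(signature[1])[0][1])
    not_before, not_after = (decode_utctime(v) for _, v in children(validity[1]))
    alg, pubkey = children(spki[1])
    key_bits = None
    if decode_oid(children(alg[1])[0][1]) == RSA_OID:
        # BIT STRING: first byte is the unused-bit count, then RSAPublicKey SEQUENCE
        modulus = children(read_tlv(pubkey[1][1:])[1])[0][1]
        key_bits = int.from_bytes(modulus, "big").bit_length()
    name, weak = SIG_ALGS.get(sig_oid, (sig_oid, True))  # unknown algorithm: treat as weak
    return {"signature": name, "weak_hash": weak,
            "valid_years": round((not_after - not_before).days / 365.25, 1), "key_bits": key_bits}


def make_sample_cert(sig_oid, not_before, not_after, key_bits=2048):
    """Constructed sample certificate (not a real RMS certificate): structurally
    valid DER, but the signature value is a dummy, so it parses but never verifies."""
    alg_id = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    name = der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x13, b"Sample RMS root (constructed)"))))
    rsa_key = der(0x30, der_int((1 << (key_bits - 1)) | 1) + der_int(65537))
    spki = der(0x30, der(0x30, der_oid(RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + rsa_key))
    validity = der(0x30, der_utctime(not_before) + der_utctime(not_after))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg_id + name + validity + name + spki)
    return der(0x30, tbs + alg_id + der(0x03, b"\x00" + bytes(256)))

def sample_audit():
    """Audit three constructed 20-year, 2048-bit certificates differing only in hash."""
    install = datetime(2016, 5, 17, tzinfo=timezone.utc)
    expiry = datetime(2036, 5, 17, tzinfo=timezone.utc)
    return [audit_certificate(make_sample_cert(oid, install, expiry)) for oid in SIG_ALGS]

if __name__ == "__main__":
    for report in sample_audit():
        print(report)
```

To audit a real exported certificate instead of the constructed ones, pass its DER bytes (`open("cert.der", "rb").read()`) to `audit_certificate`; a `weak_hash` of `True` with a 20-year `valid_years` is the combination a scanner will flag on a legacy MD5 RMS root, and a clean SEC 5.2.2 installation shows the SHA-1 line instead.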

If you need more information or guidance, then please contact technical support.
