Explanation of Sophos Endpoint Security and Control exceptions required for PCI compliance

  • Article ID: 113240
  • Rating: 8 customers rated this article 3.8 out of 6
  • Updated: 11 Nov 2015

Endpoint Security and Data Protection provides a full-protection suite of products to establish PCI compliance, including:

  • Endpoint Security and Control, which provides anti-malware, firewall and data loss prevention features
  • Sophos SafeGuard Disk Encryption, which provides data encryption

Pursuant to PCI DSS Regulations sections 1.1.5 and 2.2.2, the following information clarifies the Windows firewall port exceptions used by Endpoint Security and Control and describes the high level of security of the Sophos Remote Management System (RMS) communications sent through these ports. It can be used to justify both the port exceptions and the security features of the RMS system.

Endpoint Security and Control requires communication through Windows firewall ports 8192 and 8194 so that networked computers can be monitored and managed by the central management application, Enterprise Console. Central management increases overall network security, as it allows network administrators to monitor malware, firewall and data control events, and other features, from a single location.
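
PCI DSS 1.1.5 asks for each permitted port to be documented and justified, so an assessor will want to see not only that ports 8192 and 8194 are open but how widely each exception is scoped. The following PowerShell function is an added example, not part of this article or of the Sophos product: it audits the Windows Firewall for enabled inbound Allow rules that open the RMS ports and reports the remote address scope of each. It assumes RMS traffic is TCP; the names of the rules created by the Sophos installer are not known here, so every enabled inbound Allow rule is examined.

```powershell
# Added example, not part of the Sophos article: audit the Windows Firewall for
# inbound rules that open the RMS ports (8192 and 8194) and show how each
# exception is scoped, which is the evidence PCI DSS 1.1.5 asks for.
# Assumptions: RMS traffic is TCP, and the rule names created by the Sophos
# installer are not known here, so every enabled inbound Allow rule is examined.
function Get-RmsFirewallExceptions {
    param(
        [int[]]$Ports = @(8192, 8194)
    )

    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
        $rule       = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        $localPorts = @($portFilter.LocalPort)

        # Keep rules whose local port list names an RMS port outright, or opens every port.
        # (Port ranges such as "8190-8200" are not expanded and would need manual review.)
        $opensRms = $localPorts | Where-Object { ($_ -eq 'Any') -or ($_ -in $Ports) }
        if (($portFilter.Protocol -notin 'TCP', 'Any') -or -not $opensRms) { return }

        $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

        [pscustomobject]@{
            Rule          = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $portFilter.Protocol
            LocalPort     = ($localPorts -join ', ')
            RemoteAddress = ($remote -join ', ')
            # An exception limited to the management server's address (or a
            # message relay's) is easier to justify than one accepting 'Any' source.
            ScopedToHosts = ($remote -notcontains 'Any')
        }
    }
}

# Usage: list the exceptions, widest scope first.
Get-RmsFirewallExceptions | Sort-Object ScopedToHosts | Format-Table -AutoSize
```

Rules reported with ScopedToHosts set to False accept the RMS ports from any source address. Whether they can be narrowed to the Enterprise Console server depends on your topology (clients that report through a message relay need the relay's address instead), so the output is the starting point for the justification, not a verdict.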

The Remote Management System (RMS) uses a proprietary communication language to report its status to Enterprise Console. The system consists of an agent and client router, which are located on each client computer, and a message router and management service, which are located on the management server. More information about the individual components and their significant files and services can be found in Remote Management System: components and significant files.

The security features of the Remote Management System are described below:

  • RMS uses TLS v1/SSLv3 for its transport encryption.

  • The Certification Manager (CM) in the Remote Management System (RMS) uses a self-signed certificate that is valid for 20 years from installation. The certificate is signed using the MD5 hashing algorithm, which software that scans the SSL ports used by RMS may report as a weak hashing algorithm. The CM will be updated in the next release (5.2.2) to use SHA.

  • The Sophos Remote Management System uses SSL as an outer layer to the multi-layer transport of management data. Within this multi-layer system:

    • The layer used to connect the Sophos Agent to the Sophos Message Router internally on the client uses 512-bit key exchanges (RSA) based on pre-shared keys (PSK).

      • New installations of Remote Management System (RMS) version 3.4.1, as first released with Sophos Anti-Virus 10.0.8, use a 2048-bit key for this communication.

        For installations that have been upgraded from earlier versions of RMS to 3.4.1, the originally obtained (512-bit) certificate will continue to be used. In this scenario, to update the Sophos Agent certificate to a 2048-bit key, we recommend that you re-protect the client so that the Sophos Agent obtains a new certificate, or upgrade to RMS 4 when it becomes available.

      • Starting with RMS version 4, the Agent schedules a replacement for this certificate (up to 5 days after install), so no manual intervention is required. This version of RMS is now installed on computers running Sophos Update Manager.

    • The layer used to connect the client Router to the Management Service over the network uses 2048-bit key exchanges (RSA) based on pre-shared keys. The PSK for the management service is handed out out-of-band by our update agent (verified by MD5, SHA1 and RIPEMD-160).

  • These internal layers use out-of-band verification, so they are not dependent on SSL for their security. This provides strong client-centric encryption that would take considerable time to break.

  • For non-Windows implementations of RMS, e.g. Unix, audits may also find weak ciphers in use on the SSL ports used by the management software, e.g. DES-CBC-SHA. These will be changed in a future upgrade of RMS on these platforms.
  • In addition, unlike other encrypted protocols such as HTTPS, the Sophos Remote Management System does not use standard data structures for its logon authentication. While a port and protocol scan may discover the availability of the lower SSL standards and report this as a potential vulnerability to man-in-the-middle attacks, the proprietary data structures used by Sophos, together with the high level of encryption and verification described above, make such attacks highly unlikely to succeed.
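
The list above predicts what an external scan of the RMS ports will report: an SSLv3/TLS v1 listener, a self-signed certificate with a 20-year validity period and an MD5 signature, and (for upgraded agents) a 512-bit RSA key. Before a PCI assessment it helps to record those same properties yourself so the findings can be matched against this article's justification and against the fixes it promises (SHA signatures in 5.2.2, 2048-bit keys in 3.4.1/RMS 4). The following PowerShell function is an added example, not part of this article or of Sophos' own tooling. It completes a TLS handshake against the RMS ports and reports the negotiated protocol and certificate properties. It assumes the ports answer a plain TLS client hello (the article says scanners examine the "SSL ports" used by RMS), that the server key is RSA, and that the client is allowed to negotiate whichever protocol version the server offers; the host name in the usage line is a placeholder.

```powershell
# Added example, not part of the Sophos article: complete a TLS handshake with
# the RMS ports on a management server and report the properties a PCI scanner
# inspects (negotiated protocol, certificate signature hash, key size, validity).
# Assumptions: the ports answer a plain TLS client hello, the server key is RSA,
# and the client may negotiate whichever protocol version the server offers.
function Get-RmsTlsReport {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int[]]$Ports = @(8192, 8194)
    )

    foreach ($port in $Ports) {
        $tcp = New-Object System.Net.Sockets.TcpClient
        try {
            $tcp.Connect($ComputerName, $port)

            # Accept any certificate: the point is to record what is presented,
            # not to trust it (a self-signed RMS certificate would fail validation).
            $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($ComputerName)

            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
            $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
            $sig  = $cert.SignatureAlgorithm.FriendlyName   # e.g. md5RSA, sha1RSA, sha256RSA

            [pscustomobject]@{
                Port          = $port
                Protocol      = $ssl.SslProtocol
                Subject       = $cert.Subject
                SelfSigned    = ($cert.Subject -eq $cert.Issuer)
                SignatureHash = $sig
                KeyBits       = $rsa.KeySize      # $null if the key is not RSA
                ValidYears    = [math]::Round(($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25, 1)
                # Findings a scanner raises on the configuration the article describes:
                # an MD5 (or SHA-1) signature and an RSA key shorter than 2048 bits.
                WeakSignature = ($sig -match 'md5|sha1')
                WeakKey       = ($null -ne $rsa) -and ($rsa.KeySize -lt 2048)
            }
        }
        finally {
            $tcp.Close()
        }
    }
}

# Usage (the host name is a placeholder for the Enterprise Console server):
# Get-RmsTlsReport -ComputerName 'console.example.internal' | Format-List
```

If the handshake fails because the client's default protocol set no longer includes what an older RMS listener offers, use the AuthenticateAsClient overload that takes an explicit SslProtocols value for the audit connection only. WeakSignature and WeakKey reproduce the two certificate findings this article anticipates; the remaining fields (protocol version, validity period, self-signed status) are the other items an assessor will ask you to explain.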

If you need more information or guidance, then please contact technical support.
