Internal IP Disclosure Application Gateway


Problem description
Hi,

I have a web site set up on an App Service in Azure that I am working on getting PCI Compliant, and I have run into a slew of issues trying to do so. The first of the issues had to do with the inability to disable TLS 1.0 on a multi-tenant app service. At that point, my options were the following:

  • Migrate the App Service from the multi-tenant environment into an App Service Environment...inheriting an additional cost of around $1200/month. This apparently gives you the ability to configure the TLS settings since you have dedicated resources. This is not really an option as the cost outweighs the benefit here, at least for my case.
  • Convert the App Service into a Cloud Service...losing some of the key benefits that the App Service option gives us in terms of ease of deployment as well as some others. This is a tough sell also because of the time spent converting and re-testing the site to verify all functionality is working correctly.
  • Set up an Application Gateway to sit in front of the App Service, and configure the TLS settings on the Application Gateway.

If it isn't obvious, I ended up setting up the Application Gateway, but have run into some more issues along the way. Once I had the Gateway set up to disable TLS 1.0, I reran the PCI scan, which resulted in some different failures. It failed for the 3DES ciphers being available, and the Internal IP Disclosure issue. I was able to reconfigure the Gateway's SSL settings to allow all of the ciphers with the exception of the 3DES ciphers. I reran the test after that update and the cipher failures are gone, but I can't figure out a way to resolve the Internal IP Disclosure issue.

I currently have two listeners set up on the Gateway, one on port 80 and one on 443. The listener on port 80 has a redirect rule set up on it to redirect to the site on 443 (I used the commands provided by MS to do this). The IP Disclosure failure is coming in on port 80 when the scan hits the site using HTTP/1.0. Through researching this thus far, all of the solutions I have found are on the web server level (App Service level). However, because of the redirect rule at the Application Gateway level, the web server is never being hit. I have tried implementing the Firewall feature on the Gateway in hopes that it would protect against this vulnerability, but the PCI scan still failed with the same issue. I also looked into all of the PowerShell commands related to configuring the Gateway, but couldn't find anything that is relevant to this issue.

Is there a way to configure the Application Gateway to block requests being made by the HTTP/1.0 protocol? If not, is there another way to configure the Application Gateway to block this vulnerability?

Also, has anyone else run into PCI Compliance issues such as this while using the App Service platform? If so, how were you able to overcome these issues?

Thanks,

Brandon
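The check the scanner is running in the question (an HTTP/1.0 request to the port 80 listener, then inspecting the response for an internal address), as an added Python example that is not part of the original thread. HTTP/1.0 does not require a Host header, and a reverse proxy or load balancer that receives a host-less request will often build its redirect Location from its own address instead of the public hostname; that is the usual mechanism behind an "Internal IP Disclosure" finding on a redirect-only listener. The two sample responses are constructed for illustration, and `probe()` is an optional live check against a host you operate; everything else runs offline.

```python
"""Reproduce an 'Internal IP Disclosure' scanner check on a redirect listener.

Added example; not code from the thread or from Microsoft. Sample responses
below are constructed, not captured from a real gateway.
"""
import ipaddress
import re
import socket
import sys
from typing import Dict, List, Tuple

# Constructed: a 301 whose Location was built from the proxy's own private IP.
SAMPLE_LEAKING_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://10.0.1.4/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed: the same redirect built from the public hostname (what PCI wants).
SAMPLE_CLEAN_RESPONSE = (
    b"HTTP/1.1 301 Moved Permanently\r\n"
    b"Location: https://www.example.com/\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_http10_request(path: str = "/") -> bytes:
    """HTTP/1.0 request with no Host header, as a PCI scanner sends it."""
    return f"GET {path} HTTP/1.0\r\nConnection: close\r\n\r\n".encode("ascii")


def parse_response(raw: bytes) -> Tuple[str, Dict[str, List[str]], bytes]:
    """Split a raw HTTP response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def find_private_ips(raw: bytes) -> List[Tuple[str, str]]:
    """Return (location, ip) pairs for every non-public IPv4 address in the
    response headers or body. 'location' is the header name or 'body'.
    Private (RFC 1918), loopback and link-local ranges are all flagged,
    since any of them tells the scanner something about the backend network."""
    _, headers, body = parse_response(raw)
    sources = [(name, v) for name, values in headers.items() for v in values]
    sources.append(("body", body.decode("iso-8859-1", errors="replace")))
    leaks: List[Tuple[str, str]] = []
    for where, text in sources:
        for candidate in IPV4_RE.findall(text):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. 999.1.1.1 matched by the loose regex
                continue
            if addr.is_private:
                leaks.append((where, candidate))
    return leaks


def probe(host: str, port: int = 80, timeout: float = 5.0) -> List[Tuple[str, str]]:
    """Live check against a host you operate: send the HTTP/1.0 request and
    report any internal addresses in the reply. Not exercised by the offline test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_http10_request())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return find_private_ips(b"".join(chunks))


if __name__ == "__main__":
    print("constructed leaking sample:", find_private_ips(SAMPLE_LEAKING_RESPONSE))
    print("constructed clean sample:  ", find_private_ips(SAMPLE_CLEAN_RESPONSE))
    if len(sys.argv) > 1:
        print(f"live probe of {sys.argv[1]}:", probe(sys.argv[1]))
```

Run it with no arguments to see the two constructed samples classified; pass a hostname you own to repeat the scanner's HTTP/1.0 request against the real listener. If the live probe reports a `location` entry, the redirect target is the thing to fix: the Location must be derived from the public hostname rather than from the gateway's or backend's own address, which is a configuration question for whichever component answers on port 80, not something the web application behind the redirect can influence.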

Solution

Regarding the PCI compliance and TLS 1.0 support. The dependencies and support for TLS 1.0 need to be removed by the end of June 2018. Until then we can support TLS 1.0 as long as SSLV3 has been deprecated and TLS 1.2 is also supported. Both of which App Service does.

Regarding the second part of the question, this step is being used to get around TLS 1.0 but you are encountering other issues during the scan. Until TLS 1.0 is no longer supported, we would like to inform you that we are taking efforts towards its removal until we hit the June, 2018 date if not before.

I would suggest you refer to the threads below, which address a similar query.

https://social.msdn.microsoft.com/Forums/en-US/6530d35a-9321-4e61-a496-39b66c63a1a0/we-are-updating-our-tlsssl-cipher-suites-to-improve-security?forum=windowsazurewebsitespreview

https://social.msdn.microsoft.com/Forums/en-US/e1ada9b1-8551-4e94-90ee-b0a7ec6609fa/how-to-disable-tls10-for-a-webapp-in-azure-for-pci-compliance?forum=windowsazurewebsitespreview

Also, you may want to check the blog post How to disable TLS 1.0 on an Azure App Service in case you haven't checked it earlier, and see if that helps.

Disclaimer: This response contains a reference to a third-party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

-----------------------------------------------------------------------------------------------
Do click on "Mark as Answer" and "Vote as Helpful" on the post that helps you, this can be beneficial to other community members.
