Monitoring Your Network for TLS Vulnerabilities

You can monitor your network for TLS/SSL protocol vulnerabilities by using Security Scanner.

About Security Scanner

Security Scanner enables you to detect some vulnerabilities that an attacker could potentially exploit within your Aviatrix-managed VPCs/VNets.

Security Scanner does not open ports on machines where you have closed them with host-level (private) firewalls. Scans are performed only on ports that are open by your intentional security design.

Security scans report the following for user VM instances (not gateway VMs) within your Aviatrix-managed spoke VPCs/VNets:

  • If a TLS certificate has a malformed configuration.

  • If the certificate is not publicly known — it is self-signed or signed with a private root certificate.

  • If the TLS versions used for encrypted communication are outdated or insecure.

Security Scanner is run from the Aviatrix CoPilot user interface from the Topology page. See Scan for Vulnerabilities using Security Scanner.

The Security Scanner button displays only when you select individual, not grouped, user VMs in the Topology. You might need to drill down into the Topology map before the Security Scanner button displays.

Security Scanner is enabled per CoPilot instance, so that only a specific CoPilot instance is able to trigger a scan.

Security Scanner only inspects TLS/SSL protocols.

Scan for Vulnerabilities using Security Scanner

This section describes how to scan for vulnerabilities using Security Scanner. For information about the overall feature, see About Security Scanner.

To scan for vulnerabilities using Security Scanner:

  1. Log in to CoPilot.

  2. From the sidebar, select Topology.

  3. In the topology map, select the user VM instance (not a gateway VM) that you want to scan.

    Note that the scan is performed on the ports you specify, within the Aviatrix-managed VPC/VNet associated with the selected instance.

  4. In the properties pane, click the Security Scanner button.

  5. In Ports, select the port(s) you want Security Scanner to scan.

    You can specify one or multiple individual ports or a range of ports (for example, 8000:8010).

    There is no limit on the number of ports you can select.

  6. Click Run.

    A process on a Spoke gateway that is associated with the selected instance scans the port(s) you specified, inspecting TLS/SSL protocols. The results of the scan display in the right pane.

  7. Analyze the scan report results:

    • A scan rating: The rating reflects the ranking of the TLS services found on the encrypted connections. The rankings are defined by a well-known security source that tracks vulnerable cipher suites. Rankings include:

      TLS Rating   Meaning       Description

      A+           Very secure   The service follows recommended standards by providing only TLS 1.3 with strong cipher suites for the most secure sessions.

      A            Secure        The service uses TLS 1.2 or a more recent version with strong cipher suites, which are considered secure.

      B            Weak          The service uses TLS 1.0 or a more recent version and/or weak cipher suites that may be supported by a wider range of devices but are not recommended from a security point of view.

      C            Insecure      The service uses invalid certificates (self-signed, expired, or signed with a private root certificate), relies on the deprecated SSL 3 or older protocols, or uses deprecated cipher suites that are considered insecure.

    • A list of vulnerabilities: The table lists all vulnerabilities encountered by the scan.

  8. If you want to show only vulnerabilities associated with actionable tasks, enable the Show only Vulnerabilities filter.

  9. Take action to mitigate any vulnerabilities found, then run the security scan again to confirm the vulnerabilities are removed.
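The following script is an added example, not Aviatrix or CoPilot code: it reproduces from a workstation the checks the scan report describes (which TLS versions a port accepts, which cipher suites are negotiated, whether the certificate chain is trusted) and applies the A+/A/B/C rules from the rating table above. It also accepts the same port syntax as the Ports field (individual ports, comma-separated lists, and ranges such as 8000:8010). The split of cipher suites into strong, weak and insecure is an assumption modelled on common TLS grading practice, since the page does not publish the list its rating source uses; the target host and port in the usage line are hypothetical. Validate certificates with the same trust store your clients use, because a private root that your workstation trusts would not show up as untrusted here.

```python
"""Workstation re-implementation of the Security Scanner checks.
Added example; not Aviatrix/CoPilot code. Usage: python tls_check.py HOST PORTS"""
import socket
import ssl
import sys
from dataclasses import dataclass, field

# Assumed cipher classification (not the page's list): AEAD suites with forward
# secrecy are strong, legacy constructions are insecure, everything else is weak.
INSECURE_MARKERS = ("RC4", "NULL", "EXPORT", "ADH", "AECDH", "DES-CBC-SHA", "MD5")
STRONG_KX = ("TLS_", "ECDHE-", "DHE-")       # TLS 1.3 suites or (EC)DHE key exchange
STRONG_AEAD = ("GCM", "CHACHA20", "CCM")

# One handshake per pinned version. SSL 3 cannot be probed from a modern
# Python/OpenSSL, so a server that still offers it is not detected here.
VERSION_PINS = (
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1", ssl.TLSVersion.TLSv1),
)


def parse_ports(spec: str) -> list[int]:
    """Expand the Ports field syntax ("443", "443,8443", "8000:8010") into ints."""
    ports: set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        lo_p = int(lo)
        hi_p = int(hi) if hi else lo_p
        if not 1 <= lo_p <= hi_p <= 65535:
            raise ValueError(f"bad port specification: {item!r}")
        ports.update(range(lo_p, hi_p + 1))
    return sorted(ports)


def cipher_class(name: str) -> str:
    """Classify an OpenSSL cipher name as 'insecure', 'weak' or 'strong'."""
    if any(m in name for m in INSECURE_MARKERS):
        return "insecure"
    if name.startswith(STRONG_KX) and any(a in name for a in STRONG_AEAD):
        return "strong"
    return "weak"


@dataclass
class TlsObservation:
    versions: list[str]       # protocol versions the server agreed to, e.g. "TLSv1.2"
    ciphers: list[str]        # cipher negotiated in each of those handshakes
    cert_valid: bool          # chain and hostname verified against the local trust store
    findings: list[str] = field(default_factory=list)


def rate_service(obs: TlsObservation) -> str:
    """Apply the A+/A/B/C rules from the scan rating table to one observation."""
    classes = {cipher_class(c) for c in obs.ciphers}
    if (not obs.cert_valid or "insecure" in classes
            or any(v.startswith("SSLv") for v in obs.versions)):
        return "C"          # invalid cert, SSL 3 or older, or insecure cipher suite
    if "weak" in classes or any(v in ("TLSv1", "TLSv1.1") for v in obs.versions):
        return "B"          # TLS 1.0/1.1 accepted and/or weak cipher suites
    if set(obs.versions) == {"TLSv1.3"}:
        return "A+"         # only TLS 1.3 with strong suites
    return "A"              # TLS 1.2 or later with strong suites


def probe(host: str, port: int, timeout: float = 5.0) -> TlsObservation:
    """Handshake with host:port once per TLS version, then once with full verification."""
    obs = TlsObservation(versions=[], ciphers=[], cert_valid=False)
    for label, pin in VERSION_PINS:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False        # this pass only asks which versions work
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.minimum_version = pin
            ctx.maximum_version = pin
            with socket.create_connection((host, port), timeout=timeout) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                obs.versions.append(tls.version() or label)
                obs.ciphers.append(tls.cipher()[0])
        except (ssl.SSLError, OSError, ValueError):
            continue                      # version rejected, or unsupported locally
    ctx = ssl.create_default_context()    # system trust store, hostname check on
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw, \
                ctx.wrap_socket(raw, server_hostname=host):
            obs.cert_valid = True
    except ssl.SSLCertVerificationError as exc:
        # self-signed, private root, expired and name mismatch all land here
        obs.findings.append(f"certificate not trusted: {getattr(exc, 'verify_message', exc)}")
    except (ssl.SSLError, OSError) as exc:
        obs.findings.append(f"verification handshake failed: {exc}")
    obs.findings += [f"accepts outdated protocol {v}" for v in obs.versions
                     if v in ("TLSv1", "TLSv1.1")]
    obs.findings += [f"{cipher_class(c)} cipher suite negotiated: {c}"
                     for c in obs.ciphers if cipher_class(c) != "strong"]
    if not obs.versions:
        obs.findings.append("no TLS handshake completed on this port")
    return obs


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # hypothetical target
    for p in parse_ports(sys.argv[2] if len(sys.argv) > 2 else "443"):
        result = probe(target, p)
        print(f"{target}:{p} rating={rate_service(result)} versions={result.versions}")
        for finding in result.findings:
            print("  -", finding)
```

Run it against the same instance and ports you selected in CoPilot before and after remediation; a port should move from C or B to A or A+ once the invalid certificate is replaced and the outdated protocol versions and weak suites are disabled on the service.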