
LCD Console CL5708IN/CL5716IN technical questions

Discussion in 'KVM' started by DeanF, Aug 18, 2022.

  1. DeanF

    DeanF Guest

    Hello,

    I have a few technical questions about the capabilities of these IP enabled KVM devices:

    1) Can these devices have an internal PKI TLS certificate applied to them? The manual documents using OpenSSL to create a self-signed certificate so it seems like it is possible, but I'd like to confirm since it would be a hard requirement.

    2) I have an issue with an existing device that is flagged by Qualys scanning for lack of HTTPS security headers. Has anyone scanned these devices with an enterprise VA scanner to see if these devices are compliant?
     
  2. KVMGalore Expert

    KVMGalore Expert Staff Member

    Hello DeanF,

    Thank you for reaching out on our HelpCenter.

    PKI is just an overall term for certificate architecture. E.g., OpenSSL generated certs make a PKI.
    Do you have specific requirements for key generation?
    Would you use OpenSSL or another method?
    What key size?

    Please advise.

    Important note: To continue this discussion - please respond via KVMGalore HelpCenter thread, NOT via e-mail.
     
  3. KVMGalore Expert

    KVMGalore Expert Staff Member

    ATEN USA would need the specific concerns and report provided to them so that ATEN HQ in Taiwan can analyze it and properly address any questions.

     
  4. DeanF

    DeanF Guest

    In a perfect world, I would like the web UI to allow me to create the CSR so that I can take that to the PKI for signing and then import the signed file back in along with the certificate chain for the PKI to be recognized as legitimate.

    It is possible to create the certificate in OpenSSH and submit it to be signed, but that is a lot more manual effort to place a signed TLS certificate.
     
  5. DeanF

    DeanF Guest

    For the headers we are having issues related to Qualys QID 11827 HTTP Security Header Not Detected. Our existing solution pops this alert and the vendor will not make changes needed to resolve it.
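
Added example (not part of the original thread, and not ATEN's or Qualys's code): a POSIX shell check that reads a raw HTTP response and reports absent or weakened security headers, the kind of finding described in the post above. The header checklist is an assumption rather than the scanner's own definition, and the sample response is constructed.

```shell
#!/bin/sh
# Added example: audit raw HTTP response headers for security headers.
# REQUIRED is an assumed checklist, not the scanner's own definition.
REQUIRED="Strict-Transport-Security X-Content-Type-Options X-Frame-Options Content-Security-Policy"

# Print the value of header $1 found in header block $2 (names are case-insensitive).
header_value() {
    printf '%s\n' "$2" | grep -i "^$1:" | head -n 1 | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# Read a raw response on stdin; print one finding per line, nothing if clean.
audit_headers() {
    # Drop CRs and stop at the first blank line so body text is never parsed.
    block=$(tr -d '\r' | sed '/^$/q')
    for name in $REQUIRED; do
        value=$(header_value "$name" "$block")
        if [ -z "$value" ]; then
            # CSP frame-ancestors provides the anti-framing control on its own.
            if [ "$name" = "X-Frame-Options" ] &&
               header_value Content-Security-Policy "$block" | grep -qi 'frame-ancestors'; then
                continue
            fi
            echo "MISSING $name"
        elif [ "$name" = "Strict-Transport-Security" ] &&
             printf '%s\n' "$value" | grep -Eqi 'max-age=0([^0-9]|$)'; then
            echo "WEAK $name (max-age=0 disables HSTS)"
        fi
    done
}

# Constructed sample response, not captured from any real device.
sample_response() {
cat <<'EOF'
HTTP/1.1 200 OK
Server: example-embedded-httpd
Content-Type: text/html
strict-transport-security: max-age=0
Content-Security-Policy: default-src 'self'; frame-ancestors 'none'

<html>X-Content-Type-Options: nosniff</html>
EOF
}

sample_findings() { sample_response | audit_headers; }
sample_findings
```

Against a unit you administer, the same function can be fed the output of `curl -skI https://<device-address>/` in place of the constructed sample.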
     
  6. KVMGalore Expert

    KVMGalore Expert Staff Member

    What vendor are you referring to?

    Please advise.
     
  7. KVMGalore Expert

    KVMGalore Expert Staff Member

    There is a Certificate Signing Request option within the CL5708IN/16IN (see attached). You do have to access it through the web interface.
    OpenSSL steps are simply provided if someone wants to do it all themselves.

    Hope this helps!
    We welcome your questions - please come back and ask us anything, anytime. You may also give us a call at 1-800-636-3434 for further clarifications on this thread.

     


  8. KVMGalore Expert

    KVMGalore Expert Staff Member

    2nd request: What vendor are you referring to?

    Please advise.

     
  9. DeanF

    DeanF Guest

    I fail to see why this question can't be answered without my providing who the current vendor is that cannot comply with the vulnerability scan. Since apparently it cannot, the current vendor is Vertiv.
     
  10. KVMGalore Expert

    KVMGalore Expert Staff Member

    From your statement, it was not clear whether your existing device was a CL5708IN/CL5716IN, or a different ATEN device, or a different-brand device, and so clarification was needed.
     
  11. KVMGalore Expert

    KVMGalore Expert Staff Member

    ATEN USA has passed that along to ATEN HQ and Taiwan, and will have to wait and see what they say.

    Generally speaking of ATEN products, if there were specific issues that came up with their hardware, for example, tripping certain security alerts like that, it is very likely they would work towards resolving them either via firmware or some other workaround.
     
  12. DeanF

    DeanF Guest

    Thanks! Existing vendor has had this since 2020 and hasn't addressed it, which is why we are looking for a new product :) Awaiting the response from HQ.
     
  13. DeanF

    DeanF Guest

    Any updates from HQ on this question?
     
  14. DeanF

    DeanF Guest

    Does one of these systems exist that is directly connected to the Internet where we could run a scan ourselves to validate the header issue directly? If one is on the Internet we could answer the question. Alternately is there a way to get one temporarily for a POC so we could establish the answer ourselves?
     
  15. KVMGalore Expert

    KVMGalore Expert Staff Member

    Yes!
    "Regarding network CVEs, CL5708i/CL5716i can implement multiple encryption protocols and certificates which can be enforced for every connection (as in, even if the IP is discoverable, rogue access is refused). There are no available ports for telnet access either (regular GUI access is required).
    We would have to confirm internally if the presence (or lack) of HTTP headers would be recognized by the same vulnerability scanner on CL5708i."
     
  16. KVMGalore Expert

    KVMGalore Expert Staff Member

    We can arrange with ATEN to set up a demo but it will take a couple days to get and prep the unit.
    Please advise if you'd like us to facilitate this.
     
  17. DeanF

    DeanF Guest

    Yes, a demo would let us run a scan to confirm the vulnerability data. How would I arrange that?
     
  18. KVMGalore Expert

    KVMGalore Expert Staff Member

    To set up a demo, ATEN needs to be able to report this to their IT team, as a scan is sure to set off alerts.

    Could you provide an IP range ATEN should expect the scan to come from and the date and time?
     
  19. DeanF

    DeanF Guest

    Happy to provide it if we can move the conversation to direct e-mail? Don't want to be posting the IP information in a public message forum.
     
  20. KVMGalore Expert

    KVMGalore Expert Staff Member

    Sure!

    Please use email address: info@kvmgalore.com
    Subject: CL5708IN/CL5716IN technical questions
    Please provide:
    a) an IP range ATEN should expect the scan to come from
    b) date and time in which you are planning on performing the scan
     
