
PCI Scan Fails SSL Certificate Check on Checkpoint Firewall

Question asked by piesam229 on Oct 17, 2013
Latest reply on Oct 17, 2013 by PSears

Hi,

 

We have a Checkpoint SecurePlatform R75 firewall cluster that also serves as a VPN gateway for Remote Access users who use Checkpoint's Endpoint Security client to connect to the network.  This requires SSL connectivity to the VPN gateway for the initial setup of the IPsec tunnel each time a user needs to connect.  Following a successful SSL session, the client sets up an IPsec tunnel with the gateway in which user authentication is done by a PIN code and an OTP generated by FOB keys (authentication is performed against a RADIUS server).

 

The VPN gateway has a certificate generated from its own internal CA which it presents to the clients in the SSL session.  This is where the PCI scan is failing with the following symptoms:

 

1.  "SSL Certificate - Self-Signed Certificate"

2.  "SSL Certificate - Signature Verification Failed Vulnerability"

 

I am thinking that this may be a false positive given that, with SSL connectivity alone, I don't think an attacker may be able to do anything.  The subject would still need to be authenticated using the method described above in order to gain access to our network.

 

Any help on this matter would be greatly appreciated.

 

Thanks in advance.

 

Best regards,

Pierre
