We have a small segment of our network locked down for credit card processing and we have a separate server with McAfee ePO and VSE for just that small network segment.
Since this server is in the same VLAN as other servers which process credit card transactions, it falls within our scope for PCI DSS compliance.
Unfortunately, my scans (from Tenable Nessus) show vulnerabilities for self-signed certificates on the ports used by Apache (agent-server communications) and Tomcat (client-server communications).
ePO allows you to install a certificate and key for HTTPS communications, but apparently has no way to install third-party signed certificates for other communications.
This was confirmed by a call to McAfee support.
This seems like a strange oversight for a company that should be security conscious.
Has anyone else run into this?
If so, do you have any advice?