Security, WIDS/WIPS and Aruba ECS

MVP
Posts: 291
Registered: ‎11-04-2008

Need ideas to secure, improve guest access

We are providing a wireless guest network using captive portal and local user accounts from the Aruba controller. The DHCP server for the guest network is a pool of class C IP addresses.

Every once in a while the DHCP/DNS server was DoS attacked and stopped working. Sometimes the guest network is down because of this DoS attack.

Because the DHCP service is open to the public, anyone can associate to the guest ESSID and the DHCP server will offer an IP address. Does anyone have any better idea how to secure/improve this wireless guest access?

Regards,

Trinh Nguyen
~Trinh Nguyen~
Boys Town
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Need ideas to secure, improve guest access

I've wondered this too, the only thing I came up with is a WPA PSK. That's very unappealing considering the size of our company and the number of sites that a PSK would have to be disseminated to on a regular basis.
Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: Need ideas to secure, improve guest access

Only allow port 80 and/or 443 traffic. - this covers most all your problems

Deny inter-user bridging, inter-user traffic. - users can't communicate between each other. This prevents spoofing attacks.

Turn on DoS prevention on the SSID - blacklists clients for DoS attacks.

Protect your DHCP servers to only allow requests from clients on port 67.
Aruba Employee
Posts: 509
Registered: ‎07-03-2008

Re: Need ideas to secure, improve guest access

Point taken Greg, but what we're both concerned about is DoS attacks against the DHCP server that provides IP addresses for our guests. Since anyone can get on our guest SSIDs, and they have to get an IP address, we can't block DHCP.

Trinh was saying he's had DoS attacks where someone depleted his DHCP pool by sending many DHCP requests and taking all the addresses.
Guru Elite
Posts: 21,587
Registered: ‎03-29-2007

Huge Pool and Short Leases..

Is my idea...


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 100
Registered: ‎11-07-2008

Re: Need ideas to secure, improve guest access

Ahh, I see now. I'm not sure what kind of DHCP server you're using, but if it's Windows you could use perfmon to monitor the leases and write an alert/script to delete leases if the number of leases reaches a certain level. Or do like Colin said and have a huge pool and very short leases.
MVP
Posts: 291
Registered: ‎11-04-2008

Re: Need ideas to secure, improve guest access

Thank you all for your responses.
I was using the DHCP server from my router, and DNS was sent to the ISP. (We want to keep guests completely out of our business network.) This is a bad configuration, because when the IP addresses from the DHCP server were depleted and the DoS was still going, the DHCP server was still getting DHCP requests, so it shut down the guest network.
For the captive portal to function, both DNS and DHCP services must work before authentication, so the DNS server can also be attacked the same way as the DHCP server.
My solution (not a perfect one yet, but it helps): set up a dedicated DHCP and DNS server, so when the services are DoS attacked, the guest network is still working. Also, as Greg suggested, configure the server to send an alert script when the DHCP pool is depleted.
Any better solutions, anyone?

Trinh Nguyen
~Trinh Nguyen~
Boys Town
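
The lease monitoring suggested in the thread, together with the effect of short leases, as an added example that is not code from any poster or from Aruba. The log format, thresholds and function names are assumptions made for illustration; real DHCP servers log leases in their own formats.

```python
from collections import deque
from datetime import datetime, timedelta

UTIL_ALERT_PCT = 80                   # assumed alert level: 80% of the pool leased
BURST_WINDOW = timedelta(seconds=60)
BURST_NEW_MACS = 20                   # assumed: 20 never-seen MACs per minute is abnormal

def parse(line):
    """Constructed format: '<ISO time> <ACK|RELEASE> <mac> <ip> <lease seconds>'."""
    ts, event, mac, ip, secs = line.split()
    return datetime.fromisoformat(ts), event, mac.lower(), ip, int(secs)

def monitor(lines, pool_size):
    leases, seen, recent_new = {}, set(), deque()   # ip -> expiry, known MACs, first-seen times
    alerts, active = [], set()

    def flag(kind, cond, now, value):               # alert once when a condition starts
        if cond and kind not in active:
            alerts.append((now, kind, value))
        (active.add if cond else active.discard)(kind)

    for line in lines:
        now, event, mac, ip, secs = parse(line)
        # Expire old leases first; this is where short lease times free the pool.
        leases = {i: exp for i, exp in leases.items() if exp > now}
        if event == "RELEASE":
            leases.pop(ip, None)
            continue
        leases[ip] = now + timedelta(seconds=secs)
        if mac not in seen:
            seen.add(mac)
            recent_new.append(now)
        while recent_new and now - recent_new[0] > BURST_WINDOW:
            recent_new.popleft()
        flag("POOL_HIGH", len(leases) * 100 >= pool_size * UTIL_ALERT_PCT, now, len(leases))
        flag("NEW_MAC_BURST", len(recent_new) >= BURST_NEW_MACS, now, len(recent_new))
    return alerts, len(leases)

def sample(lease_secs, flood=30):
    """Constructed input: 5 ordinary guests, a burst of `flood` new MACs, one late guest."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    t1 = t0 + timedelta(minutes=10)
    rows = [(t0 + timedelta(minutes=i), f"00:11:22:33:44:{i:02x}", 10 + i) for i in range(5)]
    rows += [(t1 + timedelta(seconds=i), f"02:00:00:00:00:{i:02x}", 100 + i) for i in range(flood)]
    rows.append((t1 + timedelta(minutes=10), "00:11:22:33:44:ff", 200))
    return [f"{t.isoformat()} ACK {mac} 10.0.0.{host} {lease_secs}" for t, mac, host in rows]
```

Running `monitor(sample(3600), pool_size=40)` and `monitor(sample(120), pool_size=40)` side by side shows the same burst raising a pool alert with one-hour leases but not with two-minute leases, where the pool has recovered by the time the late guest arrives.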