Contributor I
Posts: 43
Registered: 06-19-2014

Disable SSH/WebUI on outside interface

We have noticed brute-force attacks on the outside interfaces of our controllers. I want to disable all management access on the outside interface (SSH, Telnet, WebUI; please fill in any I missed). The public IPs are assigned on a VLAN on the controller, so there is no NAT or firewall between our controllers and the internet. From the forum I see that an ACL has to be applied. We use our controllers to terminate RAPs, so I want to make sure my ACL below is correct and will not interrupt communication. Per the VRD, under "Firewall Ports":

"RAPs connect to the controller on UDP port 4500 for establishing the IPsec connection. So this port should be opened on all the firewalls leading up to the controllers in the DMZ."

The allow-all statement at the bottom should allow this traffic.

ip access-list session Block-TermServ
Block-TermServ
--------------
Priority  Source  Destination  Service     Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  ----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          svc-ssh     deny                                   Low                                                            4
2         any     any          svc-telnet  deny                                   Low                                                            4
3         any     any          svc-http    deny                                   Low                                                            4
4         any     any          svc-https   deny                                   Low                                                            4
5         any     any          any         permit                                 Low                                                            4

Guru Elite
Posts: 8,456
Registered: 09-08-2010

Re: Disable SSH/WebUI on outside interface

The controller GUI uses TCP 4343, so you can remove the two http and https policies and add one for that port. 

Otherwise, looks correct.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I

Re: Disable SSH/WebUI on outside interface

Like this...

ip access-list session Block-TermServ
Block-TermServ
--------------
Priority  Source  Destination  Service     Action  TimeRange  Log  Expired  Queue  TOS  8021P  Blacklist  Mirror  DisScan  ClassifyMedia  IPv4/6
--------  ------  -----------  ----------  ------  ---------  ---  -------  -----  ---  -----  ---------  ------  -------  -------------  ------
1         any     any          svc-ssh     deny                                   Low                                                            4
2         any     any          svc-telnet  deny                                   Low                                                            4
3         any     any          tcp 4343    deny                                   Low                                                            4
4         any     any          any         permit                                 Low                                                            4

As always, thanks Tim.


Guru Elite

Re: Disable SSH/WebUI on outside interface

Looks good!


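The point of Tim's correction is first-match ACL semantics: the original list denied svc-http/svc-https (80/443) but the controller WebUI listens on TCP 4343, so the closing "any any any permit" let it through, while the same permit is what carries the RAP IPsec traffic on UDP 4500. The following is an added example, not code from the thread or from Aruba: a small offline evaluator for ArubaOS-style session ACL rules that walks both versions of Block-TermServ against the flows that matter here. It assumes the port numbers behind the built-in aliases used above (svc-ssh 22/tcp, svc-telnet 23/tcp, svc-http 80/tcp, svc-https 443/tcp), matches on protocol and destination port only (source and destination are fixed at "any", and the stateful behaviour of a real session ACL is not modelled), and applies the implicit deny that ArubaOS session ACLs have for unmatched traffic. Rule text and flow names are this example's own notation.

```python
"""Offline first-match evaluation of ArubaOS-style session ACL rules.

Added example (not from the Airheads thread); the rule and flow notation is
this script's own, only the service aliases and ports come from the thread.
"""

from typing import NamedTuple, Optional

# Assumed port numbers behind the ArubaOS built-in aliases used in the thread.
SERVICE_ALIASES = {
    "svc-ssh": ("tcp", 22),
    "svc-telnet": ("tcp", 23),
    "svc-http": ("tcp", 80),
    "svc-https": ("tcp", 443),
}


class Rule(NamedTuple):
    proto: Optional[str]  # None = any protocol
    port: Optional[int]   # None = any destination port
    action: str           # "permit" or "deny"


def parse_rule(line: str) -> Rule:
    """Parse 'any any <service> <action>' where <service> is 'any',
    a built-in alias, or '<proto> <port>' (e.g. 'any any tcp 4343 deny')."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "any" or tok[1] != "any":
        raise ValueError(f"only 'any any ...' rules are modelled: {line!r}")
    action, svc = tok[-1], tok[2:-1]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in rule: {line!r}")
    if svc == ["any"]:
        return Rule(None, None, action)
    if len(svc) == 1:
        proto, port = SERVICE_ALIASES[svc[0]]
        return Rule(proto, port, action)
    if len(svc) == 2:
        return Rule(svc[0].lower(), int(svc[1]), action)
    raise ValueError(f"unparseable service in rule: {line!r}")


def parse_acl(text: str) -> list[Rule]:
    return [parse_rule(ln) for ln in text.strip().splitlines() if ln.strip()]


def evaluate(acl: list[Rule], proto: str, port: int) -> str:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in acl:
        if rule.proto is not None and rule.proto != proto:
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action
    return "deny"


# The two ACL versions posted in the thread, in this script's rule notation.
ORIGINAL_ACL = parse_acl("""
any any svc-ssh deny
any any svc-telnet deny
any any svc-http deny
any any svc-https deny
any any any permit
""")

REVISED_ACL = parse_acl("""
any any svc-ssh deny
any any svc-telnet deny
any any tcp 4343 deny
any any any permit
""")

# Constructed test flows arriving on the internet-facing VLAN.
FLOWS = {
    "ssh": ("tcp", 22),
    "telnet": ("tcp", 23),
    "webui-4343": ("tcp", 4343),
    "rap-ipsec-natt": ("udp", 4500),
}


def audit(acl: list[Rule]) -> dict[str, str]:
    """Map each named flow to the action the ACL takes on it."""
    return {name: evaluate(acl, proto, port) for name, (proto, port) in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("revised", REVISED_ACL)):
        print(label, audit(acl))
```

Running it shows the original list still permitting webui-4343 while the revised list denies it, and both permitting rap-ipsec-natt through the closing permit rule. Extending FLOWS with any other service you expose on that VLAN is the quickest way to answer the OP's "anything I missed" question before the ACL is applied; an external port scan of the public IPs from outside afterwards confirms the controller actually behaves that way.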