Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Locking down AOS and PEN Testing

  • 1.  Locking down AOS and PEN Testing

    Posted Mar 02, 2012 03:36 AM

    Hi again,


    We have a RAP implementation that I am subjecting to PEN testing in the coming weeks, and I would like to know any gotchas and suggestions around locking down AOS. In particular, anything surrounding:

    1. Local ENET interfaces on the RAP. E.g. locking down enet0 for uplink, preventing uplink using any other ENET...

    2. MGMT interface. E.g. SSH/HTTPS only?

    3. LAN interface. E.g. In/Out/Session...


    Any help would be appreciated!



  • 2.  RE: Locking down AOS and PEN Testing

    EMPLOYEE
    Posted Mar 02, 2012 03:38 AM

    Is this an internal or external penetration test?




  • 3.  RE: Locking down AOS and PEN Testing

    Posted Mar 02, 2012 04:57 AM

    Hi,


    It will be tested from both ends, internally on net and using a RAP-2WG at a SOHO location.


    Kind regards, thanks for the quick reply!



  • 4.  RE: Locking down AOS and PEN Testing

    EMPLOYEE
    Posted Mar 02, 2012 05:19 AM

    Make sure that any WLAN that is broadcasting is using WPA2-AES. Make sure that the wired ports are using wired 802.1x.


    Those are the two best things that you can do.




  • 5.  RE: Locking down AOS and PEN Testing

    Posted Mar 02, 2012 05:24 AM

    Thanks for the reply.


    So by default, the ap-uplink-acl that is applied to enet0 through the ap system profile is secure? Dot1X on enet1 is in the project plan, so that is good.


    All WLANs are WPA2-AES already.


    In terms of protecting the MGMT interface to allow only SSH/HTTPS, should I apply just a session acl to meet this goal and make the port untrusted?



  • 6.  RE: Locking down AOS and PEN Testing
    Best Answer

    EMPLOYEE
    Posted Mar 02, 2012 05:33 AM

    You can apply a session ACL, but do not mark the port untrusted.  Making it untrusted will make all of your wired traffic show up in the user table.


    Appendix B of the ArubaOS 6.1 user guide has a chapter named "External Firewall Configuration" which details which ports for AP to controller, controller to management systems and management user to controller need to be open to function correctly. That is the best place for this information.
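    One way to put the best answer into practice, as a constructed ArubaOS CLI fragment that is not from this thread or from the vendor's documentation (the ACL name, the management address 10.0.0.1, the interface number and the exact rule syntax are assumptions to check against the user guide): a session ACL that allows only SSH and HTTPS toward the controller's management address and logs anything else aimed at it, applied to the port while it stays trusted so wired traffic does not land in the user table.

```text
! Constructed example; verify keyword syntax against the ArubaOS 6.1 user guide.
! Session ACL: source  destination   service    action
ip access-list session mgmt-restrict
  any host 10.0.0.1 svc-ssh permit
  any host 10.0.0.1 svc-https permit
  any host 10.0.0.1 any deny log
  any any any permit
!
! Apply it to the wired port. Leave the port trusted (the default); do NOT
! configure "no trusted" here, or all wired traffic is tracked as users.
interface gigabitethernet 1/0
  ip access-group mgmt-restrict session
  trusted
```

    After applying it, confirm from a test host that SSH and HTTPS to 10.0.0.1 still work and that other management protocols are refused, and cross-check the permitted ports against the "External Firewall Configuration" appendix so AP-to-controller traffic is not caught by the deny rule.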