Wireless Access

Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Locking down AOS and PEN Testing

Hi again,


We have a RAP implementation that I am subjecting to PEN testing in the coming weeks, and I would like to know any gotchas and suggestions around locking down AOS. In particular, anything surrounding:

1. Local ENET interfaces on the RAP. E.g. locking down enet0 for uplink, preventing uplink using any other ENET...

2. MGMT interface. E.g. SSH/HTTPS only?

3. LAN interface. E.g. In/Out/Session...


Any help would be appreciated!

Any amount of Kudos will be greatly appreciated!!!
Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Locking down AOS and PEN Testing

Is this an internal or external penetration test?

Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Re: Locking down AOS and PEN Testing

Hi,


It will be tested from both ends, internally on net and using a RAP-2WG at a SOHO location.


Kind regards, thanks for the quick reply!

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Locking down AOS and PEN Testing

Make sure that any WLAN that is broadcasting is using WPA2-AES. Make sure that the wired ports are using wired 802.1X.


Those are the two best things that you can do.

Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 67
Registered: ‎02-24-2010

Re: Locking down AOS and PEN Testing

Thanks for the reply:


So by default, the ap-uplink-acl that is applied to enet0 through the AP system profile is secure? 802.1X on enet1 is in the project plan, so that is good.


All WLANs are WPA2-AES already.


In terms of protecting the MGMT interface to allow only SSH/HTTPS, should I apply just a session ACL to meet this goal and make the port untrusted?

Guru Elite
Posts: 21,491
Registered: ‎03-29-2007

Re: Locking down AOS and PEN Testing

You can apply a session ACL, but do not mark the port untrusted. Making it untrusted will make all of your wired traffic show up in the user table.


Appendix B of the ArubaOS 6.1 user guide has a chapter named "External Firewall Configuration" which details which ports for AP to controller, controller to management systems, and management user to controller need to be open to function correctly. That is the best place for this information.

Colin Joseph
Aruba Customer Engineering

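As an added illustration of the advice above (not configuration from this thread or from Aruba), here is what a management-only session ACL applied to a trusted controller port looks like in ArubaOS 6.x CLI, with the port left trusted so wired traffic does not land in the user table. The ACL name `mgmt-only` and the interface `gigabitethernet 1/0` are assumed placeholders; adjust them to the port that actually carries management traffic.

```
! Session ACL: permit only SSH and HTTPS to the controller, log and deny everything else.
! Rule format is <source> <destination> <service> <action>.
ip access-list session mgmt-only
  any any svc-ssh   permit
  any any svc-https permit
  any any any       deny log

! Bind the ACL to the management-facing port.
! Note: no "no trusted" on this interface; the port stays trusted as the reply recommends,
! so the ACL filters traffic without pushing every wired host into the user table.
interface gigabitethernet 1/0
  ip access-group mgmt-only session
```

Cross-check the permitted services against the "External Firewall Configuration" appendix referenced above before you cut over, since AP-to-controller and controller-to-management-system traffic (PAPI, RADIUS, syslog, etc.) must not be blocked by the same rule if it shares the port.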
