Wireless Access

Occasional Contributor I
Posts: 7
Registered: ‎05-03-2012

Port 8088

So our entire network just had a security scan, and port 8088 came back as open, and a "high" vulnerability.  Looking through our config, it appears that 8088 is used for captive portal, for traffic that users are web-proxying:

ip access-list session captiveportal
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088

netservice svc-http-proxy1 tcp 3128
netservice svc-http-proxy2 tcp 8080
netservice svc-http-proxy3 tcp 8888

It seems like web proxying would be a fairly rare use case... is there a reason it's included by default for captive portal?  Anything I should worry about when I turn her off?

 

Also, even if I remove all config bits with 8088 referenced, 8088 is still going to be open... any idea how to turn it off? Just create an ACL and apply it to all interfaces?

MVP
Posts: 562
Registered: ‎11-28-2011

Re: Port 8088

You're right, in that it's there to redirect your web login/captive portal users using common proxy ports to the login page (on the controller). It's there by default to give flexibility. You can take out those rules (make sure you leave in the HTTP/HTTPS redirects), the consequence is user devices with proxy ports set won't be redirected (and will get stuck).

 

I don't consider it a security risk, as you'll note from the rules, it destination-NATs it to the controller (which is secure in itself).

 

If you take the rules out of the ACL, that type of traffic will be dropped. So you've nothing to worry about on that front.

Kudos appreciated, but I'm not hunting! (ACMX 104)
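To make the two points above concrete (the proxy-port rules only steer client traffic on 3128/8080/8888 to the controller's 8088, and taking them out while keeping the HTTP/HTTPS redirects is what changes), here is an added example that is not from the thread or from Aruba. It parses an ArubaOS-style session ACL plus its netservice definitions into a redirect table and shows the before/after. The config text is constructed: the rules quoted in the original post plus the svc-http -> 8080 and svc-https -> 8081 redirect lines that the ArubaOS default captiveportal ACL is assumed to carry; the function names are mine.

```python
"""Resolve an ArubaOS-style captive portal session ACL into a redirect table
(client destination port -> controller port the traffic is dst-NATed to) and
show what changes when the three proxy-port rules are removed.

Added example, not taken from the forum thread or from Aruba. SAMPLE_CONFIG is
constructed: the rules quoted in the post plus the HTTP/HTTPS redirect lines
the ArubaOS default captiveportal ACL is assumed to contain.
"""
import re
from collections import namedtuple

Rule = namedtuple("Rule", "src dst service action nat_port")

# Constructed sample config (assumed default-style layout, not a real controller dump).
SAMPLE_CONFIG = """\
netservice svc-http tcp 80
netservice svc-https tcp 443
netservice svc-http-proxy1 tcp 3128
netservice svc-http-proxy2 tcp 8080
netservice svc-http-proxy3 tcp 8888
ip access-list session captiveportal
  user alias controller svc-https dst-nat 8081
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1 dst-nat 8088
  user any svc-http-proxy2 dst-nat 8088
  user any svc-http-proxy3 dst-nat 8088
"""

# The three rules the original poster wants to drop (netservice names from the post).
PROXY_SERVICES = frozenset({"svc-http-proxy1", "svc-http-proxy2", "svc-http-proxy3"})


def parse_netservices(config):
    """Map netservice alias -> (proto, port) for the single-port form used here."""
    services = {}
    for m in re.finditer(r"^netservice\s+(\S+)\s+(tcp|udp)\s+(\d+)\s*$", config, re.M):
        name, proto, port = m.groups()
        services[name] = (proto, int(port))
    return services


def parse_acl(config, acl_name):
    """Return the Rule entries of one 'ip access-list session' block.

    Grammar subset seen in the post: <src> <dst | alias NAME> <service> <action> [port].
    """
    rules, in_acl = [], False
    for line in config.splitlines():
        if line.startswith("ip access-list session "):
            in_acl = line.split()[-1] == acl_name
            continue
        if not in_acl or not line.startswith(" "):
            continue
        toks = line.split()
        src, i = toks[0], 1
        if toks[i] == "alias":
            dst, i = f"alias {toks[i + 1]}", i + 2
        else:
            dst, i = toks[i], i + 1
        service, action = toks[i], toks[i + 1]
        nat_port = int(toks[i + 2]) if action == "dst-nat" and len(toks) > i + 2 else None
        rules.append(Rule(src, dst, service, action, nat_port))
    return rules


def redirect_table(config, acl_name="captiveportal"):
    """Client destination port -> controller port, for every dst-nat rule in the ACL."""
    services = parse_netservices(config)
    table = {}
    for r in parse_acl(config, acl_name):
        if r.action != "dst-nat" or r.service not in services:
            continue
        _, port = services[r.service]
        table.setdefault(port, r.nat_port)  # first matching rule wins, as in the ACL
    return table


def strip_services(config, services):
    """Return the config with every ACL rule that references one of `services` removed.
    netservice definitions (unindented) are left alone; only indented rule lines go."""
    kept = [l for l in config.splitlines()
            if not (l.startswith(" ") and any(t in services for t in l.split()))]
    return "\n".join(kept) + "\n"


def lost_redirects(before, after):
    """Client destination ports that were steered to the controller and now are not."""
    return set(before) - set(after)


if __name__ == "__main__":
    before = redirect_table(SAMPLE_CONFIG)
    trimmed = strip_services(SAMPLE_CONFIG, PROXY_SERVICES)
    after = redirect_table(trimmed)
    print("before:", sorted(before.items()))
    print("after: ", sorted(after.items()))
    print("client ports no longer redirected:", sorted(lost_redirects(before, after)))
    print("controller ports still targeted by the ACL:", sorted(set(after.values())))
    # This only changes what the ACL steers to the controller; whether the
    # controller itself still answers on 8088 has to be checked separately.
```

Running it shows ports 3128, 8080 and 8888 dropping out of the redirect table while 80 -> 8080 and 443 -> 8081 stay, which is exactly the "keep the HTTP/HTTPS redirects" advice; the set of controller ports the trimmed ACL targets shrinks to 8080/8081, but that says nothing about which ports the controller listens on.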
Occasional Contributor I
Posts: 7
Registered: ‎05-03-2012

Re: Port 8088

Perfect.  Thanks for your help!

Guru Elite
Posts: 21,584
Registered: ‎03-29-2007

Re: Port 8088


The.racking.monkey wrote:

You're right, in that it's there to redirect your web login/captive portal users using common proxy ports to the login page (on the controller). It's there by default to give flexibility. You can take out those rules (make sure you leave in the HTTP/HTTPS redirects), the consequence is user devices with proxy ports set won't be redirected (and will get stuck).

 

I don't consider it a security risk, as you'll note from the rules, it destination-NATs it to the controller (which is secure in itself).

 

If you take the rules out of the ACL, that type of traffic will be dropped. So you've nothing to worry about on that front.


The rules in that ACL only apply to clients that are attached to a captive portal WLAN or an untrusted wired port to redirect the traffic to port 8081.  Removing the rules does NOT prevent the controller from answering on that port.

 

Please have the security people detail why that port is an issue.  Quite a few security scans just scan for ports and do not detail what the real problem is.

 



Colin Joseph
Aruba Customer Engineering
