Port 8088

  • 1.  Port 8088

    Posted May 03, 2012 02:01 PM

    So our entire network just had a security scan, and port 8088 came back as open, and a "high" vulnerability. Looking through our config, it appears that 8088 is used for captive portal, for traffic that users are web-proxying:

    ip access-list session captiveportal
      user any svc-http-proxy1  dst-nat 8088
      user any svc-http-proxy2  dst-nat 8088
      user any svc-http-proxy3  dst-nat 8088

    netservice svc-http-proxy1 tcp 3128
    netservice svc-http-proxy2 tcp 8080
    netservice svc-http-proxy3 tcp 8888

    It seems like web proxying would be a fairly rare use case... is there a reason it's included by default for captive portal? Anything I should worry about when I turn her off?

    Also, even if I remove all config bits with 8088 referenced, 8088 is still going to be open... any idea how to turn it off? Just create an ACL and apply it to all interfaces?



  • 2.  RE: Port 8088

    Posted May 03, 2012 02:14 PM

    You're right, in that it's there to redirect your web login/captive portal users using common proxy ports to the login page (on the controller). It's there by default to give flexibility. You can take out those rules (make sure you leave in the HTTP/HTTPS redirects); the consequence is user devices with proxy ports set won't be redirected (and will get stuck).

    I don't consider it a security risk; as you'll note from the rules, it destination-NATs it to the controller (which is secure in itself).

    If you take the rules out of the ACL, that type of traffic will be dropped. So you've nothing to worry about on that front.



  • 3.  RE: Port 8088

    Posted May 03, 2012 05:57 PM

    Perfect.  Thanks for your help!



  • 4.  RE: Port 8088

    EMPLOYEE
    Posted May 04, 2012 06:26 AM

    @The.racking.monkey wrote:

    You're right, in that it's there to redirect your web login/captive portal users using common proxy ports to the login page (on the controller). It's there by default to give flexibility. You can take out those rules (make sure you leave in the HTTP/HTTPS redirects); the consequence is user devices with proxy ports set won't be redirected (and will get stuck).

    I don't consider it a security risk; as you'll note from the rules, it destination-NATs it to the controller (which is secure in itself).

    If you take the rules out of the ACL, that type of traffic will be dropped. So you've nothing to worry about on that front.


    The rules in that ACL only apply to clients that are attached to a captive portal WLAN or an untrusted wired port to redirect the traffic to port 8081.  Removing the rules does NOT prevent the controller from answering on that port.

    Please have the security people detail why that port is an issue.  Quite a few security scans just scan for ports and do not detail what the real problem is.
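The replies above make two separate points: the session ACL decides which client flows get destination-NATed to the controller's captive-portal listener, and removing the svc-http-proxy rules only changes what happens to those flows (nothing matches, so they are dropped) without touching the listener itself. The following script is an added illustration, not code from the thread or from HPE Aruba Networking: it parses the ACL and netservice lines quoted in the first post, evaluates a client flow against the rules in order, and shows the before/after effect of dropping the proxy-port rules. The svc-http and svc-https redirect lines (to 8080 and 8081) and their netservice definitions are constructed here to stand in for the HTTP/HTTPS redirects reply 2 says to keep; they are not copied from the thread.

```python
"""Parse an ArubaOS-style captive-portal session ACL and evaluate flows.

Added example; the svc-http/svc-https lines are constructed approximations
of the HTTP/HTTPS redirect rules mentioned in the thread.
"""
import re

# Constructed sample config: the thread's proxy rules plus assumed
# HTTP/HTTPS redirect rules (8080/8081 are illustrative, not from the thread).
SAMPLE_CONFIG = """\
ip access-list session captiveportal
  user any svc-http dst-nat 8080
  user any svc-https dst-nat 8081
  user any svc-http-proxy1  dst-nat 8088
  user any svc-http-proxy2  dst-nat 8088
  user any svc-http-proxy3  dst-nat 8088

netservice svc-http tcp 80
netservice svc-https tcp 443
netservice svc-http-proxy1 tcp 3128
netservice svc-http-proxy2 tcp 8080
netservice svc-http-proxy3 tcp 8888
"""

NETSERVICE_RE = re.compile(r"^netservice\s+(\S+)\s+(tcp|udp)\s+(\d+)\s*$")
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d+))?\s*$")


def parse_netservices(config):
    """Map each netservice alias to a (protocol, port) tuple."""
    services = {}
    for line in config.splitlines():
        m = NETSERVICE_RE.match(line.strip())
        if m:
            services[m.group(1)] = (m.group(2), int(m.group(3)))
    return services


def parse_session_acl(config, acl_name):
    """Collect the rules of one 'ip access-list session' block, in order.

    Each rule is a dict with src, dst, service, action and arg (the dst-nat
    port when present). The block ends at the first non-indented line.
    """
    rules = []
    inside = False
    for line in config.splitlines():
        if line.startswith("ip access-list session "):
            inside = line.split()[-1] == acl_name
            continue
        if inside and line[:1].isspace() and line.strip():
            m = RULE_RE.match(line.strip())
            if m:
                src, dst, service, action, arg = m.groups()
                rules.append({"src": src, "dst": dst, "service": service,
                              "action": action,
                              "arg": int(arg) if arg else None})
        elif inside and not line[:1].isspace():
            inside = False
    return rules


def evaluate(rules, services, proto, dport):
    """First-match evaluation of a client flow against the session ACL.

    Returns ("dst-nat", port) when a redirect rule matches, otherwise
    ("no-match", None); per the replies, unmatched traffic in this ACL
    is dropped rather than redirected.
    """
    for rule in rules:
        if services.get(rule["service"]) == (proto, dport) \
                and rule["action"] == "dst-nat":
            return ("dst-nat", rule["arg"])
    return ("no-match", None)


def without_service_prefix(rules, prefix):
    """The change proposed in the first post: drop every rule whose
    netservice alias starts with the given prefix."""
    return [r for r in rules if not r["service"].startswith(prefix)]


def summarize(config, acl_name="captiveportal"):
    """For every defined service, the redirect result before and after
    removing the svc-http-proxy* rules."""
    services = parse_netservices(config)
    rules = parse_session_acl(config, acl_name)
    trimmed = without_service_prefix(rules, "svc-http-proxy")
    return {name: (evaluate(rules, services, proto, port),
                   evaluate(trimmed, services, proto, port))
            for name, (proto, port) in services.items()}


if __name__ == "__main__":
    for name, (before, after) in summarize(SAMPLE_CONFIG).items():
        print(f"{name:16} before: {before}  after removing proxy rules: {after}")
```

Running it shows that a client configured to use a proxy on 3128, 8080 or 8888 is redirected to 8088 with the default rules and matches nothing once they are removed, while the HTTP/HTTPS flows are unaffected. What the script cannot show is the point made in the last reply: the listener on the controller is not governed by this ACL, so an external scanner will report the port open either way, and the right follow-up is to ask the scanning team what finding they attach to it.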