Wireless Access

Regular Contributor I
Posts: 173
Registered: ‎10-22-2010

Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

The user-guide document advises not to enable the following global firewall options unless instructed by an Aruba representative. 

Prohibit RST Replay Attack
Disable FTP Server
Session Idle Timeout

Please advise how these options impact the network.

Regards,

Guru Elite
Posts: 8,325
Registered: ‎09-08-2010

Re: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

TAC or your Aruba SE might be able to answer this question, as the answer depends on your environment.


Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
MVP
Posts: 562
Registered: ‎11-28-2011

Re: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

Agree with the other point, in terms of you needing an official response. However...

I could guess what the other 2 do, but the one I have played with historically is the session idle timeout.

In the old days before we had better ways of doing things, I used to adapt this setting coupled with DoS prevention in the VAP (which ignores disconnects) to help things like iPhones on captive portals be a bit more practical (i.e. no constant re-logins to the CP). BUT, I want to stress you shouldn't fool around with this without understanding the consequences. Whilst I tested this just fine and tweaked the timers, you can overload a controller by doing it wrong!


Kudos appreciated, but I'm not hunting! (ACMX 104)
Regular Contributor I
Posts: 173
Registered: ‎10-22-2010

Re: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

Thank you for the replies. I have already raised a ticket with the TAC and am waiting to see the TAC suggestion.

I experimented with the "Disable ftp server" option. Normally I am able to FTP to the controller IP address from the cmd prompt on my PC, but I am not able to log in with any username & password.

But with "Disable ftp server" ticked, I am not able to FTP to the controller at all; it doesn't give a login prompt.

I was checking on some of the latest version 5.0 code. I believed the AP would not be able to download the image by FTP from the controller with "Disable ftp server" turned on. On the AP, at the apboot prompt, I did "clear os", "purge" and "factory_reset", but the AP was able to download the image by FTP. I was watching show datapath session table <AP IP>: I saw port 21, but I didn't see the ftp-data port 20 there.

I am still not clear about the purpose of "Disable ftp server" in the global firewall of the controller.


Guru Elite
Posts: 20,799
Registered: ‎03-29-2007

Re: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

Disabling FTP server stops access points from upgrading via FTP. They will do it via TFTP instead. This takes much longer than FTP, so this option should not be enabled in practice.

Prohibit RST Replay attack forces the controller firewall to ensure that there is a two-way conversation before sending traffic to hosts. This can delay traffic processing.

Some options have a purpose, but only to a few people, and they should not be changed at all. These are two of those options.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
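To make the "two-way conversation" idea concrete, here is an added toy model (not ArubaOS code; the controller's real datapath logic is not documented in this thread) of a stateful filter that honours a TCP RST only once it has seen packets in both directions of the flow. The addresses, the packet trace and the allow/drop verdicts are constructed for the illustration, and the class and function names are the example's own.

```python
"""Toy model of a 'two-way conversation' check for TCP RST.

Added illustration, not ArubaOS code. The model follows the description
in the thread: the firewall only honours traffic for a flow (here a RST)
once it has seen both sides of the conversation. Real controller
behaviour may differ in detail.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

FlowKey = Tuple[str, int, str, int]


@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "S" SYN, "SA" SYN-ACK, "A" ACK, "R" RST


@dataclass
class Session:
    initiator: Tuple[str, int]
    init_seen: bool = True    # the SYN that created the session
    resp_seen: bool = False   # becomes True once the peer has answered


class StatefulFilter:
    def __init__(self, prohibit_rst_replay: bool) -> None:
        self.prohibit = prohibit_rst_replay
        self.table: Dict[FlowKey, Session] = {}  # session table

    @staticmethod
    def key(p: Pkt) -> FlowKey:
        # Both directions of a flow map to the same key.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return a + b if a <= b else b + a

    def process(self, p: Pkt) -> str:
        k = self.key(p)
        sess = self.table.get(k)
        if sess is None:
            if p.flags == "S":
                self.table[k] = Session(initiator=(p.src, p.sport))
                return "allow"
            return "drop"  # non-SYN for an unknown flow: baseline stateful behaviour

        two_way = sess.init_seen and sess.resp_seen
        if "R" in p.flags:
            if self.prohibit and not two_way:
                # RST arriving before the peer has ever answered: treat as
                # a replayed/forged reset and do not tear the session down.
                return "drop"
            del self.table[k]
            return "allow"

        # Ordinary packet: record which side it came from, then forward it.
        if (p.src, p.sport) == sess.initiator:
            sess.init_seen = True
        else:
            sess.resp_seen = True
        return "allow"


# Constructed trace: a client opening a connection to a web server while a
# forged RST, claiming to come from the server, arrives before the server's
# real SYN-ACK.
CLIENT, SERVER = ("10.0.0.5", 40000), ("192.0.2.10", 80)
TRACE: List[Pkt] = [
    Pkt(*CLIENT, *SERVER, "S"),    # 0 client SYN
    Pkt(*SERVER, *CLIENT, "R"),    # 1 forged RST before any reply from the server
    Pkt(*SERVER, *CLIENT, "SA"),   # 2 real SYN-ACK
    Pkt(*CLIENT, *SERVER, "A"),    # 3 handshake completes
    Pkt("192.0.2.10", 443, "10.0.0.5", 40001, "R"),  # 4 RST for a flow never seen
    Pkt(*SERVER, *CLIENT, "R"),    # 5 legitimate RST after two-way traffic
]


def run_trace(prohibit: bool) -> List[str]:
    """Return the allow/drop verdict for each packet in TRACE."""
    fw = StatefulFilter(prohibit)
    return [fw.process(p) for p in TRACE]


if __name__ == "__main__":
    for mode in (True, False):
        print(f"prohibit_rst_replay={mode}:", run_trace(mode))
```

With the check on, packet 1 is dropped and the handshake in packets 2 and 3 completes; with it off, the same forged RST is forwarded, the session is removed, and the real SYN-ACK and ACK are then dropped as packets for an unknown flow. The model also shows why the option is not free: every packet is matched against session state before being forwarded, which is the processing delay mentioned above. Note that nothing here blacklists the sender of the dropped RST; the packet is simply not honoured.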

Regular Contributor I
Posts: 173
Registered: ‎10-22-2010

Re: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

Thank you CJ. Because "Prohibit RST Replay Attack" is turned on, if a client sends too many TCP RSTs, will the client get blacklisted?

References:

http://en.wikipedia.org/wiki/TCP_reset_attack

http://stackoverflow.com/questions/251243/what-causes-a-tcp-ip-reset-rst-flag-to-be-sent

Guru Elite
Posts: 20,799
Registered: ‎03-29-2007

Re: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

yogenpartha wrote:

Thank you CJ. Because "Prohibit RST Replay Attack" is turned on, if a client sends too many TCP RSTs, will the client get blacklisted?

References:

http://en.wikipedia.org/wiki/TCP_reset_attack

http://stackoverflow.com/questions/251243/what-causes-a-tcp-ip-reset-rst-flag-to-be-sent

No, just turn it off, though. There is no reason to have it on.



Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Regular Contributor I
Posts: 173
Registered: ‎10-22-2010

Re: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

As per the internal security audit, the customer wants to enable these settings and wants to understand how it's going to impact their normal users.

Guru Elite
Posts: 20,799
Registered: ‎03-29-2007

Re: Suggestions on "Prohibit RST Replay Attack" "Disable FTP server" and "Session Idle Timeout"

The security audit team should contact support to advise them on this.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base
