Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Vulnerability scanners

  • 1.  Vulnerability scanners

    Posted Mar 10, 2016 07:06 PM

    Hello Everyone!

    We have a client who had a vulnerability test done, and the results were:

    23/tcp - telnet
    Unencrypted Telnet Server

    0/tcp - general
    IP Forwarding Enabled

    53/udp - dns
    DNS Server Cache Snooping Remote Information Disclosure

    I do understand that port 23 (telnet) is on by default, as far as I can read in the Aruba hardening guide, but it will close the connection.

    Is there any way to disable it? I know there is a checkbox to enable it, but as far as I remember it is not on... I guess when you enable it, it won't close the connections?? Anyway, I would like to know how to close it completely.

    For the DNS Server Cache Snooping Remote Information Disclosure:

    As I read in the hardening guide, it says:

    "ArubaOS includes a "DNS responder" that listens on UDP port 53. Any query sent to this responder will result in a response that contains the controller's IP address. Vulnerability scanners may report that this service responds to recursive queries, that it allows cache snooping, or that it enables traffic amplification attacks. It is important to note that this service is not an actual DNS server, and these warnings may be safely ignored."

    So I guess I don't have to worry about that...

    Now, "IP Forwarding Enabled": what does this actually mean? I'm not sure what action to take here.

    Any ideas?

    This was only found on the Guest SSIDs; the other one (the corporate SSID) had no issue.

     

    Cheers

    Carlos



  • 2.  RE: Vulnerability scanners

    Posted Mar 10, 2016 07:23 PM

    Telnet can be enabled under Management > General. I set up a Telnet packet capture and see a SYN from my laptop and no response (SYN/ACK) from the controller. If that's the case, I'm not sure I understand how your vulnerability scanner would show the port as open.

    As you stated, you shouldn't have to worry about the DNS responder. It's needed for the captive portal on your guest network.

     

    Regarding IP forwarding, do you have a default gateway on the controller for guest traffic?



  • 3.  RE: Vulnerability scanners

    Posted Mar 10, 2016 08:00 PM

    Well, the captive portal is a VLAN that only exists on the controller, so it is the default gateway of the Guest VLAN... I'm NATing everything with the controller's IP address for guest.

    Hey Collin, that's where I got the information I pasted there... But it still doesn't answer the IP forwarding one :(

     

    Cheers

    Carlos



  • 4.  RE: Vulnerability scanners

    EMPLOYEE
    Posted Mar 10, 2016 08:13 PM

    Any port that shows up on a scanner can be blocked using an ACL if the controller is configured correctly.

     

    I will paste in a comment from one of our security guys - "I think it would be odd if the controller did NOT do IP forwarding... That rule is designed to detect hosts that are forwarding IP. It is not designed for networking boxes, which are supposed to do IP forwarding."

     

    In other words, any automated scan requires understanding of the tests, as well as the configuration of the device being tested to see if there is a genuine issue, a configuration issue or something that needs to be explained further.
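    A small re-check of the scanner's claims, added here as an example (it is not Aruba code and not something from the thread). It assumes nothing about ArubaOS beyond what the hardening guide quoted above says: the DNS responder on UDP 53 answers every name with the controller's own address. The controller IP, the names queried and the sample reply are all constructed for illustration. `classify_tcp_port` reproduces the SYN/no-reply observation from post 2 as open/closed/filtered; `build_dns_response` fabricates the kind of reply the responder is described as giving, so the parser can be exercised offline; `probe_dns_responder` does the same thing live.

```python
"""Re-check the three scanner findings (added example, not ArubaOS code).

Assumptions: CONTROLLER_IP is a hypothetical guest-VLAN address; the
responder behaviour is taken from the hardening guide quote in the thread.
"""
import random
import socket
import struct

CONTROLLER_IP = "10.0.0.1"  # hypothetical value for illustration


def classify_tcp_port(host, port, timeout=2.0):
    """'open' (SYN/ACK), 'closed' (RST) or 'filtered' (no answer at all).

    A port that never answers the SYN cannot have sent a telnet banner;
    a scanner calling it an 'Unencrypted Telnet Server' is guessing.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes socket.timeout
        return "filtered"
    finally:
        s.close()


def build_dns_query(name, qid=None, recursion_desired=True):
    """Encode one A query in RFC 1035 wire format."""
    if qid is None:
        qid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", qid, 0x0100 if recursion_desired else 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def build_dns_response(query, ip, ra=True):
    """Constructed reply of the kind the responder is described as giving:
    echo the question and answer with a single A record pointing at `ip`."""
    qid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | (0x0080 if ra else 0)          # QR set, RA optional
    header = struct.pack("!HHHHHH", qid, flags, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                    # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_dns_response(data):
    """Return id, RA/AA flags, rcode and the A answers of a DNS reply."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(data, off)
        off += 4                                     # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.append((name, socket.inet_ntoa(data[off:off + 4])))
        off += rdlen
    return {"id": qid, "rcode": flags & 0xF, "ra": bool(flags & 0x0080),
            "aa": bool(flags & 0x0400), "answers": answers}


def looks_like_captive_portal_responder(responses, controller_ip):
    """True when every answer, whatever name was asked, is the controller.

    That matches the hardening guide's description; a real recursive
    resolver would hand back different addresses for different names.
    """
    seen = [ip for r in responses for _name, ip in r["answers"]]
    return bool(seen) and all(ip == controller_ip for ip in seen)


def probe_dns_responder(controller_ip, names=("example.com", "nope.invalid"), timeout=2.0):
    """Live check: one query per name against UDP 53 on the controller."""
    out = []
    for name in names:
        q = build_dns_query(name)
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.settimeout(timeout)
        try:
            s.sendto(q, (controller_ip, 53))
            data, _ = s.recvfrom(512)
            r = parse_dns_response(data)
            if r["id"] == struct.unpack("!H", q[:2])[0]:
                out.append(r)
        except OSError:
            pass
        finally:
            s.close()
    return out
```

Run `classify_tcp_port(CONTROLLER_IP, 23)` from the guest VLAN: "filtered" is the no-SYN/ACK case from post 2, and "open" means something really does answer. `looks_like_captive_portal_responder(probe_dns_responder(CONTROLLER_IP), CONTROLLER_IP)` returning True is the evidence to hand the scanner's owner for the cache-snooping finding. The IP-forwarding finding needs no probe; a device that is the guest VLAN's default gateway forwards IP by definition.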






  • 5.  RE: Vulnerability scanners

    Posted Mar 11, 2016 12:34 AM

    Thank you for the answer, guys, really helpful!

     

    Cheers

    Carlos



  • 6.  RE: Vulnerability scanners

    Posted Mar 11, 2016 12:43 AM
    NP, Carlos.

    I've often had to fight security because out-of-the-box vulnerability scans
    aren't always accurate or don't represent real threats. In this case, you can
    argue that none of the findings above are concerns.


  • 7.  RE: Vulnerability scanners

    Posted Mar 10, 2016 08:13 PM
    The scanner has detected that your guest SSID can route traffic. Just as you said, the controller is the DG for guest. See nmap's description of this:
    https://nmap.org/nsedoc/scripts/ip-forwarding.html


  • 8.  RE: Vulnerability scanners

    EMPLOYEE
    Posted Mar 10, 2016 07:56 PM

    @NightShade1 wrote: (quotes the original post above)


    Please see open ports, explanations and how to block them here:  http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/37095/2/ArubaOS_Hardening_Guide_10302015.pdf