Wireless Access

last person joined: 5 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

Disable FTP on Aruba Controller

This thread has been viewed 22 times
  • 1.  Disable FTP on Aruba Controller

    Posted 16 days ago
    Hello Guys,

    In fact we have Darktrace installed on our network, and it blocked FTP connections on our controller. Why does Aruba Controller have FTP enabled and connection to it ?

    For auditing security measures, either it should be configured as SFTP or it should be disabled. What are the impacts if same is disabled on the controller ?

    Does access points also have FTP enabled ?

    Thanks

    ------------------------------
    Keshav Boodhun
    ------------------------------


  • 2.  RE: Disable FTP on Aruba Controller

    Posted 16 days ago

    FTP is used for by the APs to download software from the controllers.

    If you have CPSEC enabled, it isn't used. 

    *If you have brand new, never used 100 or 200 series APs, they need FTP. They don't come with a default OS on them, so they use FTP to get that initial OS Image, then will fall back to IPSEC when CSPEC is enabled



    ------------------------------
    Chris Wickline | ACCA |
    ------------------------------



  • 3.  RE: Disable FTP on Aruba Controller

    Posted 15 days ago
    The Aruba Controller uses FTP for software downloads to the AP.  Please see more in the ArubaOS  Hardening Guide here:  https://higherlogicdownload.s3-external-1.amazonaws.com/HPE/d9518fcc-d8f1-440b-8f5d-68522d3be364_file.pdf?AWSAccessKeyId=AKIAVRDO7IEREB57R7MT&Expires=1633695993&Signature=0giKJw6SvoJgNZRaV%2FgcMFHdT0I%3D  (not sure how long this link will be available)


    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 4.  RE: Disable FTP on Aruba Controller

    Posted 15 days ago
    I would not be so confident about that statement, from personal experience.

    As added interest, the FTP server used has some known vulnerabilities (at least in v8.6 possibly later), hence we went through this same cycle.

    Not just FTP is exposed to users, all the management protocols are open to end users by default.

    The easiest solution is to use PEF to block users from SSH/HTTPS/FTP to the controller addresses, however that doesn't protect the controllers from wired attack.  There are various OFFICIAL controller hardening documents and articles, which say the same as the post above about various ports which are open, i.e. this is not used if CPSEC is in operation...  These guides all seem to use firewall cp as that protects the control plane, which makes sense. Since then TAC have said both that users should not change firewall cp and that firewall cp is fine to use.  

    We not only followed the articles, but also had our proposed actions verified with Aruba TAC before we started,  the result was that even with CPSEC in use, it dropped all our APs on our production system.  We have had a ticket open for four months with Aruba who are trying to get our controllers back to a state somewhere similar to their proper configuration before we can even try again to harden them. 

    If I don't sound very impressed, you are correct.  It seems Aruba are shipping software with known vulnerabilities and no documented, reliable way to harden them against attack while to make things worse, the TAC are a bit hazy how it all works and the software does not behave consistently even if the same configuration commands are executed against multiple controllers..

    Go ahead, but work in a maintenance window if you can, backup your configs, test everything and have active support with Aruba so at least you have someone to aks for help.

    ------------------------------
    David Rickard
    ------------------------------