Wireless Access


Guest Network - nmap show open ports to controller

  • 1.  Guest Network - nmap show open ports to controller

    Posted Dec 01, 2020 02:35 PM
    We are in the process of setting up a guest network and I am running nmap scans across it to ensure we are blocking traffic to other networks and certain known ports that are highly susceptible to vulnerabilities (SMB, RDP, etc.).
    In doing so I can see there are several open ports to the IP address assigned to the controller on that subnet.

    Here are the open ports:
    17/tcp
    21/tcp
    22/tcp
    80/tcp
    443/tcp
    1723/tcp
    4343/tcp
    8080/tcp
    8081/tcp
    8082/tcp
    8088/tcp

    Should I deny all access to the controller on the Guest network?

    Should I selectively block some ports/services and not others?

    Should some of the services listed above be turned off in the controller's configuration? What commands do it?

    ------------------------------
    Thanks,
    Job
    ------------------------------


  • 2.  RE: Guest Network - nmap show open ports to controller

    EMPLOYEE
    Posted Dec 02, 2020 04:13 AM
    Please refer to the ArubaOS Hardening Guide. Chapter 5 (Typical Vulnerability Scan Results) has the list of open ports that you report and what to do with them.

    In general, you should block any port that you don't need to minimize the attack surface, and you can do that with user-roles for your guest users.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC.
    ------------------------------



  • 3.  RE: Guest Network - nmap show open ports to controller

    Posted Dec 02, 2020 11:00 AM
    Thanks for the link, Herman. That has the information I was looking for.

    ------------------------------
    Job Cacka
    ------------------------------



  • 4.  RE: Guest Network - nmap show open ports to controller

    Posted Dec 02, 2020 01:56 PM
    After reviewing the above document I added a security rule to the User Role associated with the guest network. It simply denies any traffic to the controller IP address on that Guest SSID/subnet.

    Clients are still able to go to the Web but are unable to detect open ports on the controller using nmap.

    ------------------------------
    Thanks,
    Job Cacka
    ------------------------------
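
The before/after nmap comparison described in this thread can be made a repeatable check. The following is an added example, not part of any post: it parses nmap's grepable output (`-oG`) and reports which of the ports listed in the first post are still open on the controller. The address 192.0.2.1 and the sample scan lines are constructed placeholders.

```python
import re

# Ports the original poster reported open on the controller's guest-subnet IP.
BASELINE = {17, 21, 22, 80, 443, 1723, 4343, 8080, 8081, 8082, 8088}

def parse_grepable(text):
    """Map host -> {tcp_port: state} from nmap grepable (-oG) output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue  # skip '# Nmap ...' comment lines
        ports = hosts.setdefault(line.split()[1], {})
        field = re.search(r"Ports: ([^\t]*)", line)
        if not field:
            continue  # e.g. a 'Status: Up' line with no port data
        for entry in field.group(1).split(","):
            parts = entry.strip().split("/")
            # entry layout: port/state/protocol/owner/service/rpc/version/
            if len(parts) >= 3 and parts[0].isdigit() and parts[2] == "tcp":
                ports[int(parts[0])] = parts[1]
    return hosts

def still_open(text, controller_ip, baseline=BASELINE):
    """Baseline ports still 'open'; None if the controller is absent from the scan."""
    hosts = parse_grepable(text)
    if controller_ip not in hosts:
        return None  # inconclusive: host was never scanned or discovery failed
    return sorted(p for p in baseline if hosts[controller_ip].get(p) == "open")

# Constructed sample output; 192.0.2.1 is a placeholder controller address.
BEFORE = (
    "# Nmap scan (constructed sample)\n"
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, "
    "4343/open/tcp//unknown///, 3389/closed/tcp//ms-wbt-server///\n"
)
AFTER = (
    "Host: 192.0.2.1 ()\tStatus: Up\n"
    "Host: 192.0.2.1 ()\tPorts: 22/filtered/tcp//ssh///, "
    "443/filtered/tcp//https///, 4343/filtered/tcp//unknown///\n"
)

if __name__ == "__main__":
    print("before:", still_open(BEFORE, "192.0.2.1"))
    print("after: ", still_open(AFTER, "192.0.2.1"))
    print("other: ", still_open(AFTER, "192.0.2.99"))
```

An empty list means none of the baseline ports answered as open; `None` means the controller never appeared in the output, so the scan proves nothing either way.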