Requirement: Limit SSH access to the controller's IP interfaces.
SSH access to an Aruba controller requires valid credentials (a username and password). However, an attacker can script repeated SSH login attempts, cycling through username/password pairs. To reduce this exposure, SSH access to the controller can be limited to a small set of trusted subnets or hosts; this complements strong credentials rather than replacing them.
Solution:
The Service ACL, also known as the control-plane firewall (firewall-cp), is used for this. The default configuration is shown below. Protocol numbers are IANA values (6 = TCP, 17 = UDP), so the two default rows permit UDP 1900 and UDP 5999 from any source; an empty Source Mask column means the rule matches any source.
#show firewall-cp
CP firewall policies
--------------------
IP Version Source IP  Source Mask     Protocol Start Port End Port Permit/Deny hits contract
---------- ---------- --------------- -------- ---------- -------- ----------- ---- --------
ipv4       any                        17       1900       1900     Permit      0
ipv4       any                        17       5999       5999     Permit      0
With a Service ACL we restrict traffic destined to the controller itself (control-plane traffic), as opposed to traffic the controller forwards. The policy applies to every IP interface on the controller, so one rule set covers all of its management addresses. Rules are evaluated in the order listed and the first match wins (the hit counters in the verification below reflect this: the host permit placed before the deny absorbs the permitted host's packets), so the permit for the trusted host must be entered before the deny for everyone else. Apply the change from a host that stays permitted, or from the console, so that the session you are configuring from is not cut off.
Configuration:
Here we restrict SSH access to the controller to a single management host with IP address 10.1.1.100. The permit is entered first, then the deny for all other sources:
(config) #firewall cp
(config-fw-cp) #ipv4 permit host 10.1.1.100 proto ssh
(config-fw-cp) #ipv4 deny any proto ssh
The resulting Service ACL:
(Aruba3600) (config-fw-cp) #show firewall-cp
CP firewall policies
--------------------
IP Version Source IP  Source Mask     Protocol Start Port End Port Permit/Deny hits contract
---------- ---------- --------------- -------- ---------- -------- ----------- ---- --------
ipv4       any                        17       1900       1900     Permit      0
ipv4       any                        17       5999       5999     Permit      0
ipv4       10.1.1.100 255.255.255.255 6        22         22       Permit      0
ipv4       any                        6        22         22       Deny        0
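Before committing a firewall-cp change, it is worth checking the intended rule list offline. The following is an added example, not code from the original page or from Aruba: it parses the data rows of a captured `show firewall-cp` table and applies first-match evaluation to decide whether a given source IP is permitted or denied on a given port, then reports any management host that the policy would lock out. The first capture is the page's own table; the misordered and subnet captures are constructed for this example. What the controller does with traffic that matches no row is not shown on the page, so the model reports that case as "NoMatch" rather than assuming a default.

```python
"""Offline model of an ArubaOS control-plane ACL (firewall-cp).

Added example, not code from the original page or from Aruba. Assumption,
consistent with the hit counters on the page: rules are evaluated top-down
and the first matching row wins. Traffic matching no row is reported as
"NoMatch" because the page does not show the controller's default for it.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Captured on the page (counters from the final `show firewall-cp`).
CAPTURE_OK = """\
CP firewall policies
--------------------
IP Version Source IP  Source Mask     Protocol Start Port End Port Permit/Deny hits contract
---------- ---------- --------------- -------- ---------- -------- ----------- ---- --------
ipv4       any                        17       1900       1900     Permit      0
ipv4       any                        17       5999       5999     Permit      0
ipv4       10.1.1.100 255.255.255.255 6        22         22       Permit      27
ipv4       any                        6        22         22       Deny        7
"""

# Constructed for this example: the same two SSH rules entered in the wrong
# order, so the `deny any` row shadows the host permit.
CAPTURE_MISORDERED = """\
ipv4       any                        6        22         22       Deny        0
ipv4       10.1.1.100 255.255.255.255 6        22         22       Permit      0
"""

# Constructed for this example: a subnet permit, to show mask handling.
CAPTURE_SUBNET = """\
ipv4       10.1.1.0   255.255.255.0   6        22         22       Permit      0
ipv4       any                        6        22         22       Deny        0
"""


@dataclass
class CpRule:
    src: ipaddress.IPv4Network  # "any" is modelled as 0.0.0.0/0
    proto: int                  # IANA protocol number: 6 = TCP, 17 = UDP
    start_port: int
    end_port: int
    action: str                 # "Permit" or "Deny"


def parse_firewall_cp(text: str) -> list[CpRule]:
    """Parse the ipv4 rows of `show firewall-cp` output, in display order."""
    rules: list[CpRule] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "ipv4":
            continue  # banner, header and separator lines
        # Row layout: ipv4 <src> [<mask>] <proto> <start> <end> <action> <hits> [<contract>]
        # The mask column is blank for "any", so anchor on the action token
        # rather than assuming a fixed number of columns.
        act = next(i for i, p in enumerate(parts) if p in ("Permit", "Deny"))
        proto, start, end = (int(x) for x in parts[act - 3:act])
        src_tokens = parts[1:act - 3]
        if src_tokens == ["any"]:
            src = ipaddress.IPv4Network("0.0.0.0/0")
        else:
            src = ipaddress.IPv4Network(f"{src_tokens[0]}/{src_tokens[1]}", strict=False)
        rules.append(CpRule(src, proto, start, end, parts[act]))
    return rules


def evaluate(rules: list[CpRule], src_ip: str, proto: int, dport: int) -> str:
    """First-match lookup: "Permit", "Deny", or "NoMatch" if no row applies."""
    ip = ipaddress.IPv4Address(src_ip)
    for r in rules:
        if ip in r.src and r.proto == proto and r.start_port <= dport <= r.end_port:
            return r.action
    return "NoMatch"


def lockout_risk(rules: list[CpRule], mgmt_hosts: list[str], dport: int = 22) -> list[str]:
    """Management hosts that an explicit row would deny SSH (TCP/dport) to.

    Run this against the intended rule list before committing a `firewall cp`
    change from an SSH session: if the host you are typing from is listed,
    the change will cut that session off.
    """
    return [h for h in mgmt_hosts if evaluate(rules, h, 6, dport) == "Deny"]


if __name__ == "__main__":
    ok = parse_firewall_cp(CAPTURE_OK)
    print("10.1.1.100 -> ssh:", evaluate(ok, "10.1.1.100", 6, 22))  # Permit
    print("10.1.1.247 -> ssh:", evaluate(ok, "10.1.1.247", 6, 22))  # Deny
    print("misordered lockout:",
          lockout_risk(parse_firewall_cp(CAPTURE_MISORDERED), ["10.1.1.100"]))  # ['10.1.1.100']
```

The parser anchors on the Permit/Deny token because the Source Mask column is empty for `any` rows, which makes a fixed column split unreliable. Feed `lockout_risk` the list of hosts you manage from; an empty result for the rule order you intend to enter is the check to make before typing the `deny any` line.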
Verification:
1. An SSH attempt from any other IP is blocked by the Service ACL. Below, a session is initiated from 10.1.1.247; the datapath session entry carries the D (deny) flag and shows 0 packets forwarded:
(config-fw-cp) #show datapath session table 10.1.1.247
Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
10.1.1.247      10.1.1.5        6    36013 22    0/0   0    0   0   1/0         2    0         0         FDYC
2. The hit counter on the deny rule increments as well:
(config-fw-cp) #show firewall-cp
CP firewall policies
--------------------
IP Version Source IP  Source Mask     Protocol Start Port End Port Permit/Deny hits contract
---------- ---------- --------------- -------- ---------- -------- ----------- ---- --------
ipv4       any                        17       1900       1900     Permit      0
ipv4       any                        17       5999       5999     Permit      0
ipv4       10.1.1.100 255.255.255.255 6        22         22       Permit      0
ipv4       any                        6        22         22       Deny        6
3. A session from the permitted host 10.1.1.100 no longer carries the D flag, and a return-direction entry (from 10.1.1.5 to 10.1.1.100) with non-zero packet counts shows the SSH session is established in both directions:
(Aruba3600) (config-fw-cp) #show datapath session table 10.1.1.100
Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
10.1.1.100      10.1.1.5        6    48671 22    0/0   0    0   1   1/0         9    12        1244      C
10.1.1.5        10.1.1.100      6    22    48671 0/0   0    4   1   1/0         9    10        1640
4. The permit rule's hit counter increments for the allowed host:
(config-fw-cp) #show firewall-cp
CP firewall policies
--------------------
IP Version Source IP  Source Mask     Protocol Start Port End Port Permit/Deny hits contract
---------- ---------- --------------- -------- ---------- -------- ----------- ---- --------
ipv4       any                        17       1900       1900     Permit      0
ipv4       any                        17       5999       5999     Permit      0
ipv4       10.1.1.100 255.255.255.255 6        22         22       Permit      27
ipv4       any                        6        22         22       Deny        7
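The verification steps above read the D flag and the per-rule counters by eye. For a controller that is being probed, the same check is easier to run over a captured session table. The following is an added example, not code from the original page or from Aruba: it parses `show datapath session table` rows in the layout shown above (Flags is the optional last column) and summarizes, per source IP, how many SSH sessions toward the controller were denied by the control-plane firewall versus accepted. The sample capture reuses the three rows from the page plus one constructed extra denied attempt from 10.1.1.247; 10.1.1.5 is assumed to be the controller IP, as on the page.

```python
"""Summarize SSH attempts against the controller from `show datapath session table`.

Added example, not code from the original page or from Aruba. Assumptions:
10.1.1.5 is the controller IP (as on the page) and the D flag in the Flags
column marks a session denied by the control-plane firewall, which is what
the page's own verification step relies on.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed capture: the three rows shown on the page plus a second,
# constructed denied attempt from 10.1.1.247 to show aggregation.
CAPTURE = """\
Source IP       Destination IP  Prot SPort DPort Cntr  Prio ToS Age Destination TAge Packets   Bytes     Flags
--------------- --------------- ---- ----- ----- ----- ---- --- --- ----------- ---- --------- --------- ---------------
10.1.1.247      10.1.1.5        6    36013 22    0/0   0    0   0   1/0         2    0         0         FDYC
10.1.1.247      10.1.1.5        6    36020 22    0/0   0    0   0   1/0         1    0         0         FDYC
10.1.1.100      10.1.1.5        6    48671 22    0/0   0    0   1   1/0         9    12        1244      C
10.1.1.5        10.1.1.100      6    22    48671 0/0   0    4   1   1/0         9    10        1640
"""


@dataclass
class Session:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    flags: str


def parse_session_table(text: str) -> list[Session]:
    """Parse data rows; header, separator and blank lines are skipped."""
    sessions: list[Session] = []
    for line in text.splitlines():
        p = line.split()
        # Data rows start with a dotted-quad and have 13 columns, or 14 when
        # the Flags column is populated (it is empty on the return-direction row).
        if len(p) < 13 or p[0].count(".") != 3 or not p[0][0].isdigit():
            continue
        sessions.append(Session(src=p[0], dst=p[1], proto=int(p[2]), sport=int(p[3]),
                                dport=int(p[4]), packets=int(p[11]),
                                flags=p[13] if len(p) > 13 else ""))
    return sessions


def ssh_attempts(text: str, controller_ip: str, ssh_port: int = 22) -> dict[str, dict[str, int]]:
    """Per-source counts of SSH sessions toward the controller.

    Only rows whose destination is the controller are counted, so the
    return-direction row (controller -> client, source port 22) is not
    double counted. A row is "denied" when its flags contain D.
    """
    summary: dict[str, dict[str, int]] = {}
    for s in parse_session_table(text):
        if s.dst != controller_ip or s.proto != 6 or s.dport != ssh_port:
            continue
        bucket = summary.setdefault(s.src, {"denied": 0, "accepted": 0})
        bucket["denied" if "D" in s.flags else "accepted"] += 1
    return summary


def denied_sources(text: str, controller_ip: str, threshold: int = 1) -> list[str]:
    """Sources with at least `threshold` denied SSH sessions, sorted."""
    return sorted(src for src, c in ssh_attempts(text, controller_ip).items()
                  if c["denied"] >= threshold)


if __name__ == "__main__":
    for src, counts in ssh_attempts(CAPTURE, "10.1.1.5").items():
        print(f"{src:<15} denied={counts['denied']} accepted={counts['accepted']}")
    print("denied sources:", denied_sources(CAPTURE, "10.1.1.5"))  # ['10.1.1.247']
```

Raise `threshold` to separate a single mistyped connection from a source that keeps hitting the deny rule; a source that appears with many denied rows and none accepted is the scripted-login pattern the Service ACL is there to absorb.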