Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

DNS tunnelling through Guest portal

  • 1.  DNS tunnelling through Guest portal

    Posted Apr 22, 2014 06:25 AM

    Hi,

     

    I've just installed a new Aruba system and have found I can DNS tunnel out of the captive portal and get web access without authenticating. Is there a way to block this?

     

    thanks.

     



  • 2.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 06:27 AM

    Edit your guest-logon (or pre-captive role) to block any DNS traffic, except to the allowed servers.



  • 3.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 06:38 AM

    I'm tunnelling it via the allowed server to the external proxy, so sadly I don't think that will help.

     



  • 4.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 06:50 AM

    ?! To the allowed server? Please explain: why have your guests got access to your allowed server before captive? Block it.



  • 5.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:00 AM

    Yes, but I assumed the clients will require DNS so it can redirect to the captive portal via its registered name?

    Allowed server = internal DNS server; that was a bit unclear.

     



  • 6.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:01 AM

    Try to use an IP address (not a name) for the captive.



  • 7.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:06 AM

    That will break the SSL cert though. We don't want an untrusted site warning coming up for every guest.

     



  • 8.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:07 AM

    Is it a username/password captive portal, or an e-mail guest login? (In order not to see the cert error, you can choose to use an IP address and normal HTTP under the L3 captive portal profile.)



  • 9.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:12 AM

    It's the sponsored guest registration page.

    I'm only just learning the Aruba layout, coming from a Cisco WLC background, so my terminology might be a bit off.

     

    https://servername/guest/guest_registration

     

    It also allows you to sign in if you already have an account, so I'm not happy with turning encryption off really.

     

    thanks again.

     



  • 10.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:15 AM

    Are you using the built-in captive portal on the controller, or are you using the ClearPass Guest login page?



  • 11.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:21 AM

    It's via ClearPass.

     



  • 12.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:22 AM

    I am using ClearPass with an IP address and not a name...

    Regarding your issue, please wait until someone else in AirHeads replies to you.



  • 13.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 07:28 AM

    Thanks.

    We drill into all our users not to use anything with a certificate warning, so to keep it encrypted we really need to do the name redirect.

     



  • 14.  RE: DNS tunnelling through Guest portal

    EMPLOYEE
    Posted Apr 22, 2014 09:36 AM

    albertay,

     

    You would need a DNS server that specifically detects and blocks this threat.



  • 15.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 09:51 AM

    Does such a product exist?



  • 16.  RE: DNS tunnelling through Guest portal

    EMPLOYEE
    Posted Apr 22, 2014 09:55 AM

    Infoblox says they can do it here:  https://community.infoblox.com/blogs/2014/02/13/dns-tunneling-infoblox-advanced-dns-protection-and-dns-firewall-can-help-stop-data

     

    This is not an endorsement for Infoblox, but they say they can stop it.

     

     

    EDIT:  The only thing you can do on the Aruba side is to allow traffic to your own DNS servers, and then blacklist any user who sends DNS to any other server...

     



  • 17.  RE: DNS tunnelling through Guest portal

    Posted Apr 22, 2014 10:07 AM

    Quite an expensive solution for the problem, sadly.

    It's quite an annoying little hole in the whole setup.

     



  • 18.  RE: DNS tunnelling through Guest portal

    Posted Apr 23, 2014 07:26 PM

    Your firewall may have DNS analysis built in. The Cisco ASA line stops some forms of DNS tunneling.

    Our old Watchguard also did. Check with your firewall team.



  • 19.  RE: DNS tunnelling through Guest portal

    Posted Nov 17, 2016 07:03 PM

    Your firewall may have DNS analysis built in. The Cisco ASA line stops some forms of DNS tunneling.

    Our old Watchguard also did. Check with your firewall team.



  • 20.  RE: DNS tunnelling through Guest portal

    Posted Nov 18, 2016 05:21 AM

    Thanks for the response, but as stated in my original post the Watchguard does not do this (I'm the firewall team). Watchguard used to support it a long time back, but for some reason removed it from their portfolio. I have this information direct from Watchguard TAC.

     



  • 21.  RE: DNS tunnelling through Guest portal

    Posted Oct 29, 2014 08:52 AM

    I've checked with Watchguard and they don't provide anything that will stop DNS tunneling currently. Oddly, on an older release on a less powerful platform there was something that could be enabled on the CLI.



  • 22.  RE: DNS tunnelling through Guest portal

    Posted Apr 24, 2014 01:45 AM
    I wouldn't turn encryption off, ever, unless I really have to. When you say tunnel and get web access I don't understand, but in your AAA section in your controller configuration for your guest profile you should reference an initial role. That initial role should be configured so that you can only access the captive portal. The initial role should have your captive portal profile applied to it. The captive portal profile is configured under layer 3 authentication.

    My guess, from what you have said, is that you have allowed HTTP access everywhere on your initial role (like your unauthenticated role). Hence the HTTP redirection is not happening to the captive portal. If your ACL allows HTTP access, your captive portal redirection will not work.

    Only allow HTTP access to your captive portal! Keep DNS so you can do your cert validation!

    I might be talking nonsense though!


  • 23.  RE: DNS tunnelling through Guest portal

    Posted May 06, 2014 07:20 AM

    F5 DNS is also able to detect and block DNS tunneling. Perhaps you have something else around (some examples were mentioned before) that can help.

     

    It is a hole, but I do wonder how many people will actually use it.
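
Several replies point to detecting tunnelling at the DNS server that pre-authentication guests are allowed to query. The sketch below is an added example, not part of the thread and not any vendor's method: it flags clients that send many distinct, long, high-entropy subdomains under one base domain. The log layout, thresholds, addresses and function names are assumptions, and the sample queries are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    """Bits per character of the character distribution in text."""
    counts, n = Counter(text), len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname, base_labels=2):
    """Split a query name into (subdomain part, base domain).
    Assumption: the base domain is the last two labels; a production
    check would use the Public Suffix List instead."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-base_labels]), ".".join(labels[-base_labels:])

def find_tunnel_suspects(queries, min_unique=20, min_avg_len=30, min_entropy=3.5):
    """Flag (client, base domain) pairs with many distinct, long,
    high-entropy subdomains. Thresholds are illustrative, not tuned."""
    seen = defaultdict(set)
    for client, qname in queries:
        sub, base = split_name(qname)
        if sub:
            seen[(client, base)].add(sub)
    suspects = []
    for (client, base), subs in seen.items():
        avg_len = sum(len(s) for s in subs) / len(subs)
        entropy = shannon_entropy("".join(subs).replace(".", ""))
        if len(subs) >= min_unique and avg_len >= min_avg_len and entropy >= min_entropy:
            suspects.append((client, base, len(subs), avg_len, round(entropy, 2)))
    return sorted(suspects)

def build_sample():
    """Constructed query log: (client IP, query name) pairs as a resolver
    might record them for clients in the pre-authentication role."""
    log = [("10.1.1.20", n) for n in
           ("portal.guest.example", "www.example.com", "time.example.net")]
    # Constructed stand-in for encoded payload labels under one domain.
    for i in range(40):
        label = hashlib.sha256(str(i).encode()).hexdigest()[:48]
        log.append(("10.1.1.77", f"{label}.t.example.net"))
    return log

if __name__ == "__main__":
    for row in find_tunnel_suspects(build_sample()):
        print(row)
```

A client flagged this way is a candidate for the blacklist action mentioned in the thread; ordinary guests who only resolve the portal name and a few sites stay well under the thresholds.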