Wireless Access

Hi,

I have a number of 7005 controllers on a vMM using 8.6. My vulnerability scanner says it's vulnerable to QOTD scans. I wrote a policy rule at the top of the vMM tree to block TCP port 17. That should do it.

But it doesn't seem to ... the vulnerability remains. I use "localIP" destinations, that are supposed to mean "all IPs on this controller". I added a new one that uses a destination of the network range for the controllers (a /16).

What should a good rule look like to filter the QOTD (TCP & UDP port 17)? Is it OK to put at my first node (folder)? Does it need to be at the "Managed Network" level?

Thanks,

Ambi

------------------------------
Ambidexter
------------------------------

Please download the hardening guide here:  https://support.hpe.com/hpesc/public/docDisplay?docId=a00107216en_us and search for "17/TCP"

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Jun 16, 2022 04:38 PM
From: Lawrence Brandt
Subject: qotd filter for 7005 controllers with vMM?

Hi,

I have a number of 7005 controllers on a vMM using 8.6. My vulnerability scanner says it's vulnerable to QOTD scans. I wrote a policy rule at the top of the vMM tree to block TCP port 17. That should do it.

But it doesn't seem to ... the vulnerability remains. I use "localIP" destinations, that are supposed to mean "all IPs on this controller". I added a new one that uses a destination of the network range for the controllers (a /16).

What should a good rule look like to filter the QOTD (TCP & UDP port 17)? Is it OK to put at my first node (folder)? Does it need to be at the "Managed Network" level?

Thanks,

Ambi

------------------------------
Ambidexter
------------------------------

Hi,

If I get on my vMM, and go to a site's controller, and do Configuration--> Services --> Firewall --> ACL Whitelist --> add an entry -->

ipv4 any proto 6 17 17 deny no contract

I get the following error message:

        "Error: Max CP firewall filter limit (97) reached"

If I delete the current allow for tcp 17 and create a new one for the deny, will that clear the issue? And what is the issue? I have AP, PEF, and RF Protect on this vMM with proper license counts to cover this change.

Thanks,

A

------------------------------
Ambidexter
------------------------------

Original Message:
Sent: Jun 16, 2022 09:55 PM
From: Colin Joseph
Subject: qotd filter for 7005 controllers with vMM?

Please download the hardening guide here:  https://support.hpe.com/hpesc/public/docDisplay?docId=a00107216en_us and search for "17/TCP"

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Jun 16, 2022 04:38 PM
From: Lawrence Brandt
Subject: qotd filter for 7005 controllers with vMM?

Hi,

I have a number of 7005 controllers on a vMM using 8.6. My vulnerability scanner says it's vulnerable to QOTD scans. I wrote a policy rule at the top of the vMM tree to block TCP port 17. That should do it.

But it doesn't seem to ... the vulnerability remains. I use "localIP" destinations, that are supposed to mean "all IPs on this controller". I added a new one that uses a destination of the network range for the controllers (a /16).

What should a good rule look like to filter the QOTD (TCP & UDP port 17)? Is it OK to put at my first node (folder)? Does it need to be at the "Managed Network" level?

Thanks,

Ambi

------------------------------
Ambidexter
------------------------------

The idea in the hardening documentation is not to block it, it is to indicate that it triggers false positives.

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card
------------------------------

Original Message:
Sent: Jun 20, 2022 01:19 PM
From: Lawrence Brandt
Subject: qotd filter for 7005 controllers with vMM?

Hi,

If I get on my vMM, and go to a site's controller, and do Configuration--> Services --> Firewall --> ACL Whitelist --> add an entry -->

ipv4 any proto 6 17 17 deny no contract

I get the following error message:

        "Error: Max CP firewall filter limit (97) reached"

If I delete the current allow for tcp 17 and create a new one for the deny, will that clear the issue? And what is the issue? I have AP, PEF, and RF Protect on this vMM with proper license counts to cover this change.

Thanks,

A

------------------------------
Ambidexter

Original Message:
Sent: Jun 16, 2022 09:55 PM
From: Colin Joseph
Subject: qotd filter for 7005 controllers with vMM?

Please download the hardening guide here:  https://support.hpe.com/hpesc/public/docDisplay?docId=a00107216en_us and search for "17/TCP"

------------------------------
Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

HPE Design and Deploy Guides: https://community.arubanetworks.com/support/migrated-knowledge-base?attachments=&communitykey=dcc83c62-1a3a-4dd8-94dc-92968ea6fff1&pageindex=0&pagesize=12&search=&sort=most_recent&viewtype=card

Original Message:
Sent: Jun 16, 2022 04:38 PM
From: Lawrence Brandt
Subject: qotd filter for 7005 controllers with vMM?

Hi,

I have a number of 7005 controllers on a vMM using 8.6. My vulnerability scanner says it's vulnerable to QOTD scans. I wrote a policy rule at the top of the vMM tree to block TCP port 17. That should do it.

But it doesn't seem to ... the vulnerability remains. I use "localIP" destinations, that are supposed to mean "all IPs on this controller". I added a new one that uses a destination of the network range for the controllers (a /16).

What should a good rule look like to filter the QOTD (TCP & UDP port 17)? Is it OK to put at my first node (folder)? Does it need to be at the "Managed Network" level?

Thanks,

Ambi

------------------------------
Ambidexter
------------------------------