Professional Documents
Culture Documents
Version 1.0
Technical Note
Change Log
The following table lists the revisions of this document:
Copyright Information
Copyright © 2019 Hewlett Packard Enterprise Development LP.
www.arubanetworks.com
3333 Scott Blvd
Santa Clara, CA 95054
Phone: 1-800-WIFI-LAN (+800-943-4526)
Fax 408.227.4550
Contents
Contents
Change Log ........................................................................................................................................... 2
Context—Security in Aruba SD-Branch............................................................. 5
Security Layers ..................................................................................................................................... 6
Introduction—Security Testing ......................................................................... 7
Security Testing and Accreditation ...................................................................................................... 7
Vulnerability Management Process ................................................................................................ 7
Bug Bounty Program ....................................................................................................................... 7
Locking Down Services ......................................................................................8
Cryptography ........................................................................................................................................ 8
HTTPS .............................................................................................................................................. 8
SSH .................................................................................................................................................. 9
IPSec ................................................................................................................................................... 10
Diffie-Hellman .................................................................................................................................... 11
Authenticated NTP ............................................................................................................................. 11
SNMP .................................................................................................................................................. 12
External Syslog ................................................................................................................................... 13
RADIUS Secrets ................................................................................................................................... 14
Control Path Defense ......................................................................................................................... 14
Locking Down Administrative Access ............................................................. 15
Console Port and Password Recovery ................................................................................................ 15
Control Plane Protection .................................................................................................................... 16
Centralized Authentication and Authorization .................................................................................. 17
Locking Down Network Access ....................................................................... 18
WAN interface protection .................................................................................................................. 18
WAN Protect ACL .......................................................................................................................... 18
Geolocation and reputation filtering ............................................................................................ 22
LAN Interface protection .................................................................................................................... 23
User Roles and Firewall Policies.................................................................................................... 23
Disabling TLS 1.0 and 1.1 may lead to compatibility problems with older browsers when accessing the Aruba Gateway’s
local UI.
Authenticated NTP
To ensure that audit logs contain accurate timestamps, it is critical that the system clock be correct. The Network
Time Protocol (NTP) is typically used to synchronize clocks on Internet-connected devices. For a higher degree of
security, NTP updates should be authenticated, to prevent an attacker from intercepting NTP communication and
responding with false time data. To enable NTP authentication, in the Aruba Central UI, go to Gateway
Management > System > General > Clock:
Traffic destined for an IP address belonging to the Gateway itself will be subject to these rules. For example,
unicast traffic originating from an untrusted interface and destined for the Gateway’s management interface will
be rate-limited to using the default configuration above. To configure the “Monitor/police CP attacks” value, the
following configuration is used:
CP firewall policies
--------------------
IP Version Source IP Source Mask Protocol Start Port End Port Action hits contract
---------- --------- ----------- -------- ---------- -------- -------------- ---- --------
ipv4 any 6 1723 1723 Permit 545
ipv4 any 17 1701 1701 Permit 6
ipv4 any 6 23 23 Permit 523302 cpbwc-ipv4-telnet
ipv4 any 6 8084 8084 Deny 9
ipv4 any 6 3306 3306 Deny 175
ipv4 any 17 8209 8209 DenyNotSecure 0
ipv4 any 6 8211 8211 DenyNotMaster 0
ipv4 any 6 8212 8212 DenyNotMaster 2
ipv4 any 6 873 873 DenyNotSecure 961
ipv4 any 6 2300 2300 Permit 6 cpbwc-ipv4-telnet
ipv4 any 6 2323 2323 Permit 1207 cpbwc-ipv4-telnet
ipv4 any 6 8211 8211 Permit 0
ipv4 any 6 8212 8212 Permit 0
…
These default rules would be overridden by any administrator-configured rules. So, for example, while the output
above shows TCP traffic destined for port 22 (SSH) to be permitted from any source IP, an administrator may lock
this traffic down further by specifying additional rules on the Gateway Management > Security > Advanced > ACL
white list page in the Central UI. The following example demonstrates restricting of SSH traffic only to a specific
subnet:
Figure 10 - Firewall-CP
If local authentication is disabled, nobody will be able to access the Gateway’s management interface in the event the
authentication server becomes unavailable. For this reason, redundant authentication servers should always be used if
local authentication is disabled. Nevertheless, as long as the device is connected to the cloud, regaining access would be
as simple as changing the configured administrative authentication from Aruba Central.
Everything else, including all inbound traffic (for non-previously-established sessions) would be blocked.
Once the Gateway is provisioned, the configuration for your WAN ports will be whatever you configure in Aruba
Central. Nevertheless, as soon as you mark an interface as WAN, the GUI automatically applies the wan-uplink-
protect-acl to that port to at least have a basic protection. This security policy can of course be modified, although
the recommendation would be to create a new policy and apply it, instead of editing the default ACL.
Aruba recommends further tightening the firewall policies applied to WAN interfaces as much as possible.
When doing so, the following should be taken into consideration:
The policies above are only provided as reference. Different environments could require additional traffic flows to be
allowed. As an example, VRRP keepalives or routing protocol communications should be taken under consideration.
When a new session is received, the source and destination IP are fetched and table lookup is done for both the
IP addresses to get the reputation/geolocation information of these IPs. If the table lookup succeeds, then the
session is marked as classified and subjected to IP classification-based firewall policies. If the table lookup fails, IP
classification query message is sent to the control plane to have the classification for these IPs downloaded from
Webroot's Brightcloud service. Once the cloud lookup is resolved, entry is be added to the datapath table, which
is capable of caching information for as many as 1 million IPs or URLs.
• Apply the AAA profile to the VLAN (from Security > Apply Policy)
This initial setup facilitates an incremental approach to implementing granular access control policies in branch
networks. Once the initial policy is in place, and the Aruba Gateway is keeping track of all user sessions; security
can gradually be enhanced by enabling MAC/dot1X authentication for all devices (i.e., unique MAC addresses)
reaching the Gateway from an untrusted interface. Devices that fail authentication would be placed in the initial-
Using the default settings, certain IP address ranges are prevented from appearing in the user table – for example,
the IP multicast address range of 224.0.0.0. Aside from the specific “deny” entries, all other IP addresses are
permitted for wireless users. For maximum security, the validuser ACL should be modified so that ONLY IP
addresses valid for wireless clients are permitted. One way to do this is to manually specify entries that should be
permitted. For example, if all wireless clients belong in the subnet 192.168.15.0/24, the following modification to
the default ACL should be made:
Verify the output using “show ip access-list validuser” and note that the IPv4 entries are indicated by “4” and IPv6
entries are indicated by “6”. Although IPv4 and IPv6 rules appear in the same ACL, they are processed separately.
The “validuser” ACL should not be applied to an interface or role. This ACL is automatically referenced each time
a user is added to the user-table.
Another, simpler method to configure the same functionality is through the use of the “local-valid-users” feature
in the global firewall configuration. If this feature is enabled, only IP addresses within the locally-defined VLAN
interfaces address space will be permitted in the user table. As long as the Gateway has an IP interface defined in
every wireless subnet (i.e. an “interface vlan x; ip address a.b.c.d” configuration statement for each wireless
VLAN), this feature works automatically. If the Gateway does not have an IP interface in each wireless subnet, use
the manual ACL method described above.
The use of “interface vlan 1; bcmc-optimization” will also enable proxy-arp; consult the ArubaOS User Guide to
determine which feature is more appropriate to use.
Open Ports
The following table lists all ports that are used by an Aruba controller, Gateway, switch, or access point. The table
includes notes on what the port is used for, and whether it may be blocked using firewall rules.
Port Explanation Notes
Number
17/TCP Used to support Nortel Contivity VPN clients Can safely be blocked for most users. Vulnerability scanners
report this as “quote of the day” and may flag an alert for
“quote of the day traffic amplification”.
23/TCP Telnet. Used for administrative access to the ArubaOS Port is open by default, but connection attempts will be
command line. immediately closed. Telnet can be enabled through the
configuration command “telnet cli”.
Aruba does not recommend enabling Telnet. This port may
be blocked by firewall rules if Telnet is not needed.
53/UDP DNS responder. This service responds to all DNS queries Can be blocked by firewall rules if the Gateway is not
with the IP address of the Gateway. Often used when serving as DNS server for any branch devices.
DNS Cache and DNS redirect are needed in branch Vulnerability scanners often report problems with this port,
networks. such as “DNS cache snooping”. Because this port does not
connect to an actual DNS server, warnings may be safely
ignored.
DHCP server. ArubaOS is capable of providing DHCP Disabled automatically if DHCP service is not enabled.
67/UDP server functionality when configured to do so.
80/TCP HTTP. Accepts connections for both Captive Portal and
for WebUI administrative management. Redirects to May be blocked if not needed.
other ports using HTTPS.
123/UDP NTP. Can provide time synchronization for other This port may be safely blocked.
network devices.
161/UDP SNMP. Provides SNMP management access. Disabled by default – enabled when a SNMP community is
configured. Access to this port should be restricted to
authorized SNMP management systems. Aruba recommends
the use of SNMPv3.
443/TCP HTTPS. Used for captive portal authentication, WebUI WebUI will redirect to TCP/4343 unless “web- server web-
administrative management, and VIA. https-port-443” has been configured.
Captive portal will redirect to TCP/8081.
VIA clients require this port to be available in order to
perform profile download, and for SSL fallback mode.
8088/TCP HTTP/HTTPS. Used for captive portal for proxied clients. May be blocked if captive portal is not in use with clients
that require proxy.
8082/TCP Used for Single Sign-On with other Aruba infrastructure May be blocked if single sign-on is not in use.
9070-9080 ZMQ ports 9070 to 9080 are opened by OpenFlow May be blocked if OpenFlow is not being used.
Controller to be used by registered apps.
OpenSSH CVE-2016-10009 CVE-2016- These vulnerabilities were either patched in source code, or are non- applicable for
6210 CVE-2015-6564 CVE- ArubaOS due to configuration or limited use of a particular feature.
2015-6563 CVE-2015-5600 No currently supported version of ArubaOS contains these vulnerabilities.
CVE-2015-5352 CVE-2014-
1692 CVE-2014-2532 CVE-
2014-2653 CVE-2011-5000
CVE-2011-4327 CVE-2010-
5107 CVE-2010-4755 CVE-
2008-3259 CVE-2007-4752
CVE-2007-2243 CVE-2007-
2768 CVE-2004-1653
SSH CVE-2008-5161 Numerous vulnerability scanners report that the use of AES-CBC in SSH is not
secure. See http://community.arubanetworks.com/t5/Unified- Wired-Wireless-
Access/SSH-and-AES-CBC/m-p/248919 for a full explanation. Note that beginning in
ArubaOS 6.5.4.4, it is possible to disable AES-CBC.
sssd CVE-2009-2410 ArubaOS does not include this service
DNS / CVE-2008-1447 ArubaOS includes a “DNS responder” that listens on UDP port 53. Any query sent to
Nameserver this responder will result in a response that contains the Gateway’s IP address.
Vulnerability scanners may report that this service responds to recursive queries,
that it allows cache snooping, or that it enables traffic amplification attacks. It is
important to note that this service is not an actual DNS server, and these warnings
may be safely ignored.
Web server CVE-2002-0840 CVE-2012- Warnings such as the following may be reported:
0053 “Apache server mod_info is publicly available”
Error page XSS using wildcard DNS
Warnings related to PHP
Warnings related to WebGlimpse
Warnings related to phpCMS
Warnings related to WordPress
Warnings related to ComicPress
Warnings related to SodaHead