I'm deploying a new WLC which will use a public IP address (behinde a NAT & port forwarding) to register remote APs over the internet... the only ports that will be open are 443 ( for management purpose), 5246 & 5247 for CAPWAP flow... my question is : How can I secure the access to that WLC from external attacks in those 3 ports.... is there any options available in the WLC to avoid such problems, or everything security related should be done at the firewall level ?
Thank you in advance
Are you using public IP address on the WLC but NAT and port forwarding ? Does not make sense to me. If you are using public IP address then you dont need NAT. If you are using NAT then your WLC is not exposed on the Internet cause something must be in front of it.
Considering you are really using public IP address and your WLC will be open on the internet, you can use ACL on the WLC but keep in mind that your WLC will be exposed on the Internet. You can suffer DDoS attacks and brutal force attacks.
Some action you can take:
Create WLAN with ID greater then 16. They will not be advertised on the default AP group by default.
Use AP auth list to avoid someone on the Internet to join an AP on your network and use you network without your permission.
Lastly, avoid this kind of scenario on all cost.
-If I helped you somehow, please, rate it as useful.-
Thank you for your reply,
indeed, the WLC is behind a FW and NAT is enabled on it, the public IP is added to the WLC tho, since the NAT used is the NAT-T.
the important thing for me is the WLC, Things that I will add to the list you provided : - APs Mac address filtering, so no Rogue APs can join
- Console AP Passwords, so none can login into remote APs ( who knows) and reveal the Public IP address of the WLC ( technically the IP of the outside firewall)
- Use of the Flexconnect mode (Data plane routed using the nearest end)
- use of the DTLS so the Control plane exchanges between the WLC and the remote AP will be encrypted (Needs a license i'm aware about this)
What do you think ?
Some additional checks you can do as well
show switchconfig - make sure relevant checks are enabled, like strong password username check etc.
Check for control plane policing
make sure https cipher is set to high.
access via dynamic interface is disabled
Leverage cpu acl, might want to block all internet traffic except one coming from your AP, since you are using flex connect.
Use certificates for admin, webauth and IPSec communication.