Securing WLC from external attacks

Yea9632
Level 1

Hello,

I'm deploying a new WLC which will use a public IP address (behind a NAT & port forwarding) to register remote APs over the internet... the only ports that will be open are 443 (for management purposes) and 5246 & 5247 for the CAPWAP flow... my question is: how can I secure access to that WLC from external attacks on those 3 ports... are there any options available in the WLC to avoid such problems, or should everything security-related be done at the firewall level?

Thank you in advance


patoberli
VIP Alumni
As a first step do it at the firewall level.
Secondly, make sure you are always keeping the WLC software up to date in case of security issues.
Thirdly, you can create ACLs on the WLC to only allow connections from certain IP addresses.

Hi

Are you using a public IP address on the WLC but with NAT and port forwarding? That does not make sense to me. If you are using a public IP address then you don't need NAT. If you are using NAT then your WLC is not exposed on the Internet, because something must be in front of it.

Considering you are really using a public IP address and your WLC will be open on the Internet, you can use an ACL on the WLC, but keep in mind that your WLC will be exposed on the Internet. You can suffer DDoS attacks and brute force attacks.

Some actions you can take:

Create WLANs with an ID greater than 16. They will not be advertised in the default AP group by default.

Use the AP auth list to prevent someone on the Internet from joining an AP to your network and using your network without your permission.

Lastly, avoid this kind of scenario at all costs.

-If I helped you somehow, please, rate it as useful.-

Thank you for your reply.
Indeed, the WLC is behind a FW and NAT is enabled on it; the public IP is added to the WLC though, since the NAT used is NAT-T.
The important thing for me is the WLC. Things that I will add to the list you provided:
- AP MAC address filtering, so no rogue APs can join
- Console AP passwords, so no one can log in to remote APs (who knows) and reveal the public IP address of the WLC (technically the IP of the outside firewall)
- Use of FlexConnect mode (data plane routed using the nearest end)
- Use of DTLS so the control plane exchanges between the WLC and the remote AP will be encrypted (needs a license, I'm aware of this)

What do you think ?

Some additional checks you can do as well:

show switchconfig - make sure the relevant checks are enabled, like the strong password and username checks etc.

Check for control plane policing.

Make sure the HTTPS cipher is set to high.

Access via dynamic interface is disabled.

Leverage the CPU ACL; you might want to block all Internet traffic except that coming from your APs, since you are using FlexConnect.

Use certificates for admin, webauth and IPSec communication.

-hope this helps-
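An added example, not code from any of the posters or from Cisco: a small Python model of the allow-list the last reply recommends (HTTPS management only from the admin network, CAPWAP 5246/5247 only from the known remote APs, implicit deny for everything else), so the intended policy can be sanity-checked against sample flows before it is typed into a firewall or CPU ACL. The addresses are constructed placeholders from documentation ranges, and the first-match/implicit-deny semantics are a generic model, not AireOS ACL syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source prefix in CIDR notation
    dport: Optional[int]   # destination port, None means any port

@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    dport: int

# Constructed placeholder addresses (RFC 5737 documentation ranges), not real hosts.
ADMIN_NET = "203.0.113.0/24"
REMOTE_APS = ["198.51.100.10/32", "198.51.100.11/32"]

# Allow-list in the spirit of the thread: management on 443 only from the admin
# network, CAPWAP control (5246) and data (5247) only from the known AP addresses.
# A flow matching no rule falls through to the implicit deny in evaluate().
POLICY: List[Rule] = [Rule("permit", "tcp", ADMIN_NET, 443)] + [
    Rule("permit", "udp", ap, port) for ap in REMOTE_APS for port in (5246, 5247)
]

def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow satisfies every field of the rule."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    return ip_address(flow.src_ip) in ip_network(rule.src)

def evaluate(policy: List[Rule], flow: Flow) -> str:
    """First-match evaluation with an implicit deny at the end of the list."""
    for rule in policy:
        if matches(rule, flow):
            return rule.action
    return "deny"

def denied(policy: List[Rule], flows: List[Flow]) -> List[Flow]:
    """Flows the policy drops: review these to confirm unknown sources are
    blocked and that no legitimate AP was left off the allow-list."""
    return [f for f in flows if evaluate(policy, f) == "deny"]
```

Running `denied(POLICY, flows)` over a capture of what actually reaches the controller's public address is a quick way to confirm that a legitimate AP is on the list and that nothing else is accepted.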