
Disable IP/ICMP tcp timestamp on Cisco WLC 5508

Hi Everyone,

Just trying to search on the internet for how to disable the ip and icmp tcp timestamp on WLC 5508.

Any suggestions? I am not sure if the command "no ip tcp timestamp" will work.

Thank you.

Regards,

Michelle


I don’t think you can do this on any wireless systems. Why do you want to have this on the wireless?
-Scott

Really? Because the vulnerability report from our security team advises disabling this on the WLC.

Thank you for your response.

TCP timestamps are not in and of themselves a vulnerability - they're actually a feature designed to improve TCP performance on high speed networks. There's plenty of discussion on this to be found, but the main security concern is that, on some older systems especially, the timestamps can be used to guess the system uptime and therefore when the last patches which required a reboot were installed (to deduce unpatched vulnerabilities on the system).

I haven't found any evidence that Cisco WLCs are affected by that particular concern, and Cisco PSIRT team have concluded that TCP timestamps are *NOT* a security vulnerability on https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt92023 and this 'bug' is being treated as an enhancement request = low priority, only 'fixed' if a customer convinces the Cisco business unit that there is a strong business case for fixing (that's on IOS-XE, not WLC). Some more discussions: https://kc.mcafee.com/corporate/index?page=content&id=KB78776&locale=en_US and https://stackoverflow.com/questions/7880383/what-benefit-is-conferred-by-tcp-timestamp

You need to have a conversation with the security team blindly asking you to do this. I've found from experience that pentest teams tend to just run a generic tool and automatically report the results without even understanding them sometimes. I've had a pentest report say that public WiFi was insecure because it was on an open (unencrypted) SSID - completely missing the point that that was the actual service being sold (and various other similar things), so you have to apply some intelligence to these pentest results :)

Back to your original question: "how to disable the ip and icmp tcp timestamp": tcp and icmp are 2 different protocols so I guess your actual question may have been intended to be "how to disable icmp and tcp timestamps".
Akamai has a nice answer here: https://community.akamai.com/customers/s/article/TCP-ICMP-Timestamp?language=en_US and the same logic applies to the WLC.
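For triaging a scanner finding like the one in this thread, the sketch below (an added example, not code from any poster or from Cisco) parses the options of a captured TCP header to confirm whether the timestamp option is actually sent, and shows the uptime arithmetic a scanner applies to two TSval samples. The header bytes, ports and sample values are constructed, and the function names are hypothetical.

```python
import struct
EOL, NOP, TIMESTAMP = 0, 1, 8  # TCP option kinds (RFC 9293, RFC 7323)

def tcp_timestamp_option(tcp_header: bytes):
    """Return (TSval, TSecr) from a raw TCP header, or None if option 8 is absent."""
    if len(tcp_header) < 20:
        raise ValueError("truncated TCP header")
    header_len = (tcp_header[12] >> 4) * 4  # data offset is in 32-bit words
    if not 20 <= header_len <= len(tcp_header):
        raise ValueError("bad data offset")
    opts, i = tcp_header[20:header_len], 0
    while i < len(opts):
        kind = opts[i]
        if kind == EOL:
            break
        if kind == NOP:  # single-byte padding, no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed option")
        length = opts[i + 1]
        if kind == TIMESTAMP:
            if length != 10:
                raise ValueError("timestamp option must be 10 bytes")
            return struct.unpack("!II", opts[i + 2:i + 10])
        i += length
    return None

def implied_uptime_seconds(sample_a, sample_b):
    """Samples are (capture_time_s, TSval). The result equals real uptime only
    if the counter started at zero at boot, which is the scanner's assumption."""
    (t1, v1), (t2, v2) = sample_a, sample_b
    ticks = (v2 - v1) % 2**32  # TSval is a 32-bit counter and may wrap
    if t2 <= t1 or ticks == 0:
        raise ValueError("samples must be ordered in time with an advancing TSval")
    return v2 / (ticks / (t2 - t1))  # TSval divided by ticks per second

def build_header(options: bytes) -> bytes:
    """Constructed SYN-ACK header for the demo; ports and numbers are made up."""
    words = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", 443, 50000, 1, 2, words << 4, 0x12, 65535, 0, 0) + options

# Constructed sample input: MSS, NOP, NOP, Timestamp, NOP, Window Scale
WITH_TS = build_header(bytes([2, 4, 5, 180, 1, 1, 8, 10]) + struct.pack("!II", 86_410_000, 7)
                       + bytes([1, 3, 3, 7]))
WITHOUT_TS = build_header(bytes([2, 4, 5, 180]))  # MSS only

if __name__ == "__main__":
    print(tcp_timestamp_option(WITH_TS), tcp_timestamp_option(WITHOUT_TS))
```

If the implied boot time does not line up with the device's real reboot history, the counter is not boot-relative and the uptime inference described above does not apply to it.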
