Disable IP/ICMP tcp timestamp on Cisco WLC 5508

michelle040414
Level 1

Hi Everyone,

Just trying to search on the internet for how to disable the IP and ICMP TCP timestamp on the WLC 5508.

Any suggestions? I am not sure if the command "no ip tcp timestamp" will work.

Thank you.

Regards,

Michelle

3 Replies

Scott Fella
Hall of Fame
I don’t think you can do this on any wireless systems. Why do you want to have this on the wireless?
-Scott
*** Please rate helpful posts ***

Really? Because, based on the vulnerability report from our security, the advice is to disable this on the WLC.

Thank you for your response.

TCP timestamps are not in and of themselves a vulnerability - they're actually a feature designed to improve TCP performance on high speed networks. There's plenty of discussion on this to be found but the main security concern is that on some older systems especially, the timestamps can be used to guess the system uptime and therefore when last patches which required a reboot were installed (to deduce unpatched vulnerabilities on the system). I haven't found any evidence that Cisco WLCs are affected by that particular concern and Cisco PSIRT team have concluded that TCP timestamps are *NOT* a security vulnerability on https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvt92023 and this 'bug' is being treated as an enhancement request = low priority, only 'fixed' if customer convinces the Cisco business unit that there is a strong business case for fixing (that's on IOS-XE not WLC). Some more discussions: https://kc.mcafee.com/corporate/index?page=content&id=KB78776&locale=en_US and https://stackoverflow.com/questions/7880383/what-benefit-is-conferred-by-tcp-timestamp
You need to have a conversation with the security team blindly asking you to do this. I've found from experience that pentest teams tend to just run a generic tool and automatically report the results without even understanding them sometimes. I've had a pentest report say that public WiFi was insecure because it was on an open (unencrypted) SSID - completely missing the point that that was the actual service being sold (and various other similar things), so you have to apply some intelligence to these pentest results :)

Back to your original question: "how to disable the ip and icmp tcp timestamp": TCP and ICMP are 2 different protocols, so I guess your actual question may have been intended to be "how to disable icmp and tcp timestamps".
Akamai has a nice answer here: https://community.akamai.com/customers/s/article/TCP-ICMP-Timestamp?language=en_US and the same logic applies to the WLC.
