restrict mbox GUI admin access
mbox HSG has built-in web service for both admin GUI access and user captive portal access (when the portals are hosted on local HSG), and both accesses share the same set of ports (tcp/80/443). There are two potential security concerns we need to address:
By default, mbox admin GUI permits access from all sources defined in "firewall-input" rules for tcp/80/443 (if without "admin" flag")
By default, all hotspot users are automatically given access to HSG web service (tcp/80/443) so that they can access to the captive portal pages, but this by default also opens access to them for the mbox admin GUI access (if no firewall-input rules with "admin" flag"), which can be a potential security loophole.
For best practice, we should only allow certain source IP/subnets to have admin GUI access, while users having access to the captive portal pages only. The key is to use "admin" flag in the firewall-input rule when we permit tcp/80/443 for admin access. In "firewall-input", once enabled with "admin" flag, only the source within this rule can have access to mbox admin GUI access (while the same source also have portal access), all other permitted tcp/80/443 rules can only have access to hotspot portal pages only (automatically excluded from admin GUI access)
Now let's look at a few examples below. (assume hotspot vlans are in 172.16.y.0/xx networks).
Below example permits all source to have both mbox admin GUI access and portal access. Least secure config!
!
firewall-input 10 permit all tcp dport 80
!
Below example permits 10.0.0.0/8 to have both mbox admin GUI portal access , while all hotspot vlans users (from 172.16.y.0/xx) also have default admin GUI and portal accesses. (there's no admin flag in the "firewall-input" rule) - not secure too!
!
firewall-input 10 permit all tcp dport 80 src 10.0.0.0/8
!
Below example restricts only 10.0.0.0/8 to have both admin GUI and hotspot portal access, while hotspot vlans users (from 172.16.y.0/xx) have only portal accesses (there's a "admin" flag rule, so all others are automatically excluded from admin GUI access.) - better, not still not secure enough
!
firewall-input 10 permit all tcp dport 80 src 10.0.0.0/8 admin
!
Below example restrict only 10.10.10.2 to have mbox admin GUI access, while all other users in 10.0.0.0/8, 192.168.0.0/16, and hotspot vlans users (from 172.16.0y0/xx) have only portal accesses. - recommended!
!
firewall-input 10 permit all tcp dport 80 src 10.10.10.2 admin
firewall-input 11 permit all tcp dport 80 src 10.0.0.0/8
firewall-input 12 permit all tcp dport 80 src 192.168.0.0/16
!
Below example, 10.10.10.3 is denied from GUI and hotspot portal access, while all other users in 10.0.0.0/8 have both admin and hotspot access, and hotspot vlans users (from 172.16.0.0/xx) have only portal accesses.
!
firewall-input 10 deny all tcp dport 80 src 10.10.10.3 admin
firewall-input 11 permit all tcp dport 80 src 10.0.0.0/8 admin
!