disable http management pages

  • Question
  • Updated 5 years ago
  • Answered
We have recently had a security audit and they have highlighted that the Aerohives' management pages can be accessed via HTTP.

Is there any way to turn off HTTP access and only manage them through HTTPS from the local LAN?

richard


Posted 5 years ago


Nick Lowe, Official Rep

This is a common security vulnerability; many systems allow either:

1) Full HTTP access in parallel to HTTPS access.
2) An HTTP request to be transparently redirected to an HTTPS URL.

A mitigation to secure up the point 2 approach is a HSTS header, but this is only supported by Firefox and Chrome.

Another solution is to put a page up over HTTP that explains that the service must be accessed over HTTPS and explicitly forces a user to correct the address in the address bar, ensuring any links/shortcuts are quickly corrected. This is the one I prefer.

The best solution is to deny all HTTP and ensure that management comes in on an HTTPS URL, but that is not all that friendly.
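
An added example, not part of the original thread and not Aerohive code: a Python check that sorts a management interface's plain-HTTP answer into the behaviours listed in the post above and reads the HSTS `max-age` from an HTTPS response. The function names, category labels, the password-field heuristic and the sample responses (using the documentation address 192.0.2.10) are assumptions constructed for illustration.

```python
import http.client
import re
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

# Constructed sample responses (status, headers, body); not captured from a real device.
SAMPLES = {
    "redirect": (302, {"Location": "https://192.0.2.10/"}, ""),
    "login": (200, {}, '<form><input type="password" name="pw"></form>'),
    "closed": (None, {}, ""),
}

def probe(host, port=80, timeout=5):
    """Fetch / over plain HTTP from a device you administer; status is None if nothing answers."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/")
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read(65536).decode("latin-1")
    except (OSError, http.client.HTTPException):
        return None, {}, ""

def classify_http(status, headers, body, host):
    """Map one plain-HTTP response onto the behaviours listed in the thread."""
    headers = {k.lower(): v for k, v in headers.items()}
    if status is None:
        return "http-denied"                 # the "deny all HTTP" option
    if status in REDIRECTS:
        target = urlsplit(headers.get("location", ""))
        if target.scheme == "https" and target.hostname == host.lower():
            return "redirect-to-https"       # point 2: check HSTS on the HTTPS side
        return "redirect-elsewhere"
    if 200 <= status < 300:
        # Heuristic (assumption): a password field means the login page itself is served.
        if re.search(r'type=["\']?password', body, re.I):
            return "login-over-http"         # point 1: full HTTP access
        return "http-page-without-login"     # e.g. a "use HTTPS" notice; review by hand
    return "http-rejected"

def hsts_max_age(https_headers):
    """Return max-age from Strict-Transport-Security on an HTTPS response, else None."""
    headers = {k.lower(): v for k, v in https_headers.items()}
    for directive in headers.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip('"').isdigit():
            return int(value.strip('"'))
    return None
```

Browsers honour `Strict-Transport-Security` only when it arrives over HTTPS, so `hsts_max_age` is meant for the headers of the HTTPS response, not the output of `probe`.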

richard

How can we deny HTTP requests to the Aerohives? I've had a look and can't find any settings in the MyHive manager.

Mike Kouri, Official Rep

Richard,
I assume you are talking about the embedded web server, used for captive web portals and for emergency local administration of the devices? This is configured in the Network Policy, under Advanced Settings, Service Settings. There's a checkbox to enable/disable the web server. Please note that unchecking this will also disable the CWP pages.

Nick Lowe, Official Rep

I think he's looking for something more granular than that.