07-25-2016 07:40 PM
Is there any detailed information around the OS level security between the Data and Management interfaces on a ClearPass server?
Aside from the IP black / whitelisting that can be configured - is there none?
Are the captive portal and management server functions run by the same web server instance?
This is a hot topic of conversation with some of our customers - some would say there is no value in having a dedicated Data / Mgmt port from a security perspective and that the entire appliance should sit in a DMZ.
Anyone out there had similar conversations? Thoughts?
08-29-2016 08:24 AM - edited 08-29-2016 08:44 AM
I would not bridge firewalls or security zones with any appliance.
Note that I have a background in security and may be a bit over-paranoid.
My personal preference is to have physically separate appliances in the DMZ for guest and onboarding (untrusted traffic), separate from the internal (trusted, AD connected) ones. This is derived from the theory that I learned a long time ago (when I had much more hair) that you should always ask yourself the question: assuming that an attacker compromises the appliance, what would be possible from that point? And always assume that a box is compromised at a certain moment in time. If it is not, you are probably lucky ;-) and you should not bet on luck.
If such a multi-homed appliance gives direct access to the internal/trusted network (ClearPass does have separated routing engines, but assume that when the box is compromised, an attacker can manipulate that as well), you might be in trouble. In most cases, if you are approaching this question from security, you should be very careful when bridging different security zones in your network.
For the same reason, I don't like the phenomenon of separate management networks, as if an attacker gets access to that network, she (or he) has full access to the kingdom. I prefer just to use the management port on ClearPass also to keep it simple. Leave data unconfigured.
The only multi-homed appliance should be your firewall, as that is specifically designed for that. And recently, with the exposed vulnerabilities on Cisco, Fortinet and Watchguard firewalls, we learned again that even for such an appliance, which has been designed for the specific purpose of separating and filtering network segments, a small mistake can render the product vulnerable.
Other people may look at this from a different perspective and come to different conclusions. Again, I might be considered a bit over-paranoid.
The final decision should be made by your security department who will perform a security assessment, and probably take the previous reasoning into account.
If you have urgent issues, please contact your Aruba partner or Aruba TAC.