12-13-2013 01:18 AM
I have a customer with concerns that implementing a ClearPass with dual interfaces (one in the DMZ and one in corporate) will pose a security risk. Any technical arguments that I can offer them to allay their fears? CPPM will be configured, of course, to send any management traffic back out the management port and data traffic (DMZ) back out the data port.
12-13-2013 04:59 AM
In terms of security, it depends as far as I'm concerned. Primarily, it depends on the customer type. If it's military or some such, it might be wise to put the ClearPass behind a firewall. It really comes down to governance and applicable industry regs for the customer. Having said that, if you're using an Aruba controller, the initial login role and architecture constitutes this (a firewall). Just make sure your rules are nice and tight!
There is an option in ClearPass (well, in recent versions certainly) to prevent admin access from certain source subnets (maybe your DMZ). Screenshot attached.
Having said all that, I actually don't like having multiple interfaces as it increases complexity. This is nothing to do with security, but I find it simpler all around (mostly for the customer) if ClearPass has just one logical interface. I guess the validity of this for you depends on the architecture as a whole?
12-13-2013 05:01 AM
Oh, forgot to say: assuming you've got an Aruba controller, don't forget you can also use the stateful firewall to control DoS etc. against the ClearPass/captive portal.
12-13-2013 06:56 AM
They are connecting through a controller but do not want the guest traffic reaching ClearPass via the corporate network; it's being routed to the DMZ via a dedicated port on an M3. We have proposed a second interface on ClearPass to connect to the DMZ so it's reachable by the guest traffic; however, as it has interfaces in both networks, they are very nervous.
12-13-2013 07:06 AM
The easiest way to resolve those worries, I find, is a thorough test process, which you show the customer at the time of install.
I.e. do port scans from a guest device to protected targets. Prove your firewall rules are working on the controller, and show the deny rules being hit in the role on the controller.
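A scripted form of the acceptance test described in the post above, added here as an example and not code from the thread or from Aruba. The hostnames and ports are placeholders, and the expected-reachability table is an assumption about a typical deployment: from the guest role only the ClearPass captive portal in the DMZ should answer, while ClearPass admin/management ports and corporate hosts must be denied by the controller's role firewall.

```python
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Expectation:
    """One row of the acceptance test: what a guest device should (not) reach."""
    host: str
    port: int
    allowed: bool          # True: must be reachable; False: firewall must deny
    note: str = ""


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect succeeds, False on refusal or timeout.
    A deny rule on the controller normally shows up as a timeout (dropped)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def verify_guest_isolation(expectations, probe=tcp_probe):
    """Run each probe from the guest device and compare with the expectation.
    Returns (all_passed, rows); rows hold reachable/ok per target so the
    result can be shown to the customer alongside the controller's hit counts."""
    rows = []
    for e in expectations:
        reachable = probe(e.host, e.port)
        rows.append({"host": e.host, "port": e.port, "expected_allowed": e.allowed,
                     "reachable": reachable, "ok": reachable == e.allowed,
                     "note": e.note})
    return all(r["ok"] for r in rows), rows


# Constructed placeholder table (assumption: names/ports are not from the thread).
GUEST_EXPECTATIONS = [
    Expectation("clearpass-dmz.example", 443, True, "captive portal page"),
    Expectation("clearpass-dmz.example", 22, False, "ClearPass SSH must be denied"),
    Expectation("clearpass-mgmt.example", 443, False, "admin UI via corporate only"),
    Expectation("fileserver.corp.example", 445, False, "corporate SMB"),
    Expectation("intranet.corp.example", 80, False, "corporate web"),
]

if __name__ == "__main__":
    passed, rows = verify_guest_isolation(GUEST_EXPECTATIONS)
    for r in rows:
        print(("PASS" if r["ok"] else "FAIL"), r["host"], r["port"], r["note"])
    raise SystemExit(0 if passed else 1)
```

Run it from a device that has joined the guest SSID; a FAIL row is a target the role firewall let through (or a portal that is unexpectedly unreachable) and should be matched against the controller's rule hit counters.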
12-15-2013 12:25 AM