Security

Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).
Guest DMZ and Clearpass

  • 1.  Guest DMZ and Clearpass

    Posted Dec 13, 2013 04:19 AM

    I have a customer with concerns that implementing a ClearPass with dual interfaces (one in the DMZ and one in corporate) will pose a security risk. Are there any technical arguments that I can offer them to allay their fears? CPPM will of course be configured to send management traffic back out the management port and data (DMZ) traffic back out the data port.



  • 2.  RE: Guest DMZ and Clearpass

    Posted Dec 13, 2013 08:00 AM

    In terms of security, it depends as far as I'm concerned. Primarily, it depends on the customer type. If it's military or some such, it might be wise to put the ClearPass behind a firewall. It really comes down to governance and applicable industry regs for the customer. Having said that, if you're using an Aruba controller, the initial login role and architecture constitutes this (a firewall). Just make sure your rules are nice and tight!


    There is an option in ClearPass (well, in recent versions certainly) to prevent admin access from certain source subnets (maybe your DMZ). Screenshot attached.


    Having said all that, I actually don't like having multiple interfaces as it increases complexity. This has nothing to do with security, but I find it simpler all around (mostly for the customer) if ClearPass has just one logical interface. I guess the validity of this for you depends on the architecture as a whole?



  • 3.  RE: Guest DMZ and Clearpass

    Posted Dec 13, 2013 08:01 AM

    Oh, forgot to say: assuming you've got an Aruba controller, don't forget you can also use the stateful firewall to control DoS etc. against the ClearPass/captive portal.



  • 4.  RE: Guest DMZ and Clearpass

    Posted Dec 13, 2013 09:57 AM

    They are connecting through a controller but do not want the guest traffic reaching ClearPass via the corporate network; it's being routed to the DMZ via a dedicated port on an M3. We have proposed a second interface on ClearPass to connect to the DMZ so it's reachable by the guest traffic; however, as it has interfaces in both networks, they are very nervous.



  • 5.  RE: Guest DMZ and Clearpass

    Posted Dec 13, 2013 10:07 AM

    The easiest way to resolve those worries, I find, is a thorough test process, which you show the customer at the time of install.


    I.e. do port scans from a guest device to protected targets. Prove your firewall rules are working on the controller, and show deny rules being hit in the role on the controller.



  • 6.  RE: Guest DMZ and Clearpass

    Posted Dec 15, 2013 03:26 AM

    CPPM is not configured as a router; sessions should not be routed through it. However, problems can occur with sessions terminating on CPPM (RADIUS, web portal, etc.). The default route points out of the data port's interface. Hence, if a session comes into the management port's interface but the source IP network is unknown, the response will go via the data port's interface. This is undesirable; typically these connections will not work. The solution is to manually add routes to all the non-local management networks via the management port's interface next hop(s) - this must be done on the CPPM's CLI. Note that by default this problem does not occur with packets arriving on the data port's interface, as the responses follow the default route.
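The asymmetric-reply problem described in the post above, modelled as an added example (this is not code from the thread or from HPE, and it is not ClearPass CLI syntax): a small longest-prefix-match route table with a default route out the data port, a request arriving on the management port from a non-local network, and the effect of adding a static route for that network via the management gateway. All subnets, gateways and client addresses are constructed sample values.

```python
"""Model of the dual-homed CPPM reply path: longest-prefix-match route lookup
with a default route out the data port. Added illustration; all addresses
below are constructed, not taken from the thread or any real deployment."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str                     # "mgmt" or "data"
    gateway: Optional[str] = None  # None means directly connected


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def build_table(mgmt_subnet: str, mgmt_gw: str, data_subnet: str, data_gw: str,
                static_mgmt_nets: Tuple[str, ...] = ()) -> List[Route]:
    """Table as the post describes it: the two connected subnets plus a default
    route out the data port. static_mgmt_nets are the non-local management
    networks that have to be added manually via the management next hop."""
    routes = [
        Route(ipaddress.ip_network(mgmt_subnet), "mgmt"),
        Route(ipaddress.ip_network(data_subnet), "data"),
        Route(ipaddress.ip_network("0.0.0.0/0"), "data", data_gw),
    ]
    for net in static_mgmt_nets:
        routes.append(Route(ipaddress.ip_network(net), "mgmt", mgmt_gw))
    return routes


def reply_path(routes: List[Route], ingress_iface: str, client_ip: str) -> Tuple[str, bool]:
    """Interface the reply to a session from client_ip leaves on, and whether
    that is the same interface the request arrived on (symmetric path)."""
    egress = lookup(routes, client_ip).iface
    return egress, egress == ingress_iface


# Constructed sample topology (assumed values, not from the thread):
MGMT_SUBNET, MGMT_GW = "10.10.1.0/24", "10.10.1.1"  # corporate side
DATA_SUBNET, DATA_GW = "192.0.2.0/24", "192.0.2.1"  # DMZ side
REMOTE_ADMIN_NET = "10.20.0.0/16"                    # admin network not directly connected


def demo() -> Dict[str, Tuple[str, bool]]:
    """Compare the default table with one carrying the extra management route."""
    default_table = build_table(MGMT_SUBNET, MGMT_GW, DATA_SUBNET, DATA_GW)
    fixed_table = build_table(MGMT_SUBNET, MGMT_GW, DATA_SUBNET, DATA_GW, (REMOTE_ADMIN_NET,))
    return {
        # admin on a non-local corporate network, arriving on the mgmt port
        "remote_admin_default": reply_path(default_table, "mgmt", "10.20.5.7"),
        "remote_admin_fixed": reply_path(fixed_table, "mgmt", "10.20.5.7"),
        # guest (non-local) arriving on the data port: default route already matches
        "guest_default": reply_path(default_table, "data", "198.51.100.9"),
        # admin on the directly connected management subnet: no problem either way
        "local_admin_default": reply_path(default_table, "mgmt", "10.10.1.50"),
    }


if __name__ == "__main__":
    for name, (iface, symmetric) in demo().items():
        state = "symmetric" if symmetric else "ASYMMETRIC (session will likely fail)"
        print(f"{name:22s} reply via {iface:4s} {state}")
```

Only the remote admin session on the default table comes back out the wrong port; the guest session on the data port and the directly connected admin subnet are unaffected, which matches the post's note that the problem does not occur for packets arriving on the data port.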