Not explicitly, as far as I'm aware. There is a Service Routing Guide that explains how it works if you use two interfaces, but there is no claim of any security benefits, which are not there. Most people use the data & management ports because it sounds secure, but in practice it's two interfaces into the same system, which eliminates any security benefit as far as I can see.

My personal opinion is that you should not use multiple interfaces in any application server if those interfaces are connected to different security zones, because if the system is compromised in one zone, an attacker can have access to the other zone. The name "data & management port" suggests that there is a hard separation, which is not there. The use of the data & management ports brings in additional complexity (see the Service Routing Guide). For security, my suggestion is to keep things as simple as possible; data + management brings in additional complexity and doubles your attack surface instead of reducing it. Exceptions always exist, but it's just easier not to go in that direction unless you absolutely need it and are fully aware of the additional risks.

Using the data interface for guest traffic may save money, but at the cost of reduced security. If you would NAT guest traffic to a single-interface ClearPass that sits inside your network, you have the security equivalent of a ClearPass with the mgmt port internal and the data port in the DMZ. Most organizations won't even consider NATting guest traffic to the internal network, but would isolate that in the DMZ. If you won't allow NAT to a single interface, then don't use the data interface.

I have seen a few situations with service providers where there is a customer routing domain and one for management by the service provider, but both interfaces were firewalled: data by the customer, mgmt by the service provider. To solve routing challenges, using multiple interfaces can be a good solution. Just not with the intention of additional security (in most cases, as explained).
Note that for me it is generic security practice to not cross any device over multiple security zones, except for firewalls that are designed specifically for that and don't do anything else.
Also, ClearPass is actively tested and kept up to date for potential security vulnerabilities, but if you don't need to take the risk, I would just avoid it.
Hope this explanation helps in understanding and optimizing your design. As always, exceptions do exist; just take care in your evaluation of functionality vs. risk, with the proper data.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
Original Message:
Sent: Mar 03, 2023 05:20 AM
From: afedeli
Subject: Data and management port design questions
Hello Herman,
Is there any official documentation where it is noted that the use of the data port is not recommended? I am trying to find it on the web, but with no success.
Kind regards
Alessandro