Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

Docker in ClearPass and other Aruba products

  • 1.  Docker in ClearPass and other Aruba products

    Posted Jan 27, 2023 08:20 AM

    Hi

    The security department of one of my customers have concerns about Docker in the Aruba products. They have a company policy prohibiting the use of Docker in the company, but they run several Aruba products including ClearPass, Mobility Conductor, Mobility controllers with APs, AOS switches, and Airwave.

    As ClearPass and Airwave both have Docker installed it has been raised as a question if the Docker service is essential and if it can be disabled in any way?
    In ClearPass Docker is utilized for the extensions, and this customer doesn't have any extensions installed at the moment.
    I don't know how Docker is utilized in Airwave.

    Would it be possible to disable Docker, in ClearPass and Airwave, and is Docker in use in other products such as AOS 8 mobility controller and Mobility Conductor?

    If it's possible to permanently disable Docker, I assume it will require assistance from TAC. Also I assume that it may be automatically enabled again after each upgrade/update.



    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------


  • 2.  RE: Docker in ClearPass and other Aruba products

    EMPLOYEE
    Posted Jan 27, 2023 08:53 AM
    I don't think you can disable/remove such features from products. Note that both ClearPass and Airwave don't offer access to the shell or to subsystems like docker. These are appliance products, carefully designed and hardened, not a generic operating system that requires hardening. The idea of appliances is that you don't need to care what is inside of it.

    The purpose of docker is to isolate processes and reduce the attack surface for specific software components, so the way it is implemented is to improve security.

    You may try and ask TAC if they can disable it, but you will quite likely end up in an unsupported situation. Or, if you understand the risks the security team is trying to mitigate, you can work with your Aruba SE to bring this to the ClearPass product team to evaluate.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 3.  RE: Docker in ClearPass and other Aruba products

    Posted Jan 27, 2023 09:27 AM
    Thanks

    I totally agree, just need to convince the customer about this...

    ------------------------------
    Best Regards
    Jonas Hammarbäck
    MVP 2023, ACCX #1335, ACMP, ACDP, ACP-Network Security, ACEP, ACSA
    Aranya AB
    If you find my answer useful, consider giving kudos and/or mark as solution
    ------------------------------