Re: [fw-wiz] Radius access from provider to internal MS ISA Server

From: Paul Robertson (proberts@patriot.net)
Date: 07/04/02


From: Paul Robertson <proberts@patriot.net>
To: Christoph Steigmeier <chris@hypernet.ch>
Date: Thu Jul  4 18:56:00 2002

On Thu, 4 Jul 2002, Christoph Steigmeier wrote:

> Hello
>
> Our network-engineers are planning a vpn. The access should be done through
> a selected local internet provider. The authentication for the
> ppp-connection to the provider should be authenticated using the chap
> protocol which is then forwarded from the isp's dialin to our radius
> server in our corporate network to validate uid/pw. After this the
> vpn-connection can be initialized through our vpn-gateways.
>
> My question: I am not sure if it is good to allow the providers
> radius-proxies to access our radiusservers (MS ISA) in our internal net
> without an additional radiusproxy in our dmz. Our engineers argue that
> these will be expensive and pointless, because only the ip from the
> providers radius would be granted, and that dos- and spoofing protection
> on the firewalls is enough, and that an additional radiusproxy will not
> prohibit unauthorized use of the connection. I am also not so sure if it
> is a good thing to administrate both rights in one directory eg.

I prefer to keep internal and external authentication realms different, so
that compromise of the credentials is limited in scope (your ISP will be
able to sniff the CHAP authentication.) If you're using one-time tokens,
that's not a big deal, if you've got administrative users coming in with
passwords, then it may be. I'd vote for separate authentication servers in
the DMZ with just the ISP's servers able to access them, but it probably
requires an additional set of credentials for users (I'm not sure that's
bad, lots of people tend to disagree.)

Given the price of PCs, cost shouldn't be much of an issue.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment, TruSecure Corporation
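The point Paul makes in passing, that the ISP will be able to sniff the CHAP authentication, is worth seeing concretely. The following is an added example, not code from the original post or from either correspondent. It implements the CHAP/MD5 response from RFC 1994 (Response = MD5(Identifier || Secret || Challenge)), the verification a RADIUS server performs, and the offline dictionary guess that anyone who observed the Identifier, Challenge and Response (the ISP's dial-in box, its RADIUS proxy, or a tap between them) can run at leisure. The passwords, token values, challenge bytes and wordlist are constructed for the illustration; a real NAS uses random challenges.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample wordlist for the illustration; not from the page.
WORDLIST = ["password", "letmein", "hypernet", "Summer2002", "corp-dialup-1"]


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP with MD5: Response = MD5(Identifier || Secret || Challenge).

    Identifier is one octet. The secret (the user's password, or the output of
    a one-time token) is never sent on the wire, but the other three values
    are, and the proxied RADIUS request carries them to the server.
    """
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """What the RADIUS server does with the CHAP-Challenge/CHAP-Password it receives."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  candidates) -> Optional[str]:
    """What an observer of the exchange can do: try candidate secrets offline,
    with no further interaction with the server and no lockout to trip."""
    for cand in candidates:
        if chap_response(identifier, cand.encode(), challenge) == response:
            return cand
    return None


def static_password_case():
    """User authenticates with a reusable password; the observer recovers it."""
    identifier = 0x2A
    secret = b"Summer2002"                  # constructed user password
    challenge = bytes(range(16))            # constructed; real challenges are random
    response = chap_response(identifier, secret, challenge)   # crosses the ISP
    accepted = verify(identifier, secret, challenge, response)
    recovered = offline_guess(identifier, challenge, response, WORDLIST)
    return accepted, recovered


def one_time_token_case():
    """Same observation, but the secret was a one-time token output. Recovering
    it offline yields nothing reusable: the next login has a new token value
    and a fresh challenge, so the recovered value is rejected."""
    identifier = 0x2B
    token_now = b"482913"                   # constructed token output for this login
    challenge = bytes(range(16, 32))
    response = chap_response(identifier, token_now, challenge)
    # A six-digit token output falls to a tiny brute force...
    recovered = offline_guess(identifier, challenge, response,
                              (f"{n:06d}" for n in range(480000, 490000)))
    # ...but the server now expects the next token value on a new challenge.
    token_next = b"775120"                  # constructed next token output
    next_challenge = bytes(range(32, 48))
    attempt = chap_response(identifier + 1, recovered.encode(), next_challenge)
    replay_ok = verify(identifier + 1, token_next, next_challenge, attempt)
    return recovered, replay_ok


if __name__ == "__main__":
    print("static password:", static_password_case())
    print("one-time token: ", one_time_token_case())
```

This is the reason the scope of a credential compromise matters here: a password recovered from the ISP-visible exchange is only as dangerous as what else it opens, which is Paul's argument for keeping the dial-in realm on its own servers in the DMZ rather than validating against the internal directory.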


