Re: Discussion on where RADIUS server should be

From: Imhotep (NoSpam_at_NoThanks.com)
Date: 06/17/05


Date: Thu, 16 Jun 2005 16:01:10 -0700

Marlon wrote:

> Cisco VPN 3000
>
> "Imhotep" <NoSpam@NoThanks.com> wrote in message
> news:Rumse.168$Lr4.96@fed1read03...
>> Marlon wrote:
>>
>>> Interesting. It is time to consider a new concentrator and I thought
>>> about using ISA instead and phasing out the Cisco one. Let me know
>>> whether the VPN feature in ISA 2004 EE is not working alright for
>>> whatever reason.
>>>
>>> "Imhotep" <NoSpam@NoThanks.com> wrote in message
>>> news:8fkse.153$Lr4.19@fed1read03...
>>>> Marlon wrote:
>>>>
>>>>> Thanks. In this case, the device that will pre-authenticate is ISA
>>>>> and that does not support RADIUS. I am using TACACS+ for the VPN
>>>>> concentrator though, since that is a Cisco box.
>>>>>
>>>>> "Imhotep" <NoSpam@NoThanks.com> wrote in message
>>>>> news:xcjse.147$Lr4.42@fed1read03...
>>>>>> Marlon wrote:
>>>>>>
>>>>>>> All network diagrams I've seen so far indicate that a RADIUS
>>>>>>> server (Windows IAS, ACS, or whatever) should be placed in the
>>>>>>> 'internal' network and establish communications with DC's there.
>>>>>>> Then if an external user attempts to connect via VPN (DMZ), then I
>>>>>>> would allow only the ports necessary from the VPN concentrator to
>>>>>>> the RADIUS server and pre-authenticate users at that point.
>>>>>>>
>>>>>>> I have a security guy fellow here that tells me that the RADIUS
>>>>>>> server should be placed in the "DMZ" instead. Does this make sense
>>>>>>> at all?
>>>>>>
>>>>>> As a general rule your authentication server (Radius, Tacacs, etc)
>>>>>> SHOULD be internal. Why? Because you really want to protect (and
>>>>>> tightly restrict control) this server from being hacked....Losing
>>>>>> your Radius server would be a disaster!
>>>>>>
>>>>>> Now if your security guy is saying something like "we will put the
>>>>>> Radius server in its own DMZ (ie by itself) and strictly control
>>>>>> access to it", this is not a bad idea.
>>>>>>
>>>>>> Remember a couple of things about Radius: communications (sessions)
>>>>>> are NOT encrypted (ie can be sniffed). I would highly recommend
>>>>>> using TACACS+ instead of Radius...I would also suggest not using
>>>>>> the domain passwords for your external (VPN) access. I would
>>>>>> suggest using keyfobs instead. Why? Because this would give
>>>>>> multiple layers of security and force a hacker/cracker to crack
>>>>>> two accounts per person before getting full access. This also
>>>>>> allows you to protect yourself from weak user passwords, etc,
>>>>>> etc....
>>>>>>
>>>>>>
>>>>>> -Imhotep
>>>>
>>>> Cool. I am glad you are not using Radius. Cisco makes a damn good VPN
>>>> concentrator. Personally I stay away from ISA because it has had a
>>>> serious "checked" past...and I do not hold it in high regards...
>>>>
>>>> -Im
>>
>> Personally I would keep the Cisco VPN concentrator. I would not replace
>> it. What model are you using? 3000 Series?
>>
>> -Im

Keep it. That is one of the best VPN concentrators you can get!

-Imhotep
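As an added example (not part of the thread or anyone's posted code), the following Python shows concretely why Imhotep says a RADIUS session "can be sniffed": RFC 2865 only obfuscates the User-Password attribute with an MD5 keystream derived from the shared secret and the Request Authenticator, while User-Name and every other attribute travel in the clear. The secret, user name and password below are constructed for the example.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1        # RADIUS Code for Access-Request (RFC 2865 section 4.1)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def encode_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block),
    seeded with the Request Authenticator. Obfuscation, not encryption in any modern sense."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def decode_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """The reverse operation the RADIUS server performs; the only thing protecting the
    password on the wire is the shared secret and MD5."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        block = encoded[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username: bytes, password: bytes, secret: bytes,
                         identifier: int = 0, authenticator: bytes = None) -> bytes:
    """Minimal Access-Request: header (code, id, length, 16-byte authenticator) + TLV attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username),
                             (ATTR_USER_PASSWORD, encode_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", attr_type, len(value) + 2) + value
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def on_the_wire(packet: bytes) -> dict:
    """What a passive observer sees without the secret: only User-Password is opaque."""
    seen, i = {"authenticator": packet[4:20]}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        seen[attr_type] = packet[i + 2:i + length]
        i += length
    return seen
```

This is the basis for the thread's advice: keep the RADIUS server and its NAS traffic on a tightly restricted segment, and do not reuse domain passwords for external VPN access.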
