Firewall Wizards: Re: Radius access from provider to internal MS ISA Server

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Firewall Wizards mailing list archives

Re: Radius access from provider to internal MS ISA Server

From: Paul Robertson <proberts () patriot net>
Date: Thu, 4 Jul 2002 18:56:06 -0400 (EDT)

On Thu, 4 Jul 2002, Christoph Steigmeier wrote:

Hello

Our network-engineers are planing a vpn. The access should be done through
a selected local internet provider. The authentication for the
ppp-connection to the provider should be authenticated using the chap
protocol which is then forwarded from the isp's dialin to our radius
server in our corporate network to validate uid/pw. After this the
vpn-connection can be initialized through our vpn-gateways.

My question: I am not sure if it is good to allow the providers
radius-proxys to access our radiusservers (MS ISA) in our internal net
without an additional radiusproxy in our dmz. Our engineers argument, that
these will be expensive and pointless, because only the ip from the
providers radius would be granted, and that dos- and spoofing protection
on the firewalls is enough, and that an additional radiusproxy will not
prohibit unauthorized use of the connection. I am also not so sure if it
is a good thing to administrate both rights in one directory eg.


I prefer to keep internal and external authentication realms different, so 
that compromise of the credentials is limited in scope (your ISP will be 
able to sniff the CHAP authentication.)  If you're using one-time tokens, 
that's not a big deal, if you've got administrative users coming in with 
passwords, then it may be.  I'd vote for seperate authentication servers in 
the DMZ with just the ISP's servers able to access them, but it probably 
requires an additional set of credentials for users (I'm not sure that's 
bad, lots of people tend to disagree.)

Given the price of PCs, cost shouldn't be much of an issue.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assesment, TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

By Date By Thread

Current thread:

Radius access from provider to internal MS ISA Server Christoph Steigmeier (Jul 04)
- Re: Radius access from provider to internal MS ISA Server Paul Robertson (Jul 04)
  - RE: Radius access from provider to internal MS ISA Server Ben Nagy (Jul 05)
    - RE: Radius access from provider to internal MS ISA Server Paul Robertson (Jul 05)
    - Re: Radius access from provider to internal MS ISA Server Kyle R. Hofmann (Jul 05)
    - Re: Radius access from provider to internal MS ISA Server Paul Robertson (Jul 05)
    - RE: Radius access from provider to internal MS ISA Server Ben Nagy (Jul 07)