Dicussion on where RADIUS server should be

All network diagrams I've seen so far indicates that a RADIUS server
(Windows IAS, ACS, or whatever) should be placed in the 'internal' network
and establish communications with DC's there. Then if an external user
attempts to connect via VPN (DMZ), then I would allow only the ports
necessary from the VPN concentrator to the RADIUS server and
pre-authenticate users at that point.

I have a security guy fellow here that tells me that the RADIUS server
should be placed in the "DMZ" instead. Does this make sense at all ?

Phillip
Thu Jun 16 12:07:45 CDT 2005

I would say it goes on the Internal side. But it may make a difference if
you are talking about a MS Based RADIUS Server or one from a third party.
Also, as with most things,...there is probably more than one way to do it.
You would have to analyse the pros and cons of each method and decide which
is more appropriate in a particular given situation.

Just beware of the excessive "paranoia" of some people,...they can lead you
down a long winding complex path "in the name of security" that does nothing
more than make things so overly complex that you can not manage the
system,...or worse yet, don't understand the system. This in itself can
cause you to make mistakes which create even more new "risks" besides the
ones your were trying to avoid in the first place. Stay within your
"means", stay within what you can understand and manage dependably.


--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Marlon" <marlon-nospam@hotmail.com> wrote in message
news:OFTiwOpcFHA.2212@TK2MSFTNGP14.phx.gbl...
> All network diagrams I've seen so far indicates that a RADIUS server
> (Windows IAS, ACS, or whatever) should be placed in the 'internal' network
> and establish communications with DC's there. Then if an external user
> attempts to connect via VPN (DMZ), then I would allow only the ports
> necessary from the VPN concentrator to the RADIUS server and
> pre-authenticate users at that point.
>
> I have a security guy fellow here that tells me that the RADIUS server
> should be placed in the "DMZ" instead. Does this make sense at all ?
>
>

Imhotep
Thu Jun 16 13:06:24 CDT 2005

Marlon wrote:

> All network diagrams I've seen so far indicates that a RADIUS server
> (Windows IAS, ACS, or whatever) should be placed in the 'internal' network
> and establish communications with DC's there. Then if an external user
> attempts to connect via VPN (DMZ), then I would allow only the ports
> necessary from the VPN concentrator to the RADIUS server and
> pre-authenticate users at that point.
>
> I have a security guy fellow here that tells me that the RADIUS server
> should be placed in the "DMZ" instead. Does this make sense at all ?

As a general rule your authentication server (Radius, Tacacs, etc) SHOULD be
internal. Why? Because you really want to protect (and tightly restrict
control) this server from being hacked....Losing your Radius server would
be a disaster!

Now if your security guy is saying something like "we will put the Radius
server in it's own DMZ (ie by itself) and strictly control access to it,
this is not a bad idea.

Remember a couple of things about Radius, communications (sessions) are NOT
encrypted (ie can be sniffed). I would highly recommend using TACACS++
instead of Radius...I would also suggest not using the domain passwords for
your external (VPN) access. I would suggest using keyfobs instead. Why?
Because this would give multiple layers of security and force a
hacker/cracker to crack two accounts per person before getting full access.
This also allows you to protect your self from weak user passwords, etc,
etc....


-Imhotep

Marlon
Thu Jun 16 13:38:02 CDT 2005

Thanks. In this case, the device that will pre-authenticate is ISA and that
does not support RADIUS. I am using TACACS+ for the VPN concentrator though,
since that is a Cisco box.


"Imhotep" <NoSpam@NoThanks.com> wrote in message
news:xcjse.147$Lr4.42@fed1read03...
> Marlon wrote:
>
> > All network diagrams I've seen so far indicates that a RADIUS server
> > (Windows IAS, ACS, or whatever) should be placed in the 'internal'
network
> > and establish communications with DC's there. Then if an external user
> > attempts to connect via VPN (DMZ), then I would allow only the ports
> > necessary from the VPN concentrator to the RADIUS server and
> > pre-authenticate users at that point.
> >
> > I have a security guy fellow here that tells me that the RADIUS server
> > should be placed in the "DMZ" instead. Does this make sense at all ?
>
> As a general rule your authentication server (Radius, Tacacs, etc) SHOULD
be
> internal. Why? Because you really want to protect (and tightly restrict
> control) this server from being hacked....Losing your Radius server would
> be a disaster!
>
> Now if your security guy is saying something like "we will put the Radius
> server in it's own DMZ (ie by itself) and strictly control access to it,
> this is not a bad idea.
>
> Remember a couple of things about Radius, communications (sessions) are
NOT
> encrypted (ie can be sniffed). I would highly recommend using TACACS++
> instead of Radius...I would also suggest not using the domain passwords
for
> your external (VPN) access. I would suggest using keyfobs instead. Why?
> Because this would give multiple layers of security and force a
> hacker/cracker to crack two accounts per person before getting full
access.
> This also allows you to protect your self from weak user passwords, etc,
> etc....
>
>
> -Imhotep

Imhotep
Thu Jun 16 14:17:27 CDT 2005

Marlon wrote:

> Thanks. In this case, the device that will pre-authenticate is ISA and
> that does not support RADIUS. I am using TACACS+ for the VPN concentrator
> though, since that is a Cisco box.
>
>
> "Imhotep" <NoSpam@NoThanks.com> wrote in message
> news:xcjse.147$Lr4.42@fed1read03...
>> Marlon wrote:
>>
>> > All network diagrams I've seen so far indicates that a RADIUS server
>> > (Windows IAS, ACS, or whatever) should be placed in the 'internal'
> network
>> > and establish communications with DC's there. Then if an external user
>> > attempts to connect via VPN (DMZ), then I would allow only the ports
>> > necessary from the VPN concentrator to the RADIUS server and
>> > pre-authenticate users at that point.
>> >
>> > I have a security guy fellow here that tells me that the RADIUS server
>> > should be placed in the "DMZ" instead. Does this make sense at all ?
>>
>> As a general rule your authentication server (Radius, Tacacs, etc) SHOULD
> be
>> internal. Why? Because you really want to protect (and tightly restrict
>> control) this server from being hacked....Losing your Radius server would
>> be a disaster!
>>
>> Now if your security guy is saying something like "we will put the Radius
>> server in it's own DMZ (ie by itself) and strictly control access to it,
>> this is not a bad idea.
>>
>> Remember a couple of things about Radius, communications (sessions) are
> NOT
>> encrypted (ie can be sniffed). I would highly recommend using TACACS++
>> instead of Radius...I would also suggest not using the domain passwords
> for
>> your external (VPN) access. I would suggest using keyfobs instead. Why?
>> Because this would give multiple layers of security and force a
>> hacker/cracker to crack two accounts per person before getting full
> access.
>> This also allows you to protect your self from weak user passwords, etc,
>> etc....
>>
>>
>> -Imhotep

Cool. I am glad you are not using Radius. Cisco makes a damn good VPN
concentrator. Personally I stay away for ISA because it has had a serious
"checked" past...and I do not hold it in high regards...

-Im

Phillip
Thu Jun 16 14:38:15 CDT 2005

I have full confidence in both Cisco's Device and ISA. I do not believe ISA
has a "past",... unless you consider that fact that there has never been a
properly configured, properly administered ISA Server ever get "hacked",...
to be a "past".

--

Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com


"Marlon" <marlon-nospam@hotmail.com> wrote in message
news:OS59jKqcFHA.4040@TK2MSFTNGP10.phx.gbl...
> Thanks. In this case, the device that will pre-authenticate is ISA and
that
> does not support RADIUS. I am using TACACS+ for the VPN concentrator
though,
> since that is a Cisco box.

Marlon
Thu Jun 16 14:59:53 CDT 2005

Interesting. It is time to consider a new concentrator and I thought about
using ISA instead and phasing out the Cisco one. Let me know whehter the VPN
feature in ISA 2004 EE is not working alright for whatever reason.


"Imhotep" <NoSpam@NoThanks.com> wrote in message
news:8fkse.153$Lr4.19@fed1read03...
> Marlon wrote:
>
> > Thanks. In this case, the device that will pre-authenticate is ISA and
> > that does not support RADIUS. I am using TACACS+ for the VPN
concentrator
> > though, since that is a Cisco box.
> >
> >
> > "Imhotep" <NoSpam@NoThanks.com> wrote in message
> > news:xcjse.147$Lr4.42@fed1read03...
> >> Marlon wrote:
> >>
> >> > All network diagrams I've seen so far indicates that a RADIUS server
> >> > (Windows IAS, ACS, or whatever) should be placed in the 'internal'
> > network
> >> > and establish communications with DC's there. Then if an external
user
> >> > attempts to connect via VPN (DMZ), then I would allow only the ports
> >> > necessary from the VPN concentrator to the RADIUS server and
> >> > pre-authenticate users at that point.
> >> >
> >> > I have a security guy fellow here that tells me that the RADIUS
server
> >> > should be placed in the "DMZ" instead. Does this make sense at all ?
> >>
> >> As a general rule your authentication server (Radius, Tacacs, etc)
SHOULD
> > be
> >> internal. Why? Because you really want to protect (and tightly restrict
> >> control) this server from being hacked....Losing your Radius server
would
> >> be a disaster!
> >>
> >> Now if your security guy is saying something like "we will put the
Radius
> >> server in it's own DMZ (ie by itself) and strictly control access to
it,
> >> this is not a bad idea.
> >>
> >> Remember a couple of things about Radius, communications (sessions) are
> > NOT
> >> encrypted (ie can be sniffed). I would highly recommend using TACACS++
> >> instead of Radius...I would also suggest not using the domain passwords
> > for
> >> your external (VPN) access. I would suggest using keyfobs instead. Why?
> >> Because this would give multiple layers of security and force a
> >> hacker/cracker to crack two accounts per person before getting full
> > access.
> >> This also allows you to protect your self from weak user passwords,
etc,
> >> etc....
> >>
> >>
> >> -Imhotep
>
> Cool. I am glad you are not using Radius. Cisco makes a damn good VPN
> concentrator. Personally I stay away for ISA because it has had a serious
> "checked" past...and I do not hold it in high regards...
>
> -Im

Imhotep
Thu Jun 16 16:49:23 CDT 2005

Phillip Windell wrote:

> I have full confidence in both Cisco's Device and ISA. I do not believe
> ISA
> has a "past",... unless you consider that fact that there has never been
> a properly configured, properly administered ISA Server ever get
> "hacked",... to be a "past".
>

Sorry but as a security professional I would never use it....never...

-Im

Imhotep
Thu Jun 16 16:50:44 CDT 2005

Marlon wrote:

> Interesting. It is time to consider a new concentrator and I thought about
> using ISA instead and phasing out the Cisco one. Let me know whehter the
> VPN feature in ISA 2004 EE is not working alright for whatever reason.
>
>
> "Imhotep" <NoSpam@NoThanks.com> wrote in message
> news:8fkse.153$Lr4.19@fed1read03...
>> Marlon wrote:
>>
>> > Thanks. In this case, the device that will pre-authenticate is ISA and
>> > that does not support RADIUS. I am using TACACS+ for the VPN
> concentrator
>> > though, since that is a Cisco box.
>> >
>> >
>> > "Imhotep" <NoSpam@NoThanks.com> wrote in message
>> > news:xcjse.147$Lr4.42@fed1read03...
>> >> Marlon wrote:
>> >>
>> >> > All network diagrams I've seen so far indicates that a RADIUS server
>> >> > (Windows IAS, ACS, or whatever) should be placed in the 'internal'
>> > network
>> >> > and establish communications with DC's there. Then if an external
> user
>> >> > attempts to connect via VPN (DMZ), then I would allow only the ports
>> >> > necessary from the VPN concentrator to the RADIUS server and
>> >> > pre-authenticate users at that point.
>> >> >
>> >> > I have a security guy fellow here that tells me that the RADIUS
> server
>> >> > should be placed in the "DMZ" instead. Does this make sense at all ?
>> >>
>> >> As a general rule your authentication server (Radius, Tacacs, etc)
> SHOULD
>> > be
>> >> internal. Why? Because you really want to protect (and tightly
>> >> restrict control) this server from being hacked....Losing your Radius
>> >> server
> would
>> >> be a disaster!
>> >>
>> >> Now if your security guy is saying something like "we will put the
> Radius
>> >> server in it's own DMZ (ie by itself) and strictly control access to
> it,
>> >> this is not a bad idea.
>> >>
>> >> Remember a couple of things about Radius, communications (sessions)
>> >> are
>> > NOT
>> >> encrypted (ie can be sniffed). I would highly recommend using TACACS++
>> >> instead of Radius...I would also suggest not using the domain
>> >> passwords
>> > for
>> >> your external (VPN) access. I would suggest using keyfobs instead.
>> >> Why? Because this would give multiple layers of security and force a
>> >> hacker/cracker to crack two accounts per person before getting full
>> > access.
>> >> This also allows you to protect your self from weak user passwords,
> etc,
>> >> etc....
>> >>
>> >>
>> >> -Imhotep
>>
>> Cool. I am glad you are not using Radius. Cisco makes a damn good VPN
>> concentrator. Personally I stay away for ISA because it has had a serious
>> "checked" past...and I do not hold it in high regards...
>>
>> -Im

Personally I would keep the Cisco VPN concentrator. I would not replace it.
What model are you using? 3000 Series?

-Im

Marlon
Thu Jun 16 17:03:23 CDT 2005

Cisco VPN 3000



"Imhotep" <NoSpam@NoThanks.com> wrote in message
news:Rumse.168$Lr4.96@fed1read03...
> Marlon wrote:
>
> > Interesting. It is time to consider a new concentrator and I thought
about
> > using ISA instead and phasing out the Cisco one. Let me know whehter the
> > VPN feature in ISA 2004 EE is not working alright for whatever reason.
> >
> >
> > "Imhotep" <NoSpam@NoThanks.com> wrote in message
> > news:8fkse.153$Lr4.19@fed1read03...
> >> Marlon wrote:
> >>
> >> > Thanks. In this case, the device that will pre-authenticate is ISA
and
> >> > that does not support RADIUS. I am using TACACS+ for the VPN
> > concentrator
> >> > though, since that is a Cisco box.
> >> >
> >> >
> >> > "Imhotep" <NoSpam@NoThanks.com> wrote in message
> >> > news:xcjse.147$Lr4.42@fed1read03...
> >> >> Marlon wrote:
> >> >>
> >> >> > All network diagrams I've seen so far indicates that a RADIUS
server
> >> >> > (Windows IAS, ACS, or whatever) should be placed in the 'internal'
> >> > network
> >> >> > and establish communications with DC's there. Then if an external
> > user
> >> >> > attempts to connect via VPN (DMZ), then I would allow only the
ports
> >> >> > necessary from the VPN concentrator to the RADIUS server and
> >> >> > pre-authenticate users at that point.
> >> >> >
> >> >> > I have a security guy fellow here that tells me that the RADIUS
> > server
> >> >> > should be placed in the "DMZ" instead. Does this make sense at all
?
> >> >>
> >> >> As a general rule your authentication server (Radius, Tacacs, etc)
> > SHOULD
> >> > be
> >> >> internal. Why? Because you really want to protect (and tightly
> >> >> restrict control) this server from being hacked....Losing your
Radius
> >> >> server
> > would
> >> >> be a disaster!
> >> >>
> >> >> Now if your security guy is saying something like "we will put the
> > Radius
> >> >> server in it's own DMZ (ie by itself) and strictly control access to
> > it,
> >> >> this is not a bad idea.
> >> >>
> >> >> Remember a couple of things about Radius, communications (sessions)
> >> >> are
> >> > NOT
> >> >> encrypted (ie can be sniffed). I would highly recommend using
TACACS++
> >> >> instead of Radius...I would also suggest not using the domain
> >> >> passwords
> >> > for
> >> >> your external (VPN) access. I would suggest using keyfobs instead.
> >> >> Why? Because this would give multiple layers of security and force a
> >> >> hacker/cracker to crack two accounts per person before getting full
> >> > access.
> >> >> This also allows you to protect your self from weak user passwords,
> > etc,
> >> >> etc....
> >> >>
> >> >>
> >> >> -Imhotep
> >>
> >> Cool. I am glad you are not using Radius. Cisco makes a damn good VPN
> >> concentrator. Personally I stay away for ISA because it has had a
serious
> >> "checked" past...and I do not hold it in high regards...
> >>
> >> -Im
>
> Personally I would keep the Cisco VPN concentrator. I would not replace
it.
> What model are you using? 3000 Series?
>
> -Im

Imhotep
Thu Jun 16 18:01:10 CDT 2005

Marlon wrote:

> Cisco VPN 3000
>
>
>
> "Imhotep" <NoSpam@NoThanks.com> wrote in message
> news:Rumse.168$Lr4.96@fed1read03...
>> Marlon wrote:
>>
>> > Interesting. It is time to consider a new concentrator and I thought
> about
>> > using ISA instead and phasing out the Cisco one. Let me know whehter
>> > the VPN feature in ISA 2004 EE is not working alright for whatever
>> > reason.
>> >
>> >
>> > "Imhotep" <NoSpam@NoThanks.com> wrote in message
>> > news:8fkse.153$Lr4.19@fed1read03...
>> >> Marlon wrote:
>> >>
>> >> > Thanks. In this case, the device that will pre-authenticate is ISA
> and
>> >> > that does not support RADIUS. I am using TACACS+ for the VPN
>> > concentrator
>> >> > though, since that is a Cisco box.
>> >> >
>> >> >
>> >> > "Imhotep" <NoSpam@NoThanks.com> wrote in message
>> >> > news:xcjse.147$Lr4.42@fed1read03...
>> >> >> Marlon wrote:
>> >> >>
>> >> >> > All network diagrams I've seen so far indicates that a RADIUS
> server
>> >> >> > (Windows IAS, ACS, or whatever) should be placed in the
>> >> >> > 'internal'
>> >> > network
>> >> >> > and establish communications with DC's there. Then if an external
>> > user
>> >> >> > attempts to connect via VPN (DMZ), then I would allow only the
> ports
>> >> >> > necessary from the VPN concentrator to the RADIUS server and
>> >> >> > pre-authenticate users at that point.
>> >> >> >
>> >> >> > I have a security guy fellow here that tells me that the RADIUS
>> > server
>> >> >> > should be placed in the "DMZ" instead. Does this make sense at
>> >> >> > all
> ?
>> >> >>
>> >> >> As a general rule your authentication server (Radius, Tacacs, etc)
>> > SHOULD
>> >> > be
>> >> >> internal. Why? Because you really want to protect (and tightly
>> >> >> restrict control) this server from being hacked....Losing your
> Radius
>> >> >> server
>> > would
>> >> >> be a disaster!
>> >> >>
>> >> >> Now if your security guy is saying something like "we will put the
>> > Radius
>> >> >> server in it's own DMZ (ie by itself) and strictly control access
>> >> >> to
>> > it,
>> >> >> this is not a bad idea.
>> >> >>
>> >> >> Remember a couple of things about Radius, communications (sessions)
>> >> >> are
>> >> > NOT
>> >> >> encrypted (ie can be sniffed). I would highly recommend using
> TACACS++
>> >> >> instead of Radius...I would also suggest not using the domain
>> >> >> passwords
>> >> > for
>> >> >> your external (VPN) access. I would suggest using keyfobs instead.
>> >> >> Why? Because this would give multiple layers of security and force
>> >> >> a hacker/cracker to crack two accounts per person before getting
>> >> >> full
>> >> > access.
>> >> >> This also allows you to protect your self from weak user passwords,
>> > etc,
>> >> >> etc....
>> >> >>
>> >> >>
>> >> >> -Imhotep
>> >>
>> >> Cool. I am glad you are not using Radius. Cisco makes a damn good VPN
>> >> concentrator. Personally I stay away for ISA because it has had a
> serious
>> >> "checked" past...and I do not hold it in high regards...
>> >>
>> >> -Im
>>
>> Personally I would keep the Cisco VPN concentrator. I would not replace
> it.
>> What model are you using? 3000 Series?
>>
>> -Im

Keep it. That is one of the best VPN concentrators you can get!

-Imhotep