Firewall Wizards mailing list archives
Re: Placement of Strong Authentication Servers
From: Adam Shostack <adam () homeport org>
Date: Tue, 2 Feb 1999 10:00:06 -0500
On Mon, Feb 01, 1999 at 05:12:31PM -0700, Matt McClung, CCSA/CCSE wrote:
| I haven't seen a discussion of your Strong Authentication Server on this
| list yet. I am looking at installing a new Auth Server to provide strong
| user authentication. My question is just where do you put it?

Who is going to use it?

| My thought is to have a separate network off the firewall for the server
| itself and nothing else. The management could be from the internal network
| and controlled by your FW policy and user authentication.

That's way too close to a single point of failure for many situations. If the server is going to be used only for FW traversal, you may be ok.

| I don't think that you would want that information traversing your internal
| network so that's why I would suggest the above configuration.

If your strong auth server is at all decent, it should be using strong authentication and crypto so that the information can safely traverse any network. Note that both auth servers I've looked at (ACE/Server and FWTK1 with the unsupported crypto patch) failed this test.

| This works great if you are only doing Internet/Extranet type
| authentication, but what do you do when you need to provide the same
| services for an inside service?

In that case, I'd put it close to the highest traffic/highest importance servers based on cost of downtime to reduce the failure points between the systems. Use packet filtering on the box and nearby routers to protect it from attack.

Adam

--
"It is seldom that liberty of any kind is lost all at once." -Hume
Current thread:
- Placement of Strong Authentication Servers Matt McClung, CCSA/CCSE (Feb 01)
- Re: Placement of Strong Authentication Servers Adam Shostack (Feb 02)
- Re: Placement of Strong Authentication Servers Paul D. Robertson (Feb 02)
- Re: Placement of Strong Authentication Servers Riccardo Fontana (Feb 04)