Firewall Wizards mailing list archives

Re: Placement of Strong Authentication Servers


From: Adam Shostack <adam () homeport org>
Date: Tue, 2 Feb 1999 10:00:06 -0500

On Mon, Feb 01, 1999 at 05:12:31PM -0700, Matt McClung, CCSA/CCSE wrote:
| I haven't seen a discussion of your Strong Authentication Server on this
| list yet.  I am looking at installing a new Auth Server to provide strong
| user authentication.  My question is just where do you put it?

Who is going to use it?

| My thought is to have a separate network off the firewall for the server
| itself and nothing else.  The management could be from the internal network
| and controlled by your FW policy and user authentication.

        That's way too close to a single point of failure for many
situations.  If the server is going to be used only for FW traversal,
you may be ok.

| I don't think that you would want that information traversing your internal
| network so that's why I would suggest the above configuration.

        If your strong auth server is at all decent, it should be
using strong authentication and crypto so that the information can
safely traverse any network.

        Note that both auth servers I've looked at (ACE/Server and
FWTK1 with the unsupported crypto patch) failed this test.

| This works great if you are only doing Internet/Extranet type
| authentication, but what do you do when you need to provide the same
| services for an inside service?

        In that case, I'd put it close to the highest traffic/highest
importance servers based on cost of downtime to reduce the failure
points between the systems.  Use packet filtering on the box and
nearby routers to protect it from attack.

Adam


-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
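Added example (not part of the original thread, and not the code of ACE/Server, FWTK or any other product named above): a Python sketch of the property the reply asks for, that the exchange between the firewall and the auth server is itself strongly authenticated, so the verdict can cross any network. Both sides' messages are shown. The wire format (JSON body followed by an HMAC-SHA256 tag), the client name fw-dmz, the user matt, the code 493021 and the 30-second replay window are all constructed for the example; a real server would validate a token code rather than look one up in a dict.

```python
"""Added example: mutually authenticated request/reply between a
firewall and a strong-auth server.  Everything here is constructed
for illustration; it is not any product's protocol."""
import hashlib
import hmac
import json
import secrets
import time

MAC_LEN = 32          # HMAC-SHA256 tag length in bytes
REPLAY_WINDOW = 30    # seconds a request timestamp may drift (assumed)


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()


def _open(key, wire: bytes):
    """Split wire into body+tag and verify the tag; None if anything fails."""
    if key is None or len(wire) <= MAC_LEN:
        return None
    body, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
    if not hmac.compare_digest(_tag(key, body), tag):
        return None
    try:
        return json.loads(body)
    except ValueError:
        return None


class AuthServer:
    """Stand-in for the auth server.  Verdicts are toy dict lookups;
    a real server would validate a token code here."""

    def __init__(self, client_keys: dict, users: dict):
        self.client_keys = client_keys   # client id -> pre-shared key (provisioned out of band)
        self.users = users               # user -> currently valid code (constructed)
        self.seen = set()                # (client, nonce) replay cache

    def handle(self, wire: bytes):
        # Peek at the (unverified) client id only to pick the key to verify with.
        try:
            client = json.loads(wire[:-MAC_LEN]).get("client")
        except (ValueError, AttributeError):
            return None
        key = self.client_keys.get(client)
        req = _open(key, wire)
        if req is None:
            return None                  # forged or corrupted request: drop silently
        if abs(time.time() - req.get("ts", 0)) > REPLAY_WINDOW:
            return None
        if (client, req.get("nonce")) in self.seen:
            return None                  # redelivered request: drop
        self.seen.add((client, req.get("nonce")))
        ok = hmac.compare_digest(self.users.get(req.get("user"), ""), str(req.get("code")))
        body = json.dumps({"nonce": req["nonce"], "user": req["user"], "ok": ok}).encode()
        return body + _tag(key, body)    # reply bound to the request nonce and the client key


class FirewallClient:
    """The firewall asking whether a user may traverse."""

    def __init__(self, client_id: str, key: bytes):
        self.client_id = client_id
        self.key = key

    def request(self, user: str, code: str):
        nonce = secrets.token_hex(16)
        body = json.dumps({"client": self.client_id, "user": user, "code": code,
                           "nonce": nonce, "ts": time.time()}).encode()
        return nonce, body + _tag(self.key, body)

    def accept(self, nonce: str, wire) -> bool:
        if wire is None:
            return False                 # no valid answer: fail closed
        resp = _open(self.key, wire)
        # The nonce check ties the reply to this request, so an "ok" captured
        # from some other exchange cannot be played back here.
        return resp is not None and resp.get("nonce") == nonce and resp.get("ok") is True


def flip_verdict(wire: bytes) -> bytes:
    """An on-path attacker rewriting ok=false to ok=true but keeping the old tag."""
    body, tag = wire[:-MAC_LEN], wire[-MAC_LEN:]
    resp = json.loads(body)
    resp["ok"] = True
    return json.dumps(resp).encode() + tag


def run_exchange(server, client, user, code, attacker=None, replay=False) -> bool:
    nonce, req = client.request(user, code)
    reply = server.handle(req)
    if replay:
        reply = server.handle(req)       # same request delivered a second time
    if attacker is not None and reply is not None:
        reply = attacker(reply)
    return client.accept(nonce, reply)


def demo() -> dict:
    key = secrets.token_bytes(32)        # assumed provisioned out of band
    server = AuthServer({"fw-dmz": key}, {"matt": "493021"})   # constructed data
    client = FirewallClient("fw-dmz", key)
    return {
        "good code": run_exchange(server, client, "matt", "493021"),
        "wrong code": run_exchange(server, client, "matt", "000000"),
        "flipped verdict": run_exchange(server, client, "matt", "000000", attacker=flip_verdict),
        "replayed request": run_exchange(server, client, "matt", "493021", replay=True),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:17s} -> {'ACCEPT' if accepted else 'REJECT'}")
```

The four cases in demo() show a correct code accepted, a wrong code rejected, an on-path rewrite of the verdict rejected because the tag no longer matches, and a redelivered request rejected by the nonce cache. This protects the verdict in transit; it does nothing for the host itself, which is why the packet filtering recommended in the reply is still needed wherever the server ends up.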