Firewall Wizards mailing list archives

Re: Placement of Strong Authentication Servers


From: Riccardo Fontana <rfontana () seclab com>
Date: Wed, 03 Feb 1999 18:35:37 +0100

What do you mean by Strong Authentication?

(IMHO)
If you use an auth. server with either Tacacs+ or Radius in combination
with some kind of hardware token (like Vasco, Secure-ID, CryptoCard,
etc.), there is very little difference whether you put it on a service
network or on the internal network.

Some problems can arise if the auth. server is not a strong machine
(i.e. every user can log on from the network with any kind of rights);
if so, it's a recommended configuration to put that server on a service
network with some restrictions in the policy to let only a few
authenticated users gain access to it.


Bye

Matt McClung, CCSA/CCSE wrote:

I haven't seen a discussion of your Strong Authentication Server on this
list yet.  I am looking at installing a new Auth Server to provide strong
user authentication.  My question is just where do you put it?

My thought is to have a separate network off the firewall for the server
itself and nothing else.  The management could be from the internal network
and controlled by your FW policy and user authentication.

I don't think that you would want that information traversing your internal
network so that's why I would suggest the above configuration.

This works great if you are only doing Internet/Extranet type
authentication, but what do you do when you need to provide the same
services for an inside service?

Bandwidth, management and security measurements tell me the same
configuration works well in most scenarios....

Your comments are welcome...

Matt

-- 
Riccardo Fontana
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: rfontana () seclab com


