Firewall Wizards mailing list archives
Re: Placement of Strong Authentication Servers
From: Riccardo Fontana <rfontana () seclab com>
Date: Wed, 03 Feb 1999 18:35:37 +0100
What do you mean by Strong Authentication?

(IMHO) If you use an auth. server with either Tacacs+ or Radius in combination with some kind of hardware token (like Vasco, Secure-ID, CryptoCard, etc.), there is very little difference whether you put it on a service network or on the internal network.

Some problems can arise if the auth. server is not a strong machine (i.e. every user can log on from the network with any kind of rights); if so, it's a recommendable configuration to put that server on a service network with some restrictions in the policy to let only a few authenticated users gain access to it.

Bye

Matt McClung, CCSA/CCSE wrote:

> I haven't seen a discussion of your Strong Authentication Server on this list yet. I am looking at installing a new Auth Server to provide strong user authentication. My question is just where do you put it?
>
> My thought is to have a separate network off the firewall for the server itself and nothing else. The management could be from the internal network and controlled by your FW policy and user authentication. I don't think that you would want that information traversing your internal network, so that's why I would suggest the above configuration.
>
> This works great if you are only doing Internet/Extranet type authentication, but what do you do when you need to provide the same services for an inside service? Bandwidth, management and security measurements tell me the same configuration works well in most scenarios....
>
> Your comments are welcome...
>
> Matt
--
Riccardo Fontana
Intesis SECURITY LAB
Via Settembrini, 35
I-20124 Milano ITALY
Phone: +39-2-671563.1
Fax: +39-2-66981953
Email: rfontana () seclab com
Current thread:
- Placement of Strong Authentication Servers Matt McClung, CCSA/CCSE (Feb 01)
- Re: Placement of Strong Authentication Servers Adam Shostack (Feb 02)
- Re: Placement of Strong Authentication Servers Paul D. Robertson (Feb 02)
- Re: Placement of Strong Authentication Servers Riccardo Fontana (Feb 04)