On Wed, 1 Sep 1999 09:19:52 -0400, "Curt Hefflin" <[EMAIL PROTECTED]> said:

Curt> We have a pretty good firewall protecting our network from the
Curt> Internet. However, we have well over 200 users with dial-up
Curt> access via an Ascend box with RADIUS authentication. What are
Curt> some of the risks of having this type of access into our network
Curt> and can these things be cracked?

If someone can find out or guess your phone number, then daemon
dialers can guess passwords and user names. This could be aided if
outsiders can learn about your usernames (e.g. through your web pages,
directories, or other public info). And most users choose poor
passwords so password cracking programs won't have to be too
sophisticated. 

At one site I worked on we separated the dial-in gear from the internet
and internal LAN so we could apply distinct rulesets and minimize
attacks on the RADIUS servers, or from the dial-in to the inside.

        Internet
            |           |- Dial-in NASes
        Firewall -------+ 
            |           |- RADIUS servers
        PrivateNet

We then realized our greatest vulnerability was weak passwords and
users sharing their passwords with friends, family, etc. So we got
SecurID tokens and integrated that into RADIUS.

I'd do the hardware token thing again but I'd look around at competing
token products; their docs and support suck, and I gather they require
tons of ports open if you want to leverage their ACE server (say) from
inside the firewall.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
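The password-guessing risk described in the reply above (a caller who finds the modem pool's number and works through usernames and passwords) shows up in the RADIUS server's authentication log long before it succeeds. The following is an added example, not code from the original post or from any RADIUS product: it parses a constructed, simplified log format (timestamp, Access-Accept/Access-Reject, username, calling station, NAS) and flags two patterns a defender would want to see, a run of rejects for one account followed by an accept, and one calling number collecting rejects across many different usernames. The log lines, field names and thresholds are all assumptions made for the example.

```python
"""Spot password guessing against a dial-in RADIUS service from auth logs.

Added example; the log format and sample lines below are constructed for
illustration and are not the output of any particular RADIUS server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of RADIUS authentication events (one per line):
#   <ISO timestamp> <Access-Accept|Access-Reject> user=<name>
#   calling=<caller ID / calling station> nas=<NAS address>
SAMPLE_LOG = """\
1999-09-01T09:00:01 Access-Reject user=jsmith calling=5551234567 nas=10.0.1.5
1999-09-01T09:00:09 Access-Reject user=jsmith calling=5551234567 nas=10.0.1.5
1999-09-01T09:00:17 Access-Reject user=jsmith calling=5551234567 nas=10.0.1.5
1999-09-01T09:00:25 Access-Reject user=jsmith calling=5551234567 nas=10.0.1.5
1999-09-01T09:00:33 Access-Accept user=jsmith calling=5551234567 nas=10.0.1.5
1999-09-01T09:01:00 Access-Reject user=admin calling=5559876543 nas=10.0.1.5
1999-09-01T09:01:05 Access-Reject user=root calling=5559876543 nas=10.0.1.5
1999-09-01T09:01:10 Access-Reject user=guest calling=5559876543 nas=10.0.1.5
1999-09-01T09:01:15 Access-Reject user=test calling=5559876543 nas=10.0.1.5
1999-09-01T09:01:20 Access-Reject user=mjones calling=5559876543 nas=10.0.1.5
1999-09-01T09:30:00 Access-Reject user=mjones calling=5551112222 nas=10.0.1.6
1999-09-01T09:31:00 Access-Accept user=mjones calling=5551112222 nas=10.0.1.6
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>Access-(?:Accept|Reject)) "
    r"user=(?P<user>\S+) calling=(?P<calling>\S+) nas=(?P<nas>\S+)$"
)


def parse_log(text):
    """Parse the constructed log format into a time-ordered list of events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or unrecognised lines
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "ok": m.group("result") == "Access-Accept",
            "user": m.group("user"),
            "calling": m.group("calling"),
            "nas": m.group("nas"),
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_guessing(events, window=timedelta(minutes=10),
                  max_rejects=3, max_users=4):
    """Return alerts as (kind, subject, count) tuples.

    Thresholds are assumptions for the example; tune them to your user base.
    """
    alerts = []

    # Pattern 1: for one account, a run of rejects inside the window that
    # ends in an accept. A fumbling user produces one or two rejects; a
    # guesser who eventually lands on a weak password produces many.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        recent_rejects = []
        for e in evs:
            # drop rejects that have aged out of the window
            recent_rejects = [r for r in recent_rejects
                              if e["ts"] - r["ts"] <= window]
            if not e["ok"]:
                recent_rejects.append(e)
            elif len(recent_rejects) >= max_rejects:
                alerts.append(("guess-then-success", user, len(recent_rejects)))
                recent_rejects = []

    # Pattern 2: one calling number collecting rejects for many distinct
    # usernames inside the window, i.e. someone trying a list of names
    # harvested from public sources rather than a single forgotten password.
    rejects_by_caller = defaultdict(list)
    for e in events:
        if not e["ok"]:
            rejects_by_caller[e["calling"]].append(e)
    for caller, evs in rejects_by_caller.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:]
                     if x["ts"] - start["ts"] <= window}
            if len(users) >= max_users:
                alerts.append(("username-spray", caller, len(users)))
                break  # one alert per calling number is enough

    return alerts


if __name__ == "__main__":
    for alert in find_guessing(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, this reports the `jsmith` account accepted after four rejects and the calling number `5559876543` rejected for five different usernames, while `mjones`'s single reject half an hour later is treated as an ordinary typo. The calling-station field is what makes the second pattern possible at all, so if the NAS can pass caller ID into RADIUS it is worth making sure it is logged; without it, the same logic can be keyed on the NAS port instead, with less precision.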
