Chris,
I mostly agree with you: dial-in access is roughly the same as
Internet access (the dial-in phone number can be found by war dialer
tools).
All accesses from the outside of your organization should be
controlled:
- providing user authentication (same strength for Internet and
dial-in) using tokens and a Radius/Tacacs+ server is a good idea
- providing user authorization (i.e. Joe may do that while Jane
may not do that) using a Radius/Tacacs+ server is also a good idea
- confidentiality, neither Internet nor dial-in provide it
==> use IPSec or SSL or SSH or ...
Dial-in is SLIGHTLY more secure in the following aspect:
- confidentiality attacks mostly need access to the physical wire
(cannot be done from the other side of the Earth)
- authentication when using ISDN, where the calling phone number (CLID)
can be provided by the Telco operator
I also agree with your design except that I would place the Radius/Tacacs+
server on the internal network: ease of management, additional protection,
can be easily shared by firewall and dial-in access
Just my 0.01 EUR
-eric
At 10:46 01/09/1999 -0400, Chris Shenton wrote:
>On Wed, 1 Sep 1999 09:19:52 -0400, "Curt Hefflin" <[EMAIL PROTECTED]> said:
>
>Curt> We have a pretty good firewall protecting our network from the
>Curt> Internet. However, we have well over 200 users with dial-up
>Curt> access via an Ascend box with RADIUS authentication. What are
>Curt> some of the risks of having this type of access into our network
>Curt> and can these things be cracked?
>
>If someone can find out or guess your phone number, then daemon
>dialers can guess passwords and user names. This could be aided if
>outsiders can learn about your usernames (e.g. through your web pages,
>directories, or other public info). And most users choose poor
>passwords so password cracking programs won't have to be too
>sophisticated.
>
>At one site I worked on we separated the dialin gear from the internet
>and internal LAN so we could apply distinct rulesets and minimize
>attacks on the RADIUS servers, or from the dialin to the inside.
>
>              Internet
>                 |          |- Dial-in NASes
>             Firewall ------+
>                 |          |- RADIUS servers
>             PrivateNet
>
>We then realized our greatest vulnerability was weak passwords and
>users sharing their passwords with friends, family, etc. So we got
>SecurID tokens and integrated that into RADIUS.
>
>I'd do the hardware token thing again but I'd look around at competing
>token products; their docs and support suck, and I gather they require
>tons of ports open if you want to leverage their ACE server (say) from
>inside the firewall.
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: [EMAIL PROTECTED] Mobile: +32-75-312.458
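Eric's checklist separates user authentication from user authorization and puts both on a RADIUS server that the dial-in NAS talks to. As an added example that is not part of the original thread, the following Python shows the two halves of that exchange as a RADIUS server sees them: the RFC 2865 User-Password hiding a NAS applies before the password crosses the wire (which is why the shared secret, and the server holding it, deserve the "additional protection" Eric mentions), and a per-user authorization table in the "Joe may, Jane may not" spirit. The users, shared secret and service names are constructed for illustration.

```python
import hashlib
import os

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Mask a PAP password as the NAS does (RFC 2865 section 5.2)."""
    padded = password + b"\x00" * (-len(password) % 16)   # pad to a 16-byte multiple
    out, prev = b"", authenticator                        # first mask uses the Request Authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk                  # each later mask chains on the previous hidden block
    return out

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the password server-side; the padding NULs are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

# Constructed tables. A token deployment like the SecurID one in the thread
# would replace the static passwords with a one-time-code check here; the
# authorization table stays the same because it answers a different question.
USERS = {b"joe": b"joe-static-pw", b"jane": b"jane-static-pw"}
ALLOWED_SERVICE_TYPES = {b"joe": {"Framed-User", "Login-User"},   # Joe: PPP and telnet
                         b"jane": {"Framed-User"}}                # Jane: PPP only

def radius_decision(user: bytes, hidden: bytes, secret: bytes,
                    authenticator: bytes, service_type: str):
    """Decide an Access-Request: (reply code, reply attributes)."""
    if user not in USERS or reveal_password(hidden, secret, authenticator) != USERS[user]:
        return "Access-Reject", {}                           # authentication failed
    if service_type not in ALLOWED_SERVICE_TYPES[user]:
        return "Access-Reject", {"Reply-Message": "service not authorized"}
    return "Access-Accept", {"Service-Type": service_type}   # authenticated and authorized

if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    authenticator = os.urandom(16)          # the NAS picks a fresh Request Authenticator per request
    wire = hide_password(b"jane-static-pw", secret, authenticator)
    print(radius_decision(b"jane", wire, secret, authenticator, "Framed-User"))
    print(radius_decision(b"jane", wire, secret, authenticator, "Login-User"))
```

The hiding is only an XOR against an MD5 keystream derived from the shared secret, so anyone who can read the NAS-to-server path and knows or guesses the secret recovers every password; that is the argument for keeping the RADIUS server off any segment outsiders can reach.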