If you're paranoid, disconnect the machines' (client/server) primary interfaces from the internet. (Can't hack something you can't get to!)
If you're really paranoid? Install second NIC in both the server and the client, run a crossover cable between the two, and use a private IP address space.
If that's not good enough, write scripts on both the server and the client that change the radius key once an hour and restart the freeradius daemon. (Suggestion would be something like a SecurID rotating key. Then again, there are other radius daemons that support Security Dynamics' products directly, so you might want to switch to one of them.)
If THAT'S not good enough, have only one user machine, one radius client machine, and one radius server and put them all in the same white room with no external links whatsoever. Basically, go Mission Impossible on them; have everyone who needs to get to the information strip searched on entry and exit. Use multiple biometrics and passphrase challenges on entry and exit. Armed guards at the door. You know, the whole nine yards.
So how paranoid ARE you, anyway? :)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Monday is the term used to signify the eighth day of my work week.
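The hourly secret-rotation script from the third step, written out as an added example that is not part of the original post. It assumes a FreeRADIUS-style clients.conf with `secret = ...` lines inside `client name { }` blocks and an init-script restart command (RESTART_CMD); both are assumptions, and getting the new secret onto the client (over the private crossover link from step two, for instance) is left to the reader.

```shell
#!/bin/sh
# Added example (not from the original post): rotate the RADIUS shared secret
# for one client in a FreeRADIUS-style clients.conf and restart the daemon.
# Run hourly from cron. Assumed config format:
#   client localhost {
#       secret = oldsecret
#   }

# Generate a 32-hex-character secret from the kernel RNG.
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the current secret for client $2 in file $1 (empty if not found).
get_secret() {
    awk -v name="$2" '
        $1 == "client" && $2 == name { inblock = 1 }
        inblock && $1 == "secret"    { print $3; exit }
        inblock && $1 == "}"         { inblock = 0 }
    ' "$1"
}

# Replace the secret for client $2 in file $1 with $3; other clients untouched.
rotate_secret() {
    conf=$1; name=$2; new=$3
    awk -v name="$name" -v new="$new" '
        $1 == "client" && $2 == name { inblock = 1 }
        inblock && $1 == "secret"    { sub(/=.*/, "= " new) }
        inblock && $1 == "}"         { inblock = 0 }
        { print }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# One rotation cycle: new secret, rewrite config, hand the secret to whatever
# ships it to the client, then restart the daemon. RESTART_CMD is an assumption.
rotate_once() {
    conf=${1:-/etc/raddb/clients.conf}
    name=${2:-localhost}
    out=${3:-/var/run/radius-secret.new}
    new=$(gen_secret)
    rotate_secret "$conf" "$name" "$new"
    umask 077
    printf '%s\n' "$new" > "$out"      # pick up on the client side, not via RADIUS
    ${RESTART_CMD:-/etc/init.d/radiusd restart}
}
```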
Gary Barnden [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
12/22/01 06:48 AM
Please respond to freeradius-users
To: [EMAIL PROTECTED]
cc:
Subject: Paranoid Configuration
Hello all,
If one was really paranoid, how would one secure the communication between
a radius client and a server?
Thanks in advance
Gary
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html