Phil Mayers wrote:
> I'm not entirely sure I buy that it ensures only the outer server is
> affected; once compromised, the outer server can be used to send
> arbitrary UDP packets to the inner server since the sockets are already
> open. But I guess the same could be said of any perimeter defenc
On 03/24/2012 10:26 PM, Brian Julin wrote:
Can you explain what threat model you think this addresses?
It limits the exposed fuzzable surface. Any vulnerabilities present or
introduced in the low level RADIUS packet processing compromise only the
external server. The packets that reach the
Phil Mayers [p.may...@imperial.ac.uk] wrote
> I'm curious about what you mean here. I don't see the difference between
> a single server performing attribute filter & auth, versus two separate
> processes.
>
> Can you explain what threat model you think this addresses?
It limits the exposed fuzz
On 03/23/2012 04:02 PM, Brian Julin wrote:
Not sure, but you should consider running non-virtual instances
(not that hard to do) and using privilege separation such that
there is little potential for exposure of your internal authentication
structure or internally-utilized crypto material to an e
On 03/23/2012 02:12 PM, mark.le...@stfc.ac.uk wrote:
isn’t possible, do I have any other options? Would a solution be to make
the virtual servers listen on two different IP addresses, and configure
the NAS to use a different RADIUS server IP address for each SSID?
That is the common solution,
mark.le...@stfc.ac.uk wrote:
> I may not have provided enough detail, but am I doing something that
> obviously won’t work? I don’t know if it’s possible to internally proxy
> a request more than once, e.g. to two different virtual servers.
It's not. It will likely work (eventually) in 3.0.
Not sure, but you should consider running non-virtual instances
(not that hard to do) and using privilege separation such that
there is little potential for exposure of your internal authentication
structure or internally-utilized crypto material to an externally
presented service.
Also, it is po