"Marcus S. Sutliff" <msutliff @
internetmci .
com> writes:
> I think we could all benefit by discussing the philosophy behind remote
> access. Do you place your remote access system(s) into your DMZ
> (De-militarized Zone is between the firewall and border router or
> outside network), and perform RADIUS authentication through the firewall
> or do you put your remote access system within your network and perform
> RADIUS authentication on the internal LAN (behind the firewall)? Or, do
> you install another Ethernet adapter into the firewall (multi-home) so
> that the remote access system is on its own separate network -- or on
> its own DMZ, and considered as an untrusted device.
We're trying to keep our options open with the following architecture
(don't you just love ASCII art?)
                        Internet
                           |
                           |
                       +---+ Victim
                       |   | Net
                           |
                   --+-----+-----+--
                     |           |
Comm    |            |           |          |  Public
Servers +-----------FW           FW---------+  Services
        |            |           |          |  Net
Auth2   |            |           |          |
                   --+-----------+--
                        Private Net
                             :
                           Auth1
Auth1 contains the master auth DB; data is replicated to Auth2 to
protect the original sources but provide info if Auth1 is
unreachable. We're using RADIUS and now prototyping RADIUS plus
SecurID.
Putting the Comm Servers off a separate FW interface allows us to set
rules to make it effectively external/untrusted where we'd require
strong auth to get to the internal net, or we can treat it as trusted
where dialup users can trivially access private resources. Right now
we do the latter, but we're hoping to use VPN type SW for dialup users
to do this right.
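The two ways of treating the comm-server interface described above, as an added example that is not part of the original post: a first-match packet filter with one rule set that treats the dial-up segment as untrusted (only RADIUS from the comm servers to Auth1, Auth1-to-Auth2 replication and VPN setup cross the firewall into the private net) and one that treats it as trusted. All addresses, the VPN gateway, and the replication port are constructed assumptions; the post gives none.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the diagram's segments (assumed; the post gives none).
COMM_SEGMENT = "10.1.0.0/16"   # everything behind the comm-server FW interface
COMM_SERVERS = "10.1.0.0/24"   # the comm servers themselves
DIALUP_POOL  = "10.1.1.0/24"   # addresses handed out to dial-up users
PRIVATE_NET  = "10.2.0.0/16"   # Private Net
AUTH1, AUTH2 = "10.2.0.10/32", "10.1.0.10/32"   # master auth DB and its replica
VPN_GW       = "10.2.0.1/32"   # assumed VPN gateway dial-up users must terminate on
RADIUS_AUTH, RADIUS_ACCT, IKE = 1812, 1813, 500  # UDP ports
REPL_PORT = 5555                                 # assumed Auth1 -> Auth2 replication port

def rule(action, src, dst, proto=None, dport=None):
    """One filter rule; None in proto/dport means 'any'. First match wins."""
    return (action, ip_network(src), ip_network(dst), proto, dport)

# Comm-server segment treated as untrusted: comm servers may do RADIUS to Auth1
# through the FW, Auth1 may replicate to Auth2, dial-up users may only set up a
# VPN to the gateway; the rest of the private net is closed to the segment,
# while plain Internet access for dial-up users is still allowed.
UNTRUSTED = [
    rule("allow", COMM_SERVERS, AUTH1, "udp", RADIUS_AUTH),
    rule("allow", COMM_SERVERS, AUTH1, "udp", RADIUS_ACCT),
    rule("allow", AUTH1, AUTH2, "tcp", REPL_PORT),
    rule("allow", DIALUP_POOL, VPN_GW, "udp", IKE),
    rule("deny",  COMM_SEGMENT, PRIVATE_NET),
    rule("allow", COMM_SEGMENT, "0.0.0.0/0"),
]

# Comm-server segment treated as trusted: traffic flows freely in both directions,
# so a dial-up user reaches private resources with no further authentication.
TRUSTED = [
    rule("allow", COMM_SEGMENT, "0.0.0.0/0"),
    rule("allow", PRIVATE_NET, COMM_SEGMENT),
]

def evaluate(policy, src, dst, proto=None, dport=None):
    """Return 'allow' or 'deny' for a packet; anything unmatched is denied."""
    s, d = ip_address(src), ip_address(dst)
    for action, snet, dnet, rproto, rport in policy:
        if s in snet and d in dnet and rproto in (None, proto) and rport in (None, dport):
            return action
    return "deny"
```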