
List:       cistron-radius
Subject:    Re: Excess Usage in detail file
From:       Jeff Miller <jeffm () dynamite ! com ! au>
Date:       1999-02-25 22:39:35

On Fri, Feb 26, 1999 at 12:35:22AM +0900, cfb wrote:
> a couple of questions....

A couple!?

> What's your internal network architecture like?
> 
> Do you separate hosts via a switch or micro-segmentation from your radius server and remote access
> server, or is everything on the same segment?  Do you keep the radius server on the same
> segment as your remote access server?

All servers are connected via switches.
 
> Do you have your boxen (routers, NT, unix, whatever) configured to ignore re-directs?

can you clarify?

> What type of remote access servers do you have?

Cisco as5200s

> Are those remote access servers flashed/loaded up to the latest software load revision (yes,
> even the v.34 boxen which probably run best under a MUCH more vulnerable, older load)?  Are
> you sure?

IOS (tm) 5200 Software (C5200-I-L), Version 11.2(15)P,  RELEASE SOFTWARE (fc1)

> Do you use any of the servers in your core architecture to provide shell accounts for your
> users or for heavy in-house personal use?

No.

> Do you keep users on the same machine that runs Radius or do you have a quarantined Radius
> server?

Quarantined.
 
> Have you noticed anything unusual in your log files (do you run tripwire to know when you
> might NOT find anything unusual in your log files?)?

No, but then again, do I ever get a chance to inspect them? All of you know how time gets
sucked away.

> Do you prevent simultaneous logins?

Yes.

> Do you restrict access by huntgroup?

Yes.
 
> Do you keep passwords in clear text or does the cracker need to run them against a dictionary
> if they haven't sniffed the plaintext already?

In the accounts database. Ever tried to convince people about security?

> Do you have a strictly DEFAULT Radius server configuration???

Yeap.

> Do you have caller ID turned on for your hunt groups?  Do you log it?  Do you authenticate by it?
> Caller ID isn't foolproof, but it is the first sign of an amateur.  How many people do you
> know that haul their desktop out to the local Motel 6 for an evening of uninterrupted
> hacking... ok, apart from close friends?

It's logged when available. Don't know about other countries but here customers can turn
caller ID off at the phone on a call-by-call basis, hence my interest in enforcing the use
of caller ID.
 
> Do you run realms, proxy authentication or any other centralized/distributed/external
> authentication scheme?  Do you provide a roaming program for your users?  Do your
> authentications traverse any external networks with or without encryption (besides the phone
> company, obviously)?

No.

> Cleaning up after a Radius compromise isn't a pretty thing.  Turning on Caller ID and
> authenticating by it (or at a minimum, sending phone# discrepancy alerts) can go a long way
> towards minimizing the impact.  Have a good working relationship with the local operators
> when doing reverse phone# lookups.  Though, if the bad guy is good and your customer base is
> large, you're screwed (i.e. unless you get your entire customer base on new authentication
> passwords, you'll be intermittently pissing on fires for a long time).  If you find mystery
> phone numbers originating from the local porta-potty cleaning service, it's time to get the
> phone company more involved.
> 
> If you're not completely paranoid, you're not paranoid enough.... because THEY are after
> YOU... and your little users too! (apologies to Frank whatz-his-name)

Oh, I'm paranoid when it comes to security.

> whatever the case, good luck....

Thanks.

Jeff.
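The "phone# discrepancy alert" idea from the thread, as an added example that is not part of this message or of the Cistron RADIUS code: a small script that reads accounting records in the Livingston/Cistron detail-file layout and flags Start records whose Calling-Station-Id is missing or not among the numbers on file for that account. The detail text and the KNOWN_NUMBERS table are constructed for illustration.

```python
import re

# Constructed sample in the Livingston/Cistron detail-file layout (not a real log):
# unindented timestamp line, tab-indented "Attribute = value" lines, blank separator.
SAMPLE_DETAIL = """\
Thu Feb 25 22:10:01 1999
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "0398765432"
\tNAS-IP-Address = 192.0.2.10

Thu Feb 25 22:11:40 1999
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tCalling-Station-Id = "0355550199"
\tNAS-IP-Address = 192.0.2.11

Thu Feb 25 22:12:05 1999
\tUser-Name = "bob"
\tAcct-Status-Type = Start
\tNAS-IP-Address = 192.0.2.10
"""

# Hypothetical table of the numbers each account is expected to dial in from.
KNOWN_NUMBERS = {"alice": {"0398765432"}, "bob": {"0355550100"}}
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')

def parse_detail(text):
    """Return one dict per accounting record: its timestamp plus attributes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank line: record separator
        if not line[0].isspace():         # unindented line: new record
            records.append({"timestamp": line.strip()})
        elif records and (m := ATTR_RE.match(line)):
            records[-1][m.group(1)] = m.group(2)
    return records

def discrepancies(records, known):
    """(user, timestamp, caller_id) for Start records with no or unexpected caller ID."""
    alerts = []
    for r in records:
        if r.get("Acct-Status-Type") != "Start":
            continue
        user, cid = r.get("User-Name"), r.get("Calling-Station-Id")
        if cid is None or cid not in known.get(user, set()):
            alerts.append((user, r["timestamp"], cid))
    return alerts
```

Running discrepancies(parse_detail(SAMPLE_DETAIL), KNOWN_NUMBERS) on the sample reports alice's second session (unknown number) and bob's session (caller ID withheld), which is the kind of record worth a closer look.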
