List: cistron-radius
Subject: Re: Excess Usage in detail file
From: Jeff Miller <jeffm () dynamite ! com ! au>
Date: 1999-02-25 22:39:35
On Fri, Feb 26, 1999 at 12:35:22AM +0900, cfb wrote:
> a couple of questions....
A couple!?
> What's your internal network architecture like?
>
> Do you separate hosts via a switch or micro-segmentation from your radius server and remote access
> server, or is everything on the same segment? Do you keep the radius server on the same
> segment as your remote access server?
All servers are connected via switches.
> Do you have your boxen (routers, NT, unix, whatever) configured to ignore re-directs?
can you clarify?
> What type of remote access servers do you have?
Cisco as5200s
> Are those remote access servers flashed/loaded up to the latest software load revision (yes,
> even the v.34 boxen which probably run best under a MUCH more vulnerable, older load)? Are
> you sure?
IOS (tm) 5200 Software (C5200-I-L), Version 11.2(15)P, RELEASE SOFTWARE (fc1)
> Do you use any of the servers in your core architecture to provide shell accounts for your
> users or for heavy in-house personal use?
No.
> Do you keep users on the same machine that runs Radius or do you have a quarantined Radius
> server?
Quarantined.
> Have you noticed anything unusual in your log files (do you run tripwire to know when you
> might NOT find anything unusual in your log files?)?
No, but then again, do I ever get a chance to inspect them? All of you know how time gets
sucked away.
> Do you prevent simultaneous logins?
Yes.
> Do you restrict access by huntgroup?
Yes.
> Do you keep passwords in clear text or does the cracker need to run them against a dictionary
> if they haven't sniffed the plaintext already?
In the accounts database; ever tried to convince people about security?
> Do you have a strictly DEFAULT Radius server configuration???
Yeap.
> Do you have caller ID turned on for your hunt groups? Do you log it? Do you authenticate by it?
> Caller ID isn't foolproof, but it is the first sign of an amateur. How many people do you
> know that haul their desktop out to the local Motel 6 for an evening of uninterrupted
> hacking... ok, apart from close friends?
It's logged when available. Don't know about other countries, but here customers can turn
caller ID off at the phone on a call-by-call basis, hence my interest in enforcing the use
of caller ID.
> Do you run realms, proxy authentication or any other centralized/distributed/external
> authentication scheme? Do you provide a roaming program for your users? Do your
> authentications traverse any external networks with or without encryption (besides the phone
> company, obviously)?
No.
> Cleaning up after a Radius compromise isn't a pretty thing. Turning on Caller ID and
> authenticating by it (or at a minimum, sending phone# discrepancy alerts) can go a long way
> towards minimizing the impact. Have a good working relationship with the local operators
> when doing reverse phone# lookups. Though, if the bad guy is good and your customer base is
> large, you're screwed (i.e. unless you get your entire customer base on new authentication
> passwords, you'll be intermittently pissing on fires for a long time). If you find mystery
> phone numbers originating from the local porta-potty cleaning service, it's time to get the
> phone company more involved.
>
> If you're not completely paranoid, you're not paranoid enough.... because THEY are after
> YOU... and your little users too! (apologies to Frank whatz-his-name)
Oh, I'm paranoid when it comes to security.
> whatever the case, good luck....
Thanks.
Jeff.
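The thread above raises two checks an operator can run against the accounting detail file rather than by hand: "phone# discrepancy alerts" (a Calling-Station-Id that is withheld or does not match the number on file for the account) and enforcement of the no-simultaneous-logins policy. The script below is an added example, not code from the cistron-radius list, from Jeff, cfb or the Cistron project. It assumes the common Livingston/Cistron detail-file layout (a timestamp line, tab-indented `Attribute = value` lines, a blank line between records); the sample records, usernames, phone numbers and the `KNOWN_CALLER_IDS` table are constructed for the demonstration.

```python
"""Scan a RADIUS accounting detail file for caller-ID discrepancies and
overlapping sessions.  Added example; not the Cistron project's own code."""
import re
from collections import defaultdict

# One "Attribute = value" line; values may be quoted strings or bare numbers.
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

# Constructed reference data: the number(s) each account normally dials from.
KNOWN_CALLER_IDS = {"alice": {"0299990001"}, "bob": {"0299990002"}}

# Constructed sample in the assumed detail-file layout.  alice opens a second
# session from an unknown number while the first is still up; bob dials in
# with caller ID withheld.
SAMPLE_DETAIL = """\
Thu Feb 25 21:02:10 1999
\tAcct-Session-Id = "0000A1B2"
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port-Id = 3
\tAcct-Status-Type = Start
\tCalling-Station-Id = "0299990001"

Thu Feb 25 21:05:44 1999
\tAcct-Session-Id = "0000A1B3"
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.11
\tNAS-Port-Id = 7
\tAcct-Status-Type = Start
\tCalling-Station-Id = "0299990099"

Thu Feb 25 21:10:00 1999
\tAcct-Session-Id = "0000A1B2"
\tUser-Name = "alice"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port-Id = 3
\tAcct-Status-Type = Stop
\tAcct-Session-Time = 470
\tCalling-Station-Id = "0299990001"

Thu Feb 25 21:12:30 1999
\tAcct-Session-Id = "0000A1C0"
\tUser-Name = "bob"
\tNAS-IP-Address = 192.0.2.10
\tNAS-Port-Id = 4
\tAcct-Status-Type = Start
"""


def parse_detail(text):
    """Return one dict per record: a 'timestamp' key plus its attribute/value pairs."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        rec = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            m = ATTR_RE.match(line)
            if m:
                rec[m.group(1)] = m.group(2).strip('"')
        records.append(rec)
    return records


def caller_id_alerts(records, known):
    """Flag Start records whose Calling-Station-Id is absent or not on file for the user."""
    alerts = []
    for rec in records:
        if rec.get("Acct-Status-Type") != "Start":
            continue  # Stop/Alive records repeat the same number; alert once per session
        user = rec.get("User-Name", "?")
        cid = rec.get("Calling-Station-Id")
        if cid is None:
            alerts.append((user, rec.get("Acct-Session-Id"), "caller id withheld"))
        elif cid not in known.get(user, set()):
            alerts.append((user, rec.get("Acct-Session-Id"), "unknown number " + cid))
    return alerts


def concurrent_sessions(records):
    """Peak number of simultaneously open sessions per user, walking Start/Stop in file order."""
    open_now = defaultdict(int)
    peak = defaultdict(int)
    for rec in records:
        user = rec.get("User-Name")
        status = rec.get("Acct-Status-Type")
        if status == "Start":
            open_now[user] += 1
            peak[user] = max(peak[user], open_now[user])
        elif status == "Stop":
            open_now[user] = max(0, open_now[user] - 1)  # tolerate a Stop with no Start
    return dict(peak)


if __name__ == "__main__":
    recs = parse_detail(SAMPLE_DETAIL)
    for user, sid, why in caller_id_alerts(recs, KNOWN_CALLER_IDS):
        print(f"ALERT {user} session {sid}: {why}")
    for user, n in concurrent_sessions(recs).items():
        if n > 1:
            print(f"ALERT {user}: {n} overlapping sessions")
```

Feed it a real detail file by replacing `SAMPLE_DETAIL` with the file contents; a withheld number shows up as a missing `Calling-Station-Id`, which is exactly the case Jeff describes where customers block caller ID per call.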