|
Posted by Phillip Windell on June 16, 2005, 1:07 pm
If you were Registered and logged in, you could reply and use other advanced thread options
I would say it goes on the Internal side. But it may make a difference if
you are talking about a MS Based RADIUS Server or one from a third party.
Also, as with most things,...there is probably more than one way to do it.
You would have to analyse the pros and cons of each method and decide which
is more appropriate in a particular given situation.
Just beware of the excessive "paranoia" of some people,...they can lead you
down a long winding complex path "in the name of security" that does nothing
more than make things so overly complex that you can not manage the
system,...or worse yet, don't understand the system. This in itself can
cause you to make mistakes which create even more new "risks" besides the
ones your were trying to avoid in the first place. Stay within your
"means", stay within what you can understand and manage dependably.
--
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
> All network diagrams I've seen so far indicates that a RADIUS server
> (Windows IAS, ACS, or whatever) should be placed in the 'internal' network
> and establish communications with DC's there. Then if an external user
> attempts to connect via VPN (DMZ), then I would allow only the ports
> necessary from the VPN concentrator to the RADIUS server and
> pre-authenticate users at that point.
>
> I have a security guy fellow here that tells me that the RADIUS server
> should be placed in the "DMZ" instead. Does this make sense at all ?
>
>
| 
XML site map