Cisco Support Community

New Member

Network design question

We plan to deploy a Cisco Secure ACS for the company. We are not sure whether to put it behind the firewall or in the DMZ. Does anyone have similar experience? Thx in advance!

4 REPLIES

Re: Network design question

There are plenty of possibilities to get AAA working regardless of the server's location. This is a server that poses a high risk when compromised. Place it as securely as you can. I would always advise installation on the inside.

Regards,

Leo

New Member

Re: Network design question

Thank you!

New Member

Re: Network design question

What do you want to deploy this Cisco Secure ACS for? As a RADIUS server or a VMPS server, etc.?

The placement of the ACS server depends upon many different criteria.

Suppose you want to configure the dot1x protocol on your switches and authenticate through ACS. Then you might also want ACS to integrate with your antivirus server, and maybe also a patch management server. So the placement of ACS becomes more complicated.

Regards,

Suresh

New Member

Re: Network design question

Just thought I would chime in. In my past job we used Secure ACS servers to authenticate all VPN traffic, equipment access authentication for network admins, as well as HTTP and FTP authentication for clients at more than 200 edge sites.

As we deployed this we felt that this should be in the most secure segment of our network. Therefore we deployed it to our dedicated management VLAN. We deployed all high-level network management tools to this VLAN, including OpenView and other critical control resources.

We secured this area through extended ACLs allowing only devices that needed to talk to the ACS (or other components, for that matter) by specific ports and addresses. This segment also featured dedicated IDS to monitor it, as well as ACLs dictating 16 total IP addresses that could be used to manage equipment in this segment.

While you may not require that level of protection, I would avoid placing ACS in your DMZ. By their nature DMZs are less secure than your inside network. The only time I could see deploying an ACS or another direct authentication source such as AD there would be if external users are the only users that would be accessing these resources. Even then, though, you need to consider the ramifications of your authentication resource being compromised. Good luck with your ACS deployment.
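The kind of extended ACL the reply above describes, written out as an added example for the thread (it is not configuration from any of the posters). It assumes a Cisco IOS switch with the management VLAN on SVI Vlan10, an ACS at 10.10.10.5, network devices in 10.1.0.0/16 that act as RADIUS/TACACS+ clients, and a 16-address admin block 10.10.20.0/28; every address, name and VLAN number is a placeholder. Devices are allowed to reach the ACS only on the AAA ports, only the admin block may reach the ACS web interface, and the same admin block is the only source allowed to log in to the switch itself.

```cisco
! Assumed addressing (placeholders, not from the original thread):
!   ACS server          10.10.10.5     (on management VLAN 10, SVI Vlan10)
!   management VLAN     10.10.10.0/24
!   network devices     10.1.0.0/16    (RADIUS / TACACS+ clients)
!   admin workstations  10.10.20.0/28  (the 16 addresses allowed to manage gear)
!
! Traffic routed INTO the management VLAN: only what the ACS needs to receive.
ip access-list extended MGMT-VLAN-OUT
 remark -- network devices to ACS: RADIUS auth/acct and TACACS+ only
 permit udp 10.1.0.0 0.0.255.255 host 10.10.10.5 eq 1812
 permit udp 10.1.0.0 0.0.255.255 host 10.10.10.5 eq 1813
 permit tcp 10.1.0.0 0.0.255.255 host 10.10.10.5 eq 49
 remark -- admin block to ACS web interface
 permit tcp 10.10.20.0 0.0.0.15 host 10.10.10.5 eq 443
 remark -- admin block may manage other hosts in the segment over SSH
 permit tcp 10.10.20.0 0.0.0.15 10.10.10.0 0.0.0.255 eq 22
 remark -- everything else into the segment is dropped and logged
 deny ip any any log
!
interface Vlan10
 description Management VLAN (ACS, NMS)
 ip address 10.10.10.1 255.255.255.0
 ip access-group MGMT-VLAN-OUT out
!
! Only the 16 admin addresses may open a management session to this switch.
ip access-list standard MGMT-HOSTS
 permit 10.10.20.0 0.0.0.15
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The ACL is applied outbound on the SVI because traffic destined for the ACS leaves the switch's routing engine through Vlan10; replies from the ACS travel the other direction and are not filtered by it. If the ACS must initiate its own connections, for instance to a directory server or to the antivirus and patch-management servers mentioned earlier in the thread, those need a separate ACL applied inbound on Vlan10 that lists only those destinations. Older Cisco devices may still send RADIUS to UDP 1645/1646 rather than 1812/1813; check what the `radius-server host` lines on the clients actually use before tightening the permit entries.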
