10-29-2001 08:06 AM - edited 02-21-2020 09:57 AM
Hi all,
Sorry if this has been discussed, but if it has, please just point me in the right direction.
I am assisting on a RAS install using SecurID tokens with a 3660 PRI and a PIX 525. The current design places the AAA server in the DMZ with the 3660 and only controls traffic on the 3660, i.e. it allows all traffic from the 3660 to the internal network.
My issue is a) wouldn't it be more secure to place the AAA server on the inside network and b) wouldn't it be sensible to extend the AAA control to the PIX in case the 3660 is compromised.
I am about to suggest this to the designer, but I would really appreciate any feedback before I go stepping on any toes.
Thanks
Ian Castleman
10-29-2001 04:09 PM
a) OK, let's put it another way: would the designer put an NT Primary Domain Controller on the DMZ? No, of course he wouldn't, because the DMZ is accessible by all, and the device holds secure information.
b) Not enough information to fully comment, but yes; getting the PIX involved in direct authentication is usually hard work, although a simple filter rule allowing AAA traffic (TACACS/RADIUS) between the 3660 and the AAA server (which is on the internal LAN) should suffice.
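A PIX access list along the lines of the filter rule suggested above, as an added example that is not from this thread. All addresses, the interface name, the port numbers and the shared secret are assumed placeholders; substitute the real ones.

```cisco
: Added example, not from the thread. PIX 6.x-style configuration that allows only
: AAA traffic from the 3660 in the DMZ to an AAA server on the inside network.
: Assumed addresses: 3660 = 192.0.2.10 (DMZ), AAA server = 10.1.1.20 (inside).
:
: Weak design described in the original post: everything from the 3660 reaches the inside.
: access-list dmz_in permit ip host 192.0.2.10 any
:
: Tightened design: only RADIUS (UDP 1812/1813) and TACACS+ (TCP 49) from the 3660
: to the AAA server. Use 1645/1646 instead if the server still listens on the legacy RADIUS ports.
nameif ethernet1 dmz security50
: Make the inside AAA server reachable from the lower-security DMZ without translation.
static (inside,dmz) 10.1.1.20 10.1.1.20 netmask 255.255.255.255
access-list dmz_in permit udp host 192.0.2.10 host 10.1.1.20 eq 1812
access-list dmz_in permit udp host 192.0.2.10 host 10.1.1.20 eq 1813
access-list dmz_in permit tcp host 192.0.2.10 host 10.1.1.20 eq 49
: Explicit deny so a compromised 3660 cannot reach anything else on the inside.
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz
:
: Optional: have the PIX itself authenticate its own management access against
: the same inside AAA server (shared secret is a placeholder, not a real value).
aaa-server RADSERV protocol radius
aaa-server RADSERV (inside) host 10.1.1.20 SHARED-SECRET-PLACEHOLDER timeout 5
aaa authentication telnet console RADSERV
```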
10-30-2001 01:38 AM
Well, the suggested approach is a quite meaningful one; you might face problems when you are extending the AAA capabilities to further do direct authentication for the PIX.