Sorry if this has been discussed, but if it has please just point me in the right direction.
I am assisting on a RAS install using SecurID tokens with a 3660 PRI and a PIX 525. The current design places the AAA server in the DMZ with the 3660 and only controls traffic on the 3660, i.e. allowing all traffic from the 3660 to the internal network.
My issue is a) wouldn't it be more secure to place the AAA server on the inside network, and b) wouldn't it be sensible to extend the AAA control to the PIX in case the 3660 is compromised?
I am about to suggest this to the designer but I would really appreciate any feedback before I go stepping on any toes.
a) OK, let's put it another way: would the designer put an NT Primary Domain Controller on the DMZ? No, of course he wouldn't, because the DMZ is accessible by all, and the device holds secure information.
b) Not enough information to fully comment, but yes, although getting the PIX involved in direct authentication is usually hard work. A simple filter rule allowing AAA traffic (TACACS/RADIUS) between the 3660 and the AAA server (which is on the internal LAN) should suffice.
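For anyone following up on the reply above, here is an added configuration example (not posted by either participant, and not taken from a real deployment) of what "a simple filter rule allowing AAA traffic between the 3660 and the AAA server on the internal LAN" looks like on a PIX 525 running PIX OS 6.x, with the matching RADIUS client lines on the 3660. All addresses, interface names, the access-list name "dmz_in" and the shared secret are assumptions chosen for illustration: the 3660 is taken to sit on the DMZ at 192.168.10.2, the AAA server (the SecurID/ACE server, or a RADIUS front end for it) on the inside at 10.0.0.20. The UDP ports 1812/1813 are the standard RADIUS ports; older ACE/RADIUS installs listen on 1645/1646, so match whatever the server actually uses. The "before" line shows the current permit-everything rule the question describes, and the lines after it replace it.

```cisco
! ---- PIX 525 (PIX OS 6.x syntax) ----
! Interface roles assumed for this example: inside = security100, dmz = security50.
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! BEFORE (the current design, as described in the question):
! one rule lets the 3660 reach anything on the inside network.
!   access-list dmz_in permit ip host 192.168.10.2 any
!   access-group dmz_in in interface dmz

! AFTER: only AAA traffic from the 3660 to the AAA server is allowed.
! Identity static is required on PIX 6.x for a lower-security interface (dmz)
! to initiate connections to a higher-security host (inside) without NAT.
static (inside,dmz) 10.0.0.20 10.0.0.20 netmask 255.255.255.255 0 0

! RADIUS authentication and accounting (assumed ports 1812/1813; use 1645/1646 if
! the ACE/RADIUS server is configured for the legacy ports).
access-list dmz_in permit udp host 192.168.10.2 host 10.0.0.20 eq 1812
access-list dmz_in permit udp host 192.168.10.2 host 10.0.0.20 eq 1813
! If the design uses TACACS+ instead of RADIUS, allow TCP/49 rather than the UDP ports.
! access-list dmz_in permit tcp host 192.168.10.2 host 10.0.0.20 eq 49
! Explicit deny documents intent; the PIX drops anything unmatched anyway.
access-list dmz_in deny ip any any
access-group dmz_in in interface dmz

! ---- 3660 (IOS) RADIUS client, pointing at the AAA server now on the inside ----
aaa new-model
radius-server host 10.0.0.20 auth-port 1812 acct-port 1813 key ASSUMED-SHARED-SECRET
radius-server retransmit 3
aaa authentication ppp default group radius
aaa authorization network default group radius
aaa accounting network default start-stop group radius
```

After applying it, "show access-list dmz_in" on the PIX shows the hit counters climbing on the two UDP lines during a dial-in test and staying at zero on the deny line; a dial-in attempt that is rejected because the PIX blocks the RADIUS ports shows up on the 3660 as RADIUS server timeouts rather than as an authentication failure, which is the quickest way to tell a filter problem from a bad token code. The shared secret is only as useful as the rule: if the 3660 is compromised, the attacker still has the secret, so the filter limits them to talking RADIUS to one host rather than to the whole inside network, which is the point of part (b).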