AAA server placement. Inside or DMZ

castlei
Level 1

Hi all,

Sorry if this has been discussed, but if it has please just point me in the right direction.

I am assisting on a RAS install using SecureID tokens using a 3660 PRI and PIX 525. The current design places the AAA server in the DMZ with the 3660 and only controlling traffic on the 3660, i.e. allowing all traffic from the 3660 to the internal network.

My issue is a) wouldn't it be more secure to place the AAA server on the inside network and b) wouldn't it be sensible to extend the AAA control to the PIX in case the 3660 is compromised.

I am about to suggest this to the designer, but I would really appreciate any feedback before I go stepping on any toes.

Thanks

Ian Castleman


p.jacques
Level 1

a) OK, let's put it another way: would the designer put an NT Primary Domain Controller on the DMZ? No, of course he wouldn't, because the DMZ is accessible by all, and the device holds secure information.

b) Not enough information to fully comment, but yes, although getting the PIX involved in direct authentication is usually hard work. A simple filter rule allowing AAA traffic (TACACS+/RADIUS) between the 3660 and the AAA server (which is on the internal LAN) should suffice.
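The filter rule described in this reply, written out as an added example (not configuration from this thread or from the poster): PIX 6.3 syntax is assumed, the addresses 192.168.100.2 (3660 on the DMZ) and 10.1.1.10 (AAA server on the inside LAN) and the interface name `dmz` are constructed placeholders, and the ports assume RADIUS on the IANA ports 1812/1813 and TACACS+ on TCP 49 (older Cisco builds default RADIUS to 1645/1646, so match whatever the 3660's `radius-server` line uses). This replaces the "permit ip any from the 3660" rule of the current design with a rule that lets the 3660 reach only the AAA server, only on the AAA ports.

```cisco
static (inside,dmz) 10.1.1.10 10.1.1.10 netmask 255.255.255.255 0 0
access-list dmz_in remark Current design (weak): permit ip host 192.168.100.2 any
access-list dmz_in remark Tightened: 3660 on the DMZ may reach the inside AAA server on AAA ports only
access-list dmz_in permit udp host 192.168.100.2 host 10.1.1.10 eq 1812
access-list dmz_in permit udp host 192.168.100.2 host 10.1.1.10 eq 1813
access-list dmz_in permit tcp host 192.168.100.2 host 10.1.1.10 eq 49
access-list dmz_in remark Everything else from the DMZ toward inside falls to the implicit deny
access-group dmz_in in interface dmz
```

Because the PIX keeps state, the RADIUS replies and the TACACS+ session traffic back to the 3660 need no separate rule on the inside interface, and a compromised 3660 can then only talk to the AAA server on these ports rather than to the whole internal network.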

vipin
Level 1

Well, the suggested approach is quite a meaningful one; you might face problems when you are extending the AAA capabilities to further do direct authentication for the PIX.