Firewall Wizards mailing list archives

RE: Radius access from provider to internal MS ISA Server


From: Paul Robertson <proberts () patriot net>
Date: Fri, 5 Jul 2002 11:53:54 -0400 (EDT)

On Fri, 5 Jul 2002, Ben Nagy wrote:

> Your ISP sniffing the CHAP process doesn't lose you the game straight
> away. CHAP is designed to be fairly resistant to that sort of thing. If

It was my impression that the ISP was performing the CHAP authentication, 
then relaying that to the RADIUS server - if that's not the case, then I'd 
be less worried, but if it is, then surely the ISP has the CHAP secret 
(forgive me, it's been a number of years since I've looked at the 
protocol in any depth, so let me know if I'm out in left field...) 
or can change to a less secure authentication method and relay that?

> your Radius box is giving the challenges then as long as they're "unique
> in space and time" and not predictable then you're probably safe from
> everything but a password guessing attack (modulo MD5 attacks). In other
> words, use good passwords - but you probably didn't need to be told
> that. 

IMO, strong passwords are dead - dictionaries are too good now. If you're 
using reusable passwords, you should assume compromised credentials at 
some level, especially if a third party gets to participate.

> The problem is worked around by the server never responding to a
> challenge from an unauthenticated person (which also stops differential

In this case though, the server is owned by a third party, surely that 
changes the game?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

