Firewall Wizards mailing list archives
RE: Radius access from provider to internal MS ISA Server
From: Paul Robertson <proberts () patriot net>
Date: Fri, 5 Jul 2002 11:53:54 -0400 (EDT)
On Fri, 5 Jul 2002, Ben Nagy wrote:
> Your ISP sniffing the CHAP process doesn't lose you the game straight away. CHAP is designed to be fairly resistant to that sort of thing. If

It was my impression that the ISP was performing the CHAP authentication, then relaying that to the RADIUS server- if that's not the case, then I'd be less worried, but if it is, then surely the ISP has the CHAP secret (forgive me, it's been a number of years since I've looked at the protocol in any depth, so let me know if I'm out in left field...,) or can change to a less secure authentication method and relay that?

> your Radius box is giving the challenges then as long as they're "unique in space and time" and not predictable then you're probably safe from everything but a password guessing attack (modulo MD5 attacks). In other words, use good passwords - but you probably didn't need to be told that.

IMO, strong passwords are dead- dictionaries are too good now, if you're using reusable passwords, you should assume compromised credentials at some level, especially if a third party gets to participate.

> The problem is worked around by the server never responding to a challenge from an unauthenticated person (which also stops differential

In this case though, the server is owned by a third party, surely that changes the game?

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
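The exchange the two posters are arguing about, as an added example that is not part of the thread: a minimal RFC 1994 CHAP authenticator using MD5, showing the three properties under discussion. The secret never crosses the wire (the observer sees only identifier, challenge and response), a fresh unpredictable challenge makes a captured response useless for replay, and the side that verifies responses must hold every user's cleartext secret, which is exactly why it matters who runs the exchange. The class name `ChapAuthenticator`, the user `alice` and the sample secrets are assumptions constructed for this example.

```python
# Added example: a minimal RFC 1994 CHAP (MD5) authenticator written to
# illustrate the points in the thread above. ChapAuthenticator, the user
# "alice" and the sample secrets are assumptions for this example, not
# anything from the list post.
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994, section 4.1: Response = MD5(Identifier || Secret || Challenge).

    The secret itself never goes on the wire; a passive observer sees only
    identifier, challenge and response.
    """
    if not 0 <= identifier <= 0xFF:
        raise ValueError("CHAP identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """The side that issues challenges and checks responses.

    Whoever runs this object must hold every user's cleartext secret. That is
    the crux of the thread: if the ISP performs the CHAP exchange, the ISP
    holds the secrets.
    """

    def __init__(self, secrets_by_name: dict):
        self._secrets = dict(secrets_by_name)   # name -> cleartext secret (bytes)
        self._outstanding = {}                  # identifier -> challenge we issued
        self._next_id = 0

    def challenge(self):
        """Issue a fresh, unpredictable challenge ("unique in space and time")."""
        ident = self._next_id
        self._next_id = (self._next_id + 1) & 0xFF
        chal = os.urandom(16)                   # CSPRNG output, never a counter or clock
        self._outstanding[ident] = chal
        return ident, chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        """Accept a response only for a challenge we issued and have not yet consumed."""
        chal = self._outstanding.pop(identifier, None)  # one-shot: consumed on first use
        if chal is None:
            return False                        # unsolicited or replayed response
        secret = self._secrets.get(name)
        if secret is None:
            return False
        expected = chap_response(identifier, secret, chal)
        return hmac.compare_digest(expected, response)


def demo_exchange() -> dict:
    """Run one honest exchange plus the failure cases the thread talks about."""
    secret = b"correct horse battery staple"   # constructed sample secret
    auth = ChapAuthenticator({"alice": secret})

    # Honest peer answers the challenge with the shared secret.
    ident, chal = auth.challenge()
    resp = chap_response(ident, secret, chal)
    first = auth.verify(ident, "alice", resp)

    # Replaying the captured response: the challenge was consumed, so it fails.
    replay = auth.verify(ident, "alice", resp)

    # Wrong secret against a fresh challenge: a single guess, and it fails.
    ident2, chal2 = auth.challenge()
    wrong_secret = auth.verify(ident2, "alice", chap_response(ident2, b"guess", chal2))

    # A response to a challenge the authenticator never issued is rejected outright.
    unsolicited = auth.verify((ident2 + 1) & 0xFF, "alice", resp)

    return {"first": first, "replay": replay,
            "wrong_secret": wrong_secret, "unsolicited": unsolicited}


if __name__ == "__main__":
    print(demo_exchange())
```

Note what the verifier's check consists of: it is the same `chap_response` computation the peer performed. Anyone holding a captured (identifier, challenge, response) triple can run that computation against candidate secrets offline, which is why the first poster ties safety to password strength, and why the reply treats reusable passwords as compromised once a third party takes part in the exchange.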