Integrating RADIUS with an MSSP's remote-access VPN
In a recent SearchSecurity webcast, speaker Lisa Phifer, vice president and
owner of consulting firm Core Competence, addressed technological developments
in virtual private networks. Here Lisa answers a user-submitted question that
she didn't have time to answer during the broadcast. If you missed our webcast
New directions in VPNs or would like to review it, you may listen to the
recorded webcast on-demand or download the presentation without audio.
My company will be using an outside vendor to manage the VPN. I would like the
VPN to use RSA RADIUS for AAA. Does it matter if I use SSL or IPSec? What
problems should I expect?
A growing number of Managed Security Service Providers (MSSPs) will integrate
their remote-access VPN offering with customer-supplied authentication databases
and AAA servers. As you suggest, this is often done with RADIUS, chaining RADIUS
Access-Requests from the provider's AAA server to your own AAA server based on
the user's domain name and/or the VPN gateway they are attempting to access.
Problems (if any) usually relate to use of vendor-specific RADIUS attributes,
but as long as you stick to standard RADIUS attributes you will probably have
little trouble. You'll also want to make sure that your RADIUS shared secret is
long and RADIUS traffic flows over a relatively secure link between your AAA
server and your provider's AAA server.
It is quite common for both IPsec and SSL VPN products to behave as RADIUS
clients for user-level authentication, but the method used to carry user
credentials over the VPN differs. IPsec VPNs tend to use something like Extended
Authentication (XAUTH), where all users first authenticate with a group-shared
secret, then sub-authenticate the user with credentials like username/password.
There are known security risks associated with XAUTH; for more info, see Cisco's
Web site and John Pliam's paper. SSL VPNs often send user login traffic through
the SSL tunnel after first authenticating only the server (VPN gateway).
However, it's important for the client to really authenticate the SSL VPN server
and not just blindly accept the server's certificate; see this SANS paper for
more information.
--------------------------------------------------------------------------------
MORE INFORMATION ON VPNs:
Visit our Featured Topic, VPNs: IPsec vs. SSL, for an overview of VPN
technologies.
Lisa Phifer helps clear up VPN misconceptions in this tip, VPN fast facts: True
or False?
Browse through our collection of Best Web Links on VPNs for more resources on
the Web.