1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

RSA, Radius and Active Directory

Discussion in 'Computer Security' started by fortch, May 22, 2008.

  1. fortch

    fortch Kilobyte Poster

    408
    21
    35
    Ok folks, I need some suggestions and advice. I'm the lone ranger (just started) for a small software company (~100 employees), and we need to secure our network since we deal in financial stuff. Currently, we have 2 DC's (both GC's), and roughly 90 Vista and 10 XP desktops and lappies. VPN is a growing need here (as we grow), and we currently use Cisco VPN client into a Pix 506 (IPSec/UDP), using a group password (it sucks, btw). In addition, we also have 2 wireless AP's (WRT54GS) with ridiculous WEP.

    My boss has tasked me with incorporating RSA SecurID into AD, and wants to fix our frustratingly random VPN issue. We have a 5505 that we'll swap the 506 with, and my thought is to move to SSL VPN to be rid of the Cisco VPN client (or use both, utilizing the SSL for the problematic clients). Then, use an IAS for RADIUS, and having everyone authenticate through that, both the wireless and the VPN. Question -- is it considered good practice to run IAS on DC's? I have a few servers sitting, and figured to use them and avoid piling too many roles onto them. However, if properly backed up, I would think that authentication requests would be handled far quicker this way. What say you?

    Now, throw RSA into the mix -- anyone dealt with this in production? Common practice is to run a separate RSA server, and the research I've done seems to allow the 5505 and AD to play nice. What are some of your experiences?

    I don't mean to sound harsh, but I'm looking for experience here, not randomly googled results. I've searched every doc I can find, and I'm overloaded with 'documented' info, just very light on experience. TIA
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  2. onoski

    onoski Terabyte Poster

    3,120
    51
    154
    At work we currently run the RSA server separately and integrates nicely with AD no problems whatsoever. I think you need to configure a group in your firewall for group membership alongside AD.

    Our users then use Citrix to access secure web site using their AD logon credentials.

    This should be an interesting project, so lets know how you get on. Cheerio:)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. Mitzs
    Honorary Member

    Mitzs Ducktape Goddess

    3,282
    73
    152
    I belive I resemble that remark. :biggrin:oops:

    You might want to send ryan (phoenix on here) a link to this thread fortch. He is a guru on so many different levels of technologies he might be able to help with some of that. You might also want to copy and paste this into a email and send it to Tom and Jim. Specially Tom, he has always worked on different platforms. Good luck with this.
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
  4. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    The 5505 is a nice product and will play well with AD. We use quite a few 5xx and 55xx firewalls and numerous clients, and I have found the Cisco vpn software to be pretty good. We rarely use SSL vpn's, but sometimes use L2tp which works quite well.

    I would strongly recommend restricting the access vpn users have as much as possible, depending on your company policies.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
  5. fortch

    fortch Kilobyte Poster

    408
    21
    35
    Thanks guys, this company is very new, and we've grown leaps and bounds in the past few months. 4 years ago, it was a 3 man team, and this network is very young as well. Why they hired me is anyone's guess, but my boss likes hard work and honesty over anything else. I told him I'd learn whatever I needed to get the job done.

    Anyways, I'm sure things will play nice, and there's plenty of documentation available. I guess I'm looking for things to avoid, or what not to do, and that's where experience speaks the loudest. I appreciate the encouragement, and will keep this thread updated as things progress. We're expanding further into the building we're in, and this lone IT guy is turning out to be a moving company as well. Go figure.

    I think the first step is to swap out for the 5505, and cure the VPN issue (hopefully). I agree on locking them down as well, but some of the users are higher on the food chain than I am :blink Then, I think the next step (or maybe simultaneously) is firing up IAS, to authenticate everyone, particularly the wireless network. Our Pix is handling DHCP right now, and I would like to pull it in to AD for redundancy and security -- ideally, I wanted each DC to have DNS and DHCP, but it looks like IAS may be there as well. Still, I have to do some homework, cause the boss is considering a supernetted setup, so I'm not sure how that's gonna work. We want to limit the broadcast domains and segment, since we are continuing to grow.

    Thanks again folks!
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  6. BosonMichael
    Highly Decorated Member Award

    BosonMichael Yottabyte Poster

    19,136
    462
    374
    I've integrated SSL VPN with RADIUS and AD, but not with SecurID. Sounds interesting!
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  7. fortch

    fortch Kilobyte Poster

    408
    21
    35
    I've found that the Cisco VPN client is rather buggy with Vista, and was considering using the SSL VPN to test out access for the 2 users that have issues getting it running. Other than that, it works great for most people here. Believe it or not, I have zero Cisco experience, and we rely on the data center (in the same building) to manage our PIX, for the time being. Yet another thing on my plate.

    What do you think of the ASDM gui? I know most Cisco peeps disdain that kind of stuff, but the RSA people configure their stuff with it. I guess I'll find out :biggrin
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
  8. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    254
    45
    45
    We don't have many Vista clients, but so far we haven't had any trouble with them. As for the GUI, I am a dedicated CLI user, but the GUI is pretty good - quite usable, a useful tool for configuring the ASA. That said, the cli is of course the way to go in the long run, but for starting out the ASDM will do well.

    I hope you have the security plus bundle 5505, it is worth it in your situation.

    Some things to consider - plan your vlans and dmz now, and consider trunking the 5505 to your switch. Restrict outbound traffic as much as possible - I believe it is just as important to control what goes out as it is to control what comes in. Definetly move DHCP to the servers. A syslog/snmp box would be nice - any old pc will do and the information gathered can be very handy. I would also strongly suggest securing your internal network, but that depends a lot on the switches you have. Many companies ignore securing their internal network, but it is worth it if you can.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE

Share This Page

Loading...