RSA, Radius and Active Directory

Discussion in 'Computer Security' started by fortch, May 22, 2008.

1. fortch (Kilobyte Poster)
    OK folks, I need some suggestions and advice. I'm the lone ranger (just started) for a small software company (~100 employees), and we need to secure our network since we deal in financial stuff. Currently, we have 2 DCs (both GCs), and roughly 90 Vista and 10 XP desktops and lappies. VPN is a growing need here (as we grow), and we currently use the Cisco VPN client into a PIX 506 (IPSec/UDP), using a group password (it sucks, btw). In addition, we also have 2 wireless APs (WRT54GS) with ridiculous WEP.

    My boss has tasked me with incorporating RSA SecurID into AD, and wants to fix our frustratingly random VPN issue. We have a 5505 that we'll swap the 506 with, and my thought is to move to SSL VPN to be rid of the Cisco VPN client (or use both, utilizing the SSL for the problematic clients). Then, use IAS for RADIUS, and have everyone authenticate through that, both the wireless and the VPN. Question -- is it considered good practice to run IAS on DCs? I have a few servers sitting, and figured to use them and avoid piling too many roles onto the DCs. However, if properly backed up, I would think that authentication requests would be handled far quicker this way. What say you?

    Now, throw RSA into the mix -- anyone dealt with this in production? Common practice is to run a separate RSA server, and the research I've done seems to allow the 5505 and AD to play nice. What are some of your experiences?

    I don't mean to sound harsh, but I'm looking for experience here, not randomly googled results. I've searched every doc I can find, and I'm overloaded with 'documented' info, just very light on experience. TIA
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
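The post above plans to put IAS (Microsoft's RADIUS server) in front of both the ASA and the access points. What follows is an added example, not code from the thread or from any Cisco/Microsoft product: a self-contained RFC 2865 round trip in which a NAS (the ASA or an AP, stand-in address 192.0.2.10, assumed) sends a PAP Access-Request to a toy RADIUS server that stands in for IAS, and then checks the reply. It shows the two places the shared secret is actually used, hiding User-Password and authenticating the server's response, and what a secret mismatch looks like from the NAS side (the reply fails verification and is discarded, so the client just times out). Usernames, passwords and the secret are constructed.

```python
"""RFC 2865 Access-Request / Access-Accept with a shared secret (constructed example)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) id(1) length(2) authenticator(16)


def encode_attr(attr_type, value):
    """RADIUS TLV: type, length (counting this 2-byte header), value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data):
    """Return {type: value} for an attribute list; reject truncated TLVs."""
    attrs, pos = {}, 0
    while pos + 2 <= len(data):
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block);
    the first block is keyed with the Request Authenticator."""
    padded = password.encode() + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block  # chaining uses the *hidden* block
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side of PAP: inverse of hide_password."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00").decode()


def build_access_request(ident, username, password, secret, nas_ip):
    request_auth = os.urandom(16)  # must be unpredictable: it keys the password hiding
    attrs = (encode_attr(ATTR_USER_NAME, username.encode())
             + encode_attr(ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
             + encode_attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def build_response(code, request, secret, attrs=b""):
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(response, request, secret):
    """NAS check before trusting an Accept: recompute the Response Authenticator
    from the request it sent and its own copy of the secret."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def radius_server(request, secret, user_db):
    """Toy stand-in for IAS: recover the PAP password and check a dict (real IAS checks AD)."""
    attrs = parse_attrs(request[HEADER_LEN:])
    user = attrs.get(ATTR_USER_NAME, b"").decode(errors="replace")
    try:
        password = reveal_password(attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    except (KeyError, UnicodeDecodeError):  # wrong secret yields garbage bytes
        return build_response(ACCESS_REJECT, request, secret)
    code = ACCESS_ACCEPT if user_db.get(user) == password else ACCESS_REJECT
    return build_response(code, request, secret)


def authenticate(username, password, nas_secret, user_db, server_secret=None):
    """Whole exchange from the NAS's point of view.
    Returns 'accept', 'reject', or 'unverified' when the reply fails the
    authenticator check (secret mismatch or tampering); a real NAS silently drops those."""
    server_secret = nas_secret if server_secret is None else server_secret
    request = build_access_request(7, username, password, nas_secret, "192.0.2.10")
    response = radius_server(request, server_secret, user_db)
    if not verify_response(response, request, nas_secret):
        return "unverified"
    return "accept" if response[0] == ACCESS_ACCEPT else "reject"


if __name__ == "__main__":
    users, secret = {"alice": "correct horse battery staple!"}, b"s3cret-shared"
    print(authenticate("alice", "correct horse battery staple!", secret, users))
    print(authenticate("alice", "wrong", secret, users))
    print(authenticate("alice", "correct horse battery staple!", secret, users, server_secret=b"typo"))
```

Two practical points fall out of this. The MD5-keyed XOR is the only thing protecting the password and the only thing authenticating the server, so the RADIUS leg between ASA/APs and IAS belongs on a trusted segment with a long random secret per client, not on the user VLAN. For the wireless side, moving from WEP to WPA2-Enterprise means 802.1X/EAP (PEAP in a Windows shop), where the credential check happens inside TLS and this User-Password attribute is not used at all; the Response Authenticator check still applies.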
2. onoski (Terabyte Poster)
    At work we currently run the RSA server separately, and it integrates nicely with AD, no problems whatsoever. I think you need to configure a group in your firewall for group membership alongside AD.

    Our users then use Citrix to access secure web site using their AD logon credentials.

    This should be an interesting project, so let us know how you get on. Cheerio :)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
3. Mitzs (Ducktape Goddess, Honorary Member)
    I believe I resemble that remark. :biggrin: :oops:

    You might want to send ryan (phoenix on here) a link to this thread, fortch. He is a guru on so many different levels of technologies he might be able to help with some of that. You might also want to copy and paste this into an email and send it to Tom and Jim. Especially Tom, he has always worked on different platforms. Good luck with this.
     
    Certifications: Microcomputers and network specialist.
    WIP: Adobe DW, PS
4. Spice_Weasel (Kilobyte Poster)
    The 5505 is a nice product and will play well with AD. We use quite a few 5xx and 55xx firewalls and numerous clients, and I have found the Cisco VPN software to be pretty good. We rarely use SSL VPNs, but sometimes use L2TP, which works quite well.

    I would strongly recommend restricting the access VPN users have as much as possible, depending on your company policies.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
5. fortch (Kilobyte Poster)
    Thanks guys, this company is very new, and we've grown leaps and bounds in the past few months. 4 years ago, it was a 3 man team, and this network is very young as well. Why they hired me is anyone's guess, but my boss likes hard work and honesty over anything else. I told him I'd learn whatever I needed to get the job done.

    Anyways, I'm sure things will play nice, and there's plenty of documentation available. I guess I'm looking for things to avoid, or what not to do, and that's where experience speaks the loudest. I appreciate the encouragement, and will keep this thread updated as things progress. We're expanding further into the building we're in, and this lone IT guy is turning out to be a moving company as well. Go figure.

    I think the first step is to swap out for the 5505, and cure the VPN issue (hopefully). I agree on locking them down as well, but some of the users are higher on the food chain than I am :blink: Then, I think the next step (or maybe simultaneously) is firing up IAS, to authenticate everyone, particularly the wireless network. Our PIX is handling DHCP right now, and I would like to pull it into AD for redundancy and security -- ideally, I wanted each DC to have DNS and DHCP, but it looks like IAS may be there as well. Still, I have to do some homework, cause the boss is considering a supernetted setup, so I'm not sure how that's gonna work. We want to limit the broadcast domains and segment, since we are continuing to grow.

    Thanks again folks!
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
6. BosonMichael (Yottabyte Poster, Honorary Member)
    I've integrated SSL VPN with RADIUS and AD, but not with SecurID. Sounds interesting!
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
7. fortch (Kilobyte Poster)
    I've found that the Cisco VPN client is rather buggy with Vista, and was considering using the SSL VPN to test out access for the 2 users that have issues getting it running. Other than that, it works great for most people here. Believe it or not, I have zero Cisco experience, and we rely on the data center (in the same building) to manage our PIX, for the time being. Yet another thing on my plate.

    What do you think of the ASDM GUI? I know most Cisco peeps disdain that kind of stuff, but the RSA people configure their stuff with it. I guess I'll find out :biggrin:
     
    Certifications: A+,Net+,Sec+,MCSA:Sec,MCSE:Sec,mASE
8. Spice_Weasel (Kilobyte Poster)
    We don't have many Vista clients, but so far we haven't had any trouble with them. As for the GUI, I am a dedicated CLI user, but the GUI is pretty good - quite usable, a useful tool for configuring the ASA. That said, the CLI is of course the way to go in the long run, but for starting out the ASDM will do well.

    I hope you have the Security Plus bundle 5505, it is worth it in your situation.

    Some things to consider - plan your VLANs and DMZ now, and consider trunking the 5505 to your switch. Restrict outbound traffic as much as possible - I believe it is just as important to control what goes out as it is to control what comes in. Definitely move DHCP to the servers. A syslog/SNMP box would be nice - any old PC will do, and the information gathered can be very handy. I would also strongly suggest securing your internal network, but that depends a lot on the switches you have. Many companies ignore securing their internal network, but it is worth it if you can.

    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
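The advice above pairs two things: an outbound ACL on the ASA and a syslog box to collect what it blocks. The payoff is that every egress deny becomes a detection signal. This is an added example, not from the thread or from Cisco: it parses ASA message 106023 (the real "Deny ... by access-group" format) from constructed sample lines (hostname, timestamps and addresses are made up), tallies which outbound ports are being blocked, and flags any internal host that is trying many distinct destination ports, the usual footprint of a scanning or misbehaving workstation. ICMP denies use a different 106023 layout (type/code rather than ports) and are counted as unparsed rather than silently lost.

```python
"""Egress-deny summary over ASA syslog (message 106023); sample lines are constructed."""
import re
from collections import Counter, defaultdict

# %ASA-4-106023: Deny <proto> src <ifc>:<ip>/<port> dst <ifc>:<ip>/<port> by access-group "<acl>"
DENY_RE = re.compile(
    r'%ASA-4-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_ifc>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) '
    r'dst (?P<dst_ifc>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) '
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: a host sending SMTP directly, one probing an outside
# box across several ports, one using an external DNS server, plus an ICMP
# deny and an unrelated connection-built message.
SAMPLE_LOG = """\
May 22 2008 09:10:01 fw01 : %ASA-4-106023: Deny tcp src inside:10.1.20.15/51002 dst outside:198.51.100.7/25 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:10:03 fw01 : %ASA-4-106023: Deny tcp src inside:10.1.20.15/51003 dst outside:198.51.100.7/25 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:10:09 fw01 : %ASA-4-106023: Deny tcp src inside:10.1.20.15/51010 dst outside:203.0.113.9/25 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:11:40 fw01 : %ASA-4-106023: Deny tcp src inside:10.1.30.42/40001 dst outside:198.51.100.20/135 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:11:40 fw01 : %ASA-4-106023: Deny tcp src inside:10.1.30.42/40002 dst outside:198.51.100.20/139 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:11:41 fw01 : %ASA-4-106023: Deny tcp src inside:10.1.30.42/40003 dst outside:198.51.100.20/445 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:11:41 fw01 : %ASA-4-106023: Deny tcp src inside:10.1.30.42/40004 dst outside:198.51.100.20/3389 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:11:42 fw01 : %ASA-4-106023: Deny tcp src inside:10.1.30.42/40005 dst outside:198.51.100.20/22 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:12:15 fw01 : %ASA-4-106023: Deny udp src inside:10.1.20.88/60211 dst outside:203.0.113.50/53 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:12:16 fw01 : %ASA-4-106023: Deny udp src inside:10.1.20.88/60212 dst outside:203.0.113.50/53 by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:12:30 fw01 : %ASA-4-106023: Deny icmp src inside:10.1.20.88 dst outside:203.0.113.50 (type 8, code 0) by access-group "inside_in" [0x0, 0x0]
May 22 2008 09:12:31 fw01 : %ASA-6-302013: Built outbound TCP connection 4711 for outside:198.51.100.80/443 (198.51.100.80/443) to inside:10.1.20.15/51020 (192.0.2.10/1032)
"""


def parse_denies(text):
    """Return (events, unparsed): parsed TCP/UDP denies and the count of
    106023 lines that did not fit the port-based layout (e.g. ICMP)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        if "106023" not in line:
            continue  # other message IDs are not egress denies
        m = DENY_RE.search(line)
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["src_port"], e["dst_port"] = int(e["src_port"]), int(e["dst_port"])
        events.append(e)
    return events, unparsed


def summarize(events, min_ports=5):
    """Tally blocked destination ports and flag sources touching >= min_ports
    distinct ports (one host, many ports = scan-like behaviour)."""
    top_ports = Counter((e["proto"], e["dst_port"]) for e in events)
    ports_by_src = defaultdict(set)
    for e in events:
        ports_by_src[e["src_ip"]].add(e["dst_port"])
    flagged = sorted(ip for ip, ports in ports_by_src.items() if len(ports) >= min_ports)
    return {
        "top_ports": top_ports,
        "ports_by_src": {ip: sorted(p) for ip, p in ports_by_src.items()},
        "flagged": flagged,
    }


if __name__ == "__main__":
    evts, skipped = parse_denies(SAMPLE_LOG)
    report = summarize(evts)
    print(f"{len(evts)} denies parsed, {skipped} unparsed")
    for (proto, port), n in report["top_ports"].most_common(3):
        print(f"  {proto}/{port}: {n}")
    print("flagged:", report["flagged"])
```

Feeding this a day of logs tells you whether the outbound ACL is hitting legitimate traffic (a department that really needs a port opened shows up as one host, one port, repeatedly) or something you want to go look at (one host, many ports, or a desktop trying to speak SMTP directly when only the mail server should).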
