Allowing any NAS to connect to my radiusd.
Guy.Davies at telindus.co.uk
Fri Jul 15 13:16:01 CEST 2005
> > The best method is to have individual clients listed with *unique*
> > keys per client (yes, I know this is a real pain but if you want
> > security this is about the best you can do with the limited
> > afforded by the shared key).
> I know how things work, I was just wondering about the
> approach since that would make some things easier for me.
> What other risks does one run when others to query your
> radiusd? I don't think dictionary checks are that useful
> since passwords and username are all pretty long and use
> special characters. Could this have a more serious impact on
> the server like DOS or such?
Yes, I believe it would make DoS easier. A server can reject
*any* request that comes from an "unknown" client, so as long as the server
can run the authentication check (calculate an MD5 hash) quickly enough,
a DoS will be less effective. If the calculation of an MD5 hash
reveals an "authenticated" client, then the server must allocate
resource to actually carry out the requested action. If sufficient
requests are targeted at your server, it will have no resource to
handle valid requests. The secret key per client is far from ideal (see
some of the discussions about the benefits of DIAMETER over the last few
days) but opening up your server like this is very unwise.
I'd also say that while you may have excellent username and password
selection criteria, opening up your system like this would simply remove
one extra hurdle an attacker would have to scale to start obtaining
information on your network.
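The two-stage check the reply describes, as an added example that is not code from this thread or from FreeRADIUS itself: a per-client secret table keyed by NAS source address, an unknown-client rejection that costs no hashing at all, and the per-client secret check that does cost an MD5 for known clients. The client addresses and secrets are constructed placeholders. Note that a plain Access-Request carrying only an encrypted User-Password gives the server nothing it can cheaply verify against the secret; the example therefore checks the two packet forms that do carry a secret-keyed hash, the RFC 2866 Accounting-Request authenticator and the RFC 2869 Message-Authenticator attribute.

```python
"""Added example (not from the thread or FreeRADIUS): per-client RADIUS
secret lookup and authenticator verification."""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCOUNTING_REQUEST = 4
USER_NAME = 1
NAS_IP_ADDRESS = 4
MESSAGE_AUTHENTICATOR = 80  # RFC 2869 attribute type

# Constructed client table keyed by NAS source address; the secrets are
# placeholders, not real credentials.
CLIENTS = {
    "192.0.2.10": b"example-secret-nas1",
    "192.0.2.11": b"example-secret-nas2",
}


def encode_attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: Type (1 octet), Length (1 octet, incl. header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_accounting_request(identifier: int, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2866: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + auth + attrs


def build_access_request(identifier: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """RFC 2869 Message-Authenticator: HMAC-MD5 keyed with the shared secret over
    the whole packet, with the Message-Authenticator value set to 16 zero octets."""
    body = attrs + encode_attr(MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body))
    mac = hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
    return header + req_auth + attrs + encode_attr(MESSAGE_AUTHENTICATOR, mac)


def find_message_authenticator(attrs: bytes):
    """Walk the attribute TLVs; return the offset of the Message-Authenticator value."""
    off = 0
    while off + 2 <= len(attrs):
        atype, alen = attrs[off], attrs[off + 1]
        if alen < 2 or off + alen > len(attrs):
            return None  # malformed TLV
        if atype == MESSAGE_AUTHENTICATOR and alen == 18:
            return off + 2
        off += alen
    return None


def verify_request(src_ip: str, packet: bytes) -> str:
    """Stage 1 drops unknown clients with a dictionary lookup only; stage 2
    spends one MD5/HMAC-MD5 to confirm the packet was built with that client's secret."""
    secret = CLIENTS.get(src_ip)
    if secret is None:
        return "dropped: unknown client"  # no hash computed at all
    if len(packet) < 20:
        return "dropped: malformed"
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return "dropped: malformed"
    header, req_auth, attrs = packet[:4], packet[4:20], packet[20:]
    if code == ACCOUNTING_REQUEST:
        expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
        ok = hmac.compare_digest(expected, req_auth)
    elif code == ACCESS_REQUEST:
        off = find_message_authenticator(attrs)
        if off is None:
            return "dropped: no Message-Authenticator"
        zeroed = attrs[:off] + bytes(16) + attrs[off + 16:]
        expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
        ok = hmac.compare_digest(expected, attrs[off:off + 16])
    else:
        return "dropped: unsupported code"
    return "accepted" if ok else "dropped: bad authenticator"


if __name__ == "__main__":
    attrs = encode_attr(USER_NAME, b"alice") + encode_attr(NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))
    pkt = build_accounting_request(7, attrs, CLIENTS["192.0.2.10"])
    print(verify_request("192.0.2.10", pkt))     # accepted
    print(verify_request("198.51.100.5", pkt))   # dropped: unknown client
    print(verify_request("192.0.2.11", pkt))     # dropped: bad authenticator
```

The point the reply makes shows up in the ordering inside `verify_request`: a packet from an address that is not in the client table never reaches the hash, while every packet from a listed address costs the server one MD5 before it can be discarded, which is why listing "any NAS" as a client widens the resource the server must spend per unsolicited packet.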