RE: Re: Loadbalancing and failover using different servers
Juan Perez wrote:
I want to implement a RADIUS load-balancing and failover scenario using FreeRadius and Cisco ACS. The idea I have in mind is to have these two servers answering to RADIUS requests in a round-robin fashion and should one of them for some reason go down, the other one would take care of answering to the RADIUS requests.
You will need a load balancer in front of the two servers.
Have any of you implemented such an scenario, using FreeRadius together with another RADIUS server from a different vendor? If so, what are the main problems you found doing this (incompatibility, high-maintenance costs, effort, etc)?
I'd be very glad to hear from you as to why such an scenario make/doesn't make sense.
I don't see why you would put two different servers into one load-balance pool. And even worse, pairing a horrible server with a great one!
Alan DeKok.
Hi Alan, Ok, it is actually two scenarios, one with the load-balancer, and another one with the failover, but I'm more interested in the failover part. You don't have to convince me of FreeRadius being the best RADIUS server around, that I know already but the idea behind pairing FreeRadius with a horrible server is as follows. Let's suppose that I have two servers running the latest and shiniest version of FreeRadius and for some reason there is a bug in FreeRadius that causes the server to crash when a specially crafted RADIUS packet is received. Let's suppose that there is also an attacker (a disglunted employee maybe?), who knows about this bug and decides to attack my FreeRadius servers, so he starts sending these specially crafted packets to each server and since the two servers have the same bug, both of them would die upon receiving these packets. If I have two servers from different vendors, I could thus hopefully guarantee that at least the horrible server would continue working while an attack targeted at FreeRadius is going on. The horrible server doesn't need to be necessarily a Cisco ACS, any other horrible server would do it (Microsoft IAS, Steel-Belted, etc). So, does it make sense now or is the idea too stupid to be even considered? Juan
Juan Perez wrote:
Let's suppose that I have two servers running the latest and shiniest version of FreeRadius and for some reason there is a bug in FreeRadius that causes the server to crash when a specially crafted RADIUS packet is received.
Hmm... that's hard to do: http://freeradius.org/security.html Notice anything about 2.x on that page?
Let's suppose that there is also an attacker (a disglunted employee maybe?), who knows about this bug and decides to attack my FreeRadius servers, so he starts sending these specially crafted packets to each server and since the two servers have the same bug, both of them would die upon receiving these packets.
Even if that did happen, you would probably notice.
If I have two servers from different vendors, I could thus hopefully guarantee that at least the horrible server would continue working while an attack targeted at FreeRadius is going on. The horrible server doesn't need to be necessarily a Cisco ACS, any other horrible server would do it (Microsoft IAS, Steel-Belted, etc).
So, does it make sense now or is the idea too stupid to be even considered?
Or, you could believe that maintaining the same configuration in two completely independent products is a huge PITA, and not worth the effort of "maybe" avoiding an attack. The FreeRADIUS source code is regularly scanned with Coverity, LLVM, and a few others. Nothing has come up in the last 3 years, for 2.x. Alan DeKok.
Let's suppose that there is also an attacker (a disglunted employee maybe?), who knows about this bug and decides to attack my FreeRadius servers, so he starts sending these specially crafted packets to each server and since the two servers have the same bug, both of them would die upon receiving these packets.
I suggest using network-based firewall or even a kernel-based firewall to limit what IP addresses are allowed to talk to your radius server. While it's not 100% perfect, it should at least limit your exposure to hosts you know about and hopefully trust. Managing two platforms is very tough especially given the flexibility FreeRadius gives you. Not all platforms will offer this. You'd be begging to put yourself in a situation where both platforms can't perform the same tasks the same way. (in my opinion) Regards, Jason P Hodges Senior Network and Systems Architect
participants (3)
-
Alan DeKok -
Jason Hodges -
Juan Perez