Center for Internet Security - Call for Participation for FreeRADIUS Benchmark

Alan DeKok aland at deployingradius.com
Fri May 11 11:16:57 CEST 2007


Dave Shackleford wrote:
> We are about to begin the consensus process for a FreeRADIUS security
> benchmark. Time commitments are minimal, all you need to do is go and
> sign up on the mailing list and provide some input to the group on the
> benchmark draft when it's released. 

  Looking at the "bind" analysis, 25% is legal text, saying "use this at
your own risk".  About 25% of the rest is definitions of DNS.  The
remainder is a short collection of how-tos that describe how to turn a
default insecure configuration of bind into a more secure one.

  The default installation of FreeRADIUS is secure.  There's very little
else anyone needs to do to make it secure.

  We are interested in reviewing the document once it's ready for
release.  But I do not have time to participate in the process.  In
addition, FreeRADIUS already contains documentation about how to
configure the server.

  Perhaps the most telling portion of your web site is:

...
The annual license fee is $3,000 per consultant, except in the case of
Category 2 CIS Members (Consultants, Auditors, and MSP's) whose annual
membership investment entitles them to obtain the Commercial Use License
for any number of employees at no additional cost.
...

  If we participate in creating a FreeRADIUS document for CIS, will we
share in any revenue generated from it?  If so, great.  If not, then
there's really no reason for us to participate in a process that makes
you money, and costs us money.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog


