Banking on RADIUS Server Security

A major financial institution uses Interlink’s RAD-Series RADIUS Servers with its Advanced Policy Engine to authenticate thousands of contractors who connect to their network via a VPN. Through the RADIUS server, they control which users and applications can access the network, providing a secure end-to-end network environment that is easy to manage.  The company takes full advantage of the features and extensibility of the RADIUS server, including wireless network security to make the most of their investment.

Project Overview

The goal for the project was to allow contractors to securely access certain bank systems via a VPN.  The RADIUS server provides the back-end authentication and authorization security functions.  Their primary network infrastructure components include Cisco VPN concentrators and PIX firewalls.

The Challenge

The challenge was finding a high-end RADIUS server that could run on Linux, authenticate against multiple data sources, interface seamlessly  with a VPN, and offer custom policy controls for time-based access control.  Freeware offerings like freeRADIUS were no an option in the commercial environment because of the lack of support, service, and time required to compile, test, and deploy these rudimentary solutions.

The Solution

After investigating the features and extensibility of the RAD-Series RADIUS Server, IT Management understood how they could leverage the RADIUS Server Advanced Policy features for other projects as well.  They extended the application to include other firewall and network security devices that use RADIUS authentication and authorization to provide user credentials, passwords, specific account information and status.

The RADIUS server also supported their wireless LAN initiative with 802.1x authentication via a EAP. The RADIUS server provided session configuration enhancements for advanced access control and data security.

Why Interlink's RADIUS Server was Selected

The bank chose the RAD-Series RADIUS Server for the following key features:

• Advanced Policy Engine.  The RADIUS Server Advanced Policy Engine makes it easy to administer, manage, and control access to network resources. The IT team wanted to implement policy controls to restrict each contractor to the network based on certain time-of-day requirements, maximum session times, and network usage. 
• The Ability to Choose Multiple Data Sources for RADIUS Authentication.  Since the IT team never knows in advance what they might be told to authenticate against on new projects, this flexibility was key. The RADIUS server supports Kerberos, LDAP, RADIUS proxy, UNIX password, RSA SecurID, and MS Active Directory databases. 
• Linux Platform Support.  The IT team has based their entire security platform on Linux for which the RAD-Series RADIUS Server is ideally suited.
• Tunnel Authorization and Extensive RADIUS VSA (Vendor-Specific Attributes) Support.  “Loads of features here, many very relevant to what I am trying to accomplish with the Cisco VPN equipment,” said the Senior Network Security Engineer.  The RADIUS server authorizes and configures tunnel users, and has a very flexible scheme to define VSAs.
• Web-Based GUI.  The RADIUS server web-based administrator simplifies server setup, maintenance, and monitoring.  It is ideal for people who might not be familiar with command line configuration file editors.