In enterprise and ISP networks that span multiple locations, credential sharing is a persistent problem. When an ISP runs RADIUS servers at several sites, a subscriber can hand their username and password to friends, who then log in from a different location, and no single RADIUS server sees anything unusual. If the network design does not account for this, the ISP loses revenue on every shared account, and the shared credentials may also expose data that was meant for one subscriber only. The solution we recommend is a shared session database, and here is why.
The challenge of managing multiple logins
Standard per-server checks fail when the same credentials are used at different locations: a RADIUS server at one site normally has no knowledge of the sessions that exist at another. Watching logins across multiple sites therefore needs a dedicated mechanism, and it has to preserve both security and the speed of the login path.
Post-processing user sessions
One approach is to examine user sessions after the fact. An hourly or daily job scans the accounting records for credentials that were active at more than one site at the same time. Users found with concurrent logins can be:
- Kicked offline right away
- Blocked temporarily
- Banned completely for repeat offenses
This works in practice, but it is not always the best choice. There is a gap between the fraudulent login and its detection, so the unauthorized session can run for hours before any action is taken.
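The batch check described above, as an added example that is not part of the original article or of any InkBridge product: it scans session records of the kind a RADIUS accounting database holds and reports pairs of sessions for the same user that overlap in time at different sites. The record layout, the site names, the stale-session rule and the sample sessions are all constructed for this example; a lost Acct-Stop is handled by trusting a session only as far as its last Interim-Update plus one interval, so a session that silently died hours ago is not reported as a concurrent login.

```python
"""Post-processing check for credentials active at two sites at once.

Added example, not InkBridge code. Record layout and sample data are
constructed; the stale_after rule is an assumption of this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    user: str
    site: str
    nas_ip: str
    start: datetime
    last_seen: datetime          # time of the last Interim-Update (or the Start)
    stop: Optional[datetime]     # None: no Acct-Stop received for this session


STALE_AFTER = timedelta(minutes=15)   # one Interim-Update interval (assumed)


def effective_stop(s: Session, now: datetime, stale_after: timedelta) -> datetime:
    """A session without an Acct-Stop is trusted only up to its last
    Interim-Update plus one interval; a lost Stop must not make a dead
    session look like it is still running."""
    if s.stop is not None:
        return s.stop
    return min(now, s.last_seen + stale_after)


def overlapping_sessions(sessions: List[Session], now: datetime,
                         stale_after: timedelta) -> List[Tuple[str, Session, Session]]:
    """Return (user, a, b) for every pair of sessions of the same user at
    different sites whose time ranges overlap."""
    by_user: Dict[str, List[Session]] = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)

    hits: List[Tuple[str, Session, Session]] = []
    for user, items in by_user.items():
        items.sort(key=lambda s: s.start)
        for i, a in enumerate(items):
            a_end = effective_stop(a, now, stale_after)
            for b in items[i + 1:]:
                if b.start >= a_end:
                    break            # sorted by start: no later session can overlap a
                if b.site != a.site:
                    hits.append((user, a, b))
    return hits


def decide_action(prior_offenses: int) -> str:
    """Escalation as listed in the article: disconnect, temporary block, ban."""
    if prior_offenses == 0:
        return "disconnect"
    if prior_offenses == 1:
        return "temporary-block"
    return "ban"


def t(hour: int, minute: int) -> datetime:
    return datetime(2024, 5, 1, hour, minute)


NOW = t(10, 0)

# Constructed sample accounting records.
SAMPLE = [
    # alice: still active at site-a while a second session starts at site-b
    Session("alice", "site-a", "10.1.0.5", t(8, 0), t(9, 55), None),
    Session("alice", "site-b", "10.2.0.9", t(9, 30), t(9, 50), None),
    # bob: two sessions at the same site, back to back; not sharing
    Session("bob", "site-a", "10.1.0.5", t(8, 0), t(9, 0), t(9, 0)),
    Session("bob", "site-a", "10.1.0.5", t(9, 10), t(9, 55), None),
    # carol: the site-a session lost its Acct-Stop at 07:05 and is stale by 09:00
    Session("carol", "site-a", "10.1.0.7", t(7, 0), t(7, 5), None),
    Session("carol", "site-b", "10.2.0.9", t(9, 0), t(9, 55), None),
]

if __name__ == "__main__":
    for user, a, b in overlapping_sessions(SAMPLE, NOW, STALE_AFTER):
        print(f"{user}: {a.site} ({a.nas_ip}) overlaps {b.site} ({b.nas_ip}) -> {decide_action(0)}")
```

Run against a full day of accounting records, the same loop is quadratic only within one user's sessions, so it stays cheap even for a large subscriber base. The stale_after rule is the part to tune: set it to the Interim-Update interval your NAS devices actually send, or lost Stops will produce either false positives or missed overlaps.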
Real-time cross-site checks
A better approach is to track sessions at each local site and consult the other sites' session data at the moment a user tries to log in. Every login is treated as potentially suspicious until it has been verified against the sessions known elsewhere, in the spirit of zero-trust network access.
As one might expect, there are costs and benefits to this approach. Here we describe why it is useful, how it is done, and what the pros and cons are.
Using a distributed session database
Many of our ISP clients need to ensure that credentials are not being shared with friends and family at multiple locations. Every time a new user session is initiated, the session database must be checked for an active session for those credentials at a different location.
Each site's session database is replicated to every other site, giving each site a complete view of who is logged in across the whole network. Lookups are then local reads, so the check adds no cross-site round trip to the login path.
How to set up distributed session databases
The diagram below shows how a good setup works:
- Each site runs a session database cluster with three nodes (in this case, Redis nodes).
- Each node runs a primary instance for the local site, plus replica instances of the primaries at the other three sites.
- Multi-factor authentication can be layered on top for extra security.
[Figure: four sites, each with its own RADIUS servers and session database cluster]
This design gives each site copies of the session databases at all the other sites, so each data center has an accurate view of all active sessions at all locations. Because the "is this credential already in use?" check is a local read of replicated data rather than a query to a remote site, the performance impact on the login path is minimal.
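The real-time check from the last two sections, as an added example that is not part of the original article or of any InkBridge product. It models the four-site design with plain dictionaries: each site has a writable primary holding its own sessions plus read-only copies of the other sites' primaries, and a replicate() call stands in for Redis replication. Site names, NAS addresses, session identifiers and the ten-minute idle timeout are constructed for the example. Authentication only ever reads local data; accounting Start, Interim-Update and Stop messages only ever write to the local primary.

```python
"""Real-time cross-site session check against a replicated session store.

Added example, not InkBridge code. Dicts stand in for Redis hashes and
replicate() for Redis replication; all names and timings are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Active:
    session_id: str
    site: str
    nas_ip: str
    last_seen: datetime


class SessionDatabase:
    def __init__(self, sites: Iterable[str], idle_timeout: timedelta):
        self.sites = list(sites)
        self.idle_timeout = idle_timeout
        # site -> {user: Active}: the local primary, written by that site's RADIUS servers
        self.primary: Dict[str, Dict[str, Active]] = {s: {} for s in self.sites}
        # site -> other site -> local read-only copy of that other site's primary
        self.replica: Dict[str, Dict[str, Dict[str, Active]]] = {
            s: {o: {} for o in self.sites if o != s} for s in self.sites}

    def replicate(self) -> None:
        """Push every primary to the replicas at the other sites. Real
        replication is asynchronous: until it catches up, a login recorded
        at one site is invisible to the others."""
        for s in self.sites:
            for o in self.sites:
                if o != s:
                    self.replica[s][o] = dict(self.primary[o])

    def _is_live(self, a: Active, now: datetime) -> bool:
        # No Interim-Update within idle_timeout means the session is treated
        # as gone, so a lost Acct-Stop cannot lock the subscriber out forever.
        return now - a.last_seen <= self.idle_timeout

    def active_elsewhere(self, site: str, user: str, now: datetime) -> Optional[Active]:
        """Local reads only: consult this site's replica copies."""
        for table in self.replica[site].values():
            a = table.get(user)
            if a is not None and self._is_live(a, now):
                return a
        return None

    # Authentication path: decide an Access-Request.
    def access_request(self, site: str, user: str, now: datetime) -> Tuple[str, str]:
        a = self.active_elsewhere(site, user, now)
        if a is not None:
            return "Access-Reject", f"{user} already active at {a.site} from NAS {a.nas_ip}"
        return "Access-Accept", "no concurrent session at another site"

    # Accounting path: writes go to the local primary only.
    def acct_start(self, site: str, user: str, session_id: str, nas_ip: str, now: datetime) -> None:
        # A second session at the same site simply replaces the record; the
        # policy here targets different locations, not multiple devices at home.
        self.primary[site][user] = Active(session_id, site, nas_ip, now)

    def acct_interim(self, site: str, user: str, session_id: str, now: datetime) -> None:
        a = self.primary[site].get(user)
        if a is not None and a.session_id == session_id:
            a.last_seen = now

    def acct_stop(self, site: str, user: str, session_id: str) -> None:
        a = self.primary[site].get(user)
        # Only the recorded session may clear the entry: a late Stop for an
        # older session must not erase a newer one.
        if a is not None and a.session_id == session_id:
            del self.primary[site][user]


def walkthrough() -> List[str]:
    """Scripted exchange between two sites; returns the decision at each step."""
    db = SessionDatabase(["site-a", "site-b", "site-c", "site-d"], timedelta(minutes=10))
    t0 = datetime(2024, 5, 1, 9, 0)
    m = lambda k: t0 + timedelta(minutes=k)
    out = []
    out.append(db.access_request("site-a", "alice", t0)[0])      # Accept: nothing known
    db.acct_start("site-a", "alice", "s1", "10.1.0.5", t0)
    out.append(db.access_request("site-b", "alice", t0)[0])      # Accept: not yet replicated
    db.replicate()
    out.append(db.access_request("site-b", "alice", m(1))[0])    # Reject: seen at site-a
    out.append(db.access_request("site-a", "alice", m(1))[0])    # Accept: same site
    out.append(db.access_request("site-b", "alice", m(30))[0])   # Accept: no update for 30 min
    db.acct_interim("site-a", "alice", "s1", m(25))
    db.replicate()
    out.append(db.access_request("site-b", "alice", m(30))[0])   # Reject: refreshed by interim
    db.acct_stop("site-a", "alice", "s1")
    db.replicate()
    out.append(db.access_request("site-b", "alice", m(31))[0])   # Accept: session ended
    return out


if __name__ == "__main__":
    for step, decision in enumerate(walkthrough(), 1):
        print(step, decision)
```

The second step in the walkthrough is the caveat worth keeping in mind: between a login being recorded at one site and that record arriving at the others, a second login slips through. With Redis replication that window is normally well under a second, but it is not zero, so the post-processing job described earlier remains a useful backstop rather than a replaced technique. The idle timeout should match the Interim-Update interval configured on the NAS devices, for the same reasons as in the batch check.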
Hardware and software needs for tracking sessions
Setting up this solution requires the right tools:
- Database choice: Redis works well for tracking sessions because lookups are fast and it supports replication out of the box.
- Network setup: Make sure there is enough bandwidth, and low enough latency, between sites for replication to keep up with session churn.
- Backup systems: Build in redundancy so that one site going down does not stop logins at the others, and decide in advance how a site should behave while its replica of a peer is unreachable or stale.
- Security measures: Encrypt all traffic between sites; Redis supports TLS for both client connections and replication links.
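Two Redis configuration fragments for one node of the design above, added here as an example rather than taken from the original article or any InkBridge deployment: one for the local primary and one for the read-only replica of a sister site's primary. The hostnames, ports, certificate paths and password placeholders are assumptions; the directive names are standard Redis 6+ options.

```conf
# --- site-a primary (written by site A's RADIUS servers) ---
port 0                          # no plaintext listener at all
tls-port 6379
tls-cert-file /etc/redis/site-a.crt
tls-key-file  /etc/redis/site-a.key
tls-ca-cert-file /etc/redis/ca.crt
tls-auth-clients yes            # RADIUS servers and sister-site replicas must present a certificate
requirepass REPLACE-WITH-PRIMARY-PASSWORD
# The weak alternative this replaces: "bind 0.0.0.0" on a plaintext port with
# no requirepass, which exposes every subscriber's session table to the WAN.

# --- site-a replica of site B's primary (read-only local copy) ---
port 0
tls-port 6380                   # one instance per sister site, each on its own port
tls-cert-file /etc/redis/site-a.crt
tls-key-file  /etc/redis/site-a.key
tls-ca-cert-file /etc/redis/ca.crt
replicaof site-b-redis.example.net 6379
tls-replication yes             # replication link to site B also runs over TLS
masterauth REPLACE-WITH-SITE-B-PASSWORD
replica-read-only yes           # site A only ever reads site B's sessions
```

The RADIUS servers at site A write Start, Interim-Update and Stop records to port 6379 and answer Access-Requests by reading 6379 plus one port per sister site. Keeping the replicas read-only makes the data-ownership rule from the design explicit: a site can only ever change its own session table.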
The benefits of distributed session databases (beyond stopping fraud)
While preventing fake logins is the main goal, this solution offers other benefits:
- Network segmentation: Knowing which site and NAS every session belongs to makes it easier to control who reaches which part of the network.
- Better visibility: A clearer picture of how devices connect to your services, across all sites rather than one server at a time.
- Faster troubleshooting: Login problems are easier to locate when all of a user's sessions are visible in one place.
- Detection of stolen credentials: Unusual login patterns, such as one account appearing in two cities at once, can reveal credentials that were phished or otherwise stolen, not just shared.
Fraudulent credential sharing can represent a significant revenue loss for an ISP or other service provider. A network design that prevents it without sacrificing stability, scalability or performance is essential to the health of the business.
Need more help?
InkBridge Networks has been at the forefront of network security for over two decades, tackling complex challenges across various protocols and infrastructures. Our team of seasoned experts has encountered and solved nearly every conceivable network security issue. If you're looking for insights from the architects behind some of the internet's most foundational authentication systems, you can request a quote for network security solutions here.
Related Articles
RADIUS protocol and password compatibility
In order for RADIUS authentication to work, user passwords need to be stored in a format that is understood by the authentication protocol used by the client. Unfortunately, not all protocols work with all password storage formats. This can be especially problematic with platforms that use proprietary formats or protocols.
Separating Authentication from your RADIUS Accounting server
Many ISP networks and enterprise environments handle both Authentication and Accounting functions through the same RADIUS servers and databases. While this configuration works well for small and low-load systems, there are compelling reasons to separate these critical network security functions.