North American Network Operators Group|
Date Prev | Date Next |
Date Index |
Thread Index |
Author Index |
Re: ABOVE.NET SECURITY TRUTHS?
- From: Hank Nussbacher
- Date: Sun Apr 30 02:31:06 2000
At 15:06 28/04/00 -0600, Alec H. Peterson wrote:
>Paul Froutan wrote:
>> I don't think you can. However, I use TACACS on all my switches and
>> routers. From what I know, TACACS passwords are encrypted using the key on
>> your network devices and the TACACS server. So, that, in combination with
>> a private management LAN not accessible by your customers should lock down
>> your network pretty effectively. Any comments?
>Using TACACS+ with some sort of one-time-passwording works very well.
TACACS encryption won't help if you follow the Cisco Essential IOS Features
(v 2.82 - Feb 18, 2000). On page 45 they discuss router command auditing
aaa accounting command 15 start-stop tacacs+
Unfortunately, this will log in your syslog the password commands in
cleartext. You would have to be sure that the Unix/NT system you are
logging all Cisco commands to is as secure as your router. How many of you
run ISS/Cybercop/Netrecon scans every week on your logging servers to be
sure they are secure?
"aaa accounting command 15 start-stop tacacs+" can be considered an
unintentional backdoor for many.
I informed the Cisco authors when it was published to issue a document patch.
>Alec H. Peterson - firstname.lastname@example.org
>CenterGate Research Group - http://www.centergate.com
>"Technology so advanced, even _we_ don't understand it!"