[28385] in North American Network Operators' Group
Re: ABOVE.NET SECURITY TRUTHS?
daemon@ATHENA.MIT.EDU (John Kristoff)
Fri Apr 28 17:17:52 2000
Message-ID: <3909FE09.16ADC719@depaul.edu>
Date: Fri, 28 Apr 2000 16:09:29 -0500
From: John Kristoff <jtk@depaul.edu>
Reply-To: jtk@aharp.is-net.depaul.edu
MIME-Version: 1.0
To: nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
Paul Froutan wrote:
> I don't think you can. However, I use TACACS on all my switches and
SSH is becoming available on the IOS and I believe it is available in
the very latest of 'T' train IOS releases. I don't think the same is
true for the CatIOS side of the house. Hopefully soon if not already.
> routers. From what I know, TACACS passwords are encrypted using the key on
> your network devices and the TACACS server. So, that, in combination with
> a private management LAN not accessible by your customers should lock down
> your network pretty effectively. Any comments?
Yes, assuming that LAN is indeed private. The initial connection
between the client and switch will still be unencrypted. The right ACLs
for the VTY's also help.
John
