[28442] in North American Network Operators' Group
Re: ABOVE.NET SECURITY TRUTHS?
daemon@ATHENA.MIT.EDU (Hank Nussbacher)
Sun Apr 30 02:30:23 2000
Message-Id: <3.0.5.32.20000430092717.007f54c0@max.ibm.net.il>
Date: Sun, 30 Apr 2000 09:27:17 +0200
To: "Alec H. Peterson" <ahp@hilander.com>,
Paul Froutan <pfroutan@rackspace.com>
From: Hank Nussbacher <hank@att.net.il>
Cc: rmeyer@mhsc.com, nanog@merit.edu
In-Reply-To: <3909FD5E.48EDEAF5@hilander.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Errors-To: owner-nanog-outgoing@merit.edu
At 15:06 28/04/00 -0600, Alec H. Peterson wrote:
>
>Paul Froutan wrote:
>>
>> I don't think you can. However, I use TACACS on all my switches and
>> routers. From what I know, TACACS passwords are encrypted using the key on
>> your network devices and the TACACS server. So, that, in combination with
>> a private management LAN not accessible by your customers should lock down
>> your network pretty effectively. Any comments?
>
>Using TACACS+ with some sort of one-time-passwording works very well.
TACACS encryption won't help if you follow the Cisco Essential IOS Features
(v 2.82 - Feb 18, 2000). On page 45 they discuss router command auditing
and recommend:

aaa accounting command 15 start-stop tacacs+

Unfortunately, this will log in your syslog the password commands in
cleartext. You would have to be sure that the Unix/NT system you are
logging all Cisco commands to is as secure as your router. How many of you
run ISS/Cybercop/Netrecon scans every week on your logging servers to be
sure they are secure?

"aaa accounting command 15 start-stop tacacs+" can be considered an
unintentional backdoor for many.

I informed the Cisco authors when it was published to issue a document patch.

-Hank
>
>Alec
>
>--
>Alec H. Peterson - ahp@hilander.com
>Staff Scientist
>CenterGate Research Group - http://www.centergate.com
>"Technology so advanced, even _we_ don't understand it!"
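The point of the thread is that privilege-15 command accounting ships every typed command to the accounting host, including commands whose arguments are credentials, so the host holding those records becomes as sensitive as the routers. One defensive mitigation is to sanitise the records as they are written or collected. The Python below is an added example, not code from the original post, from Cisco or from any TACACS+ server: the record layout is a constructed approximation of a tab-separated accounting log with a trailing `cmd=` field, and the IOS command patterns cover a small, assumed set of credential-carrying commands (enable secret/password, username password/secret, tacacs-server and radius-server keys, snmp-server community, key-string).

```python
import re
from typing import Dict, List, Optional, Tuple

REDACTED = "<REDACTED>"

# Patterns for IOS commands whose trailing argument is a credential.
# Group 1 is the prefix to keep, group 2 the secret to drop, any later
# groups are suffix text to keep (e.g. the "RO" after an SNMP community).
# Assumption: the operator typed the full keyword. IOS also accepts
# abbreviations such as "ena sec", which these patterns will not catch.
SECRET_PATTERNS = {
    "enable": re.compile(
        r"^(enable\s+(?:secret|password)(?:\s+[05789])?\s+)(\S.*)$"),
    "username": re.compile(
        r"^(username\s+\S+\s+(?:.*\s)?(?:password|secret)(?:\s+[0579])?\s+)(\S.*)$"),
    "aaa-key": re.compile(
        r"^((?:tacacs-server|radius-server)\s+(?:host\s+\S+\s+.*?)?key(?:\s+[07])?\s+)(\S.*)$"),
    "snmp-community": re.compile(
        r"^(snmp-server\s+community\s+)(\S+)(.*)$"),
    "key-string": re.compile(
        r"^(key-string(?:\s+[07])?\s+)(\S.*)$"),
}


def redact_command(cmd: str) -> Tuple[str, Optional[str]]:
    """Return (sanitised command, kind of secret found or None)."""
    text = cmd.strip()
    for kind, pattern in SECRET_PATTERNS.items():
        m = pattern.match(text)
        if m:
            groups = m.groups()
            return groups[0] + REDACTED + "".join(groups[2:]), kind
    return text, None


def redact_accounting_line(line: str) -> Tuple[str, Optional[str]]:
    """Split a record at its cmd= field, sanitise the command, reassemble."""
    head, sep, cmd = line.rstrip("\n").partition("cmd=")
    if not sep:
        return line.rstrip("\n"), None  # no command field, nothing to redact
    clean, kind = redact_command(cmd)
    return head + sep + clean, kind


def scan_accounting_log(text: str) -> Tuple[List[str], Dict[str, int]]:
    """Redact every record and count which kinds of secret were present."""
    clean_lines: List[str] = []
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        clean, kind = redact_accounting_line(line)
        clean_lines.append(clean)
        if kind:
            counts[kind] = counts.get(kind, 0) + 1
    return clean_lines, counts


# Constructed sample records (not from any real server). The layout is an
# assumption loosely modelled on a tab-separated TACACS+ accounting log:
# timestamp, NAS, user, port, client, event, then attribute=value fields.
_REC = ("Sun Apr 30 09:2{m}:{s} 2000\t192.0.2.1\tnetops\ttty1\t192.0.2.50\t"
        "stop\ttask_id={t}\tservice=shell\tpriv-lvl=15\tcmd={c}\n")
SAMPLE_LOG = "".join(_REC.format(m=m, s=s, t=t, c=c) for m, s, t, c in [
    (7, 17, 12, "show ip route"),
    (8, "02", 13, "enable secret S3cr3t!"),
    (8, 40, 14, "username ops privilege 15 password 0 Op3rat0r"),
    (9, "05", 15, "snmp-server community public RO"),
    (9, 33, 16, "tacacs-server host 192.0.2.50 key tacKey99"),
    (9, 58, 17, "interface FastEthernet0/0"),
])

if __name__ == "__main__":
    lines, found = scan_accounting_log(SAMPLE_LOG)
    for line in lines:
        print(line)
    print("secrets redacted by kind:", found)
```

The redactor keys on full keywords, and IOS accepts abbreviated ones, so pattern matching reduces exposure but does not remove it; the host receiving these records still needs the same protection as the routers, which is the thread's underlying point. The same logic can run as a post-processing step on the accounting server or in a log shipper before records reach long-term storage, and the per-kind counts double as a detection signal for credential changes issued from the CLI.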