[28445] in North American Network Operators' Group


Re: ABOVE.NET SECURITY TRUTHS?

daemon@ATHENA.MIT.EDU (Alec H. Peterson)
Sun Apr 30 10:38:38 2000

Message-ID: <390C44E4.1A25533@hilander.com>
Date: Sun, 30 Apr 2000 08:36:20 -0600
From: "Alec H. Peterson" <ahp@hilander.com>
MIME-Version: 1.0
To: Hank Nussbacher <hank@att.net.il>
Cc: Paul Froutan <pfroutan@rackspace.com>, rmeyer@mhsc.com,
	nanog@merit.edu
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu


Hank Nussbacher wrote:
> 
> TACACS encryption won't help if you follow the Cisco Essential IOS Features
> (v 2.82 - Feb 18, 2000).  On page 45 they discuss router command auditing
> and recommend:
> 
> aaa accounting command 15 start-stop tacacs+
> 
> Unfortunately, this will log in your syslog the password commands in
> cleartext.  You would have to be sure that the Unix/NT system you are
> logging all Cisco commands to is as secure as your router.  How many of you
> run ISS/Cybercop/Netrecon scans every week on your logging servers to be
> sure they are secure?

Hrm, that's odd, since I was using TACACS+ accounting a while ago (that
exact command actually) and it never logged any passwords that I entered...

Alec

-- 
Alec H. Peterson - ahp@hilander.com
Staff Scientist
CenterGate Research Group - http://www.centergate.com
"Technology so advanced, even _we_ don't understand it!"
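
One way to check the point disputed above on your own logging host: an added example (not part of either message) that scans command-accounting records for configuration commands carrying a secret and reports each hit with the secret redacted. The tab-separated record layout, the command list, and the sample records are assumptions constructed for illustration.

```python
import re

# IOS commands that take a secret argument (assumed, non-exhaustive list).
SECRET_CMD = re.compile(
    r"^(?:enable (?:password|secret)(?: level \d+)?"
    r"|username \S+ (?:password|secret)"
    r"|password"
    r"|snmp-server community"
    r"|tacacs-server key)"
    r"(?: (?P<enc>[057]))? (?P<secret>\S+)",
    re.IGNORECASE,
)

def parse_cmd(record):
    """Return (nas, user, cmd) from one accounting record, or None.
    Assumed layout: timestamp, NAS, user, ... then attr=value fields."""
    fields = record.rstrip("\n").split("\t")
    cmd = next((f[4:] for f in fields if f.startswith("cmd=")), None)
    if cmd is None or len(fields) < 3:
        return None
    return fields[1], fields[2], cmd.replace("<cr>", "").strip()

def findings(records):
    """List (nas, user, kind, redacted_cmd) for every secret-bearing command."""
    out = []
    for rec in records:
        parsed = parse_cmd(rec)
        if parsed is None:
            continue
        nas, user, cmd = parsed
        m = SECRET_CMD.match(cmd)
        if m is None:
            continue
        # Encryption type 5 is a hash, 7 is weak obfuscation, otherwise cleartext.
        kind = {"5": "hashed", "7": "type7-obfuscated"}.get(m.group("enc"), "cleartext")
        redacted = cmd[:m.start("secret")] + "<redacted>" + cmd[m.end("secret"):]
        out.append((nas, user, kind, redacted))
    return out

def _rec(user, cmd):
    # Constructed sample record; addresses are documentation-range placeholders.
    return "\t".join(["Apr 30 08:36:20", "192.0.2.1", user, "tty2", "192.0.2.50",
                      "stop", "task_id=1", "service=shell", "priv-lvl=15",
                      f"cmd={cmd} <cr>"])

SAMPLE = [_rec("alice", "configure terminal"),
          _rec("alice", "enable password hunter2"),
          _rec("bob", "enable secret 5 $1$abcd$CONSTRUCTEDHASH"),
          _rec("bob", "show running-config"),
          _rec("bob", "snmp-server community s3cr3tRW RW")]

if __name__ == "__main__":
    for row in findings(SAMPLE):
        print(*row, sep=" | ")
```

An empty result on real accounting files matches the reply's experience; any "cleartext" rows mean the log server holds credentials and needs the same protection as the routers.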

