nanog mailing list archives

Re: ABOVE.NET SECURITY TRUTHS?


From: Danny McPherson <danny () tcb net>
Date: Mon, 01 May 2000 02:37:14 -0600



As you pointed out to Barry Greene and myself previously, the "aaa 
accounting" command as below will log commands typed in at "enable" level. 
So, if you are changing the onboard router password, yes, you will see the 
new password in your accounting logs, in clear text.

However, I don't consider it good practice to keep any critical passwords 
on a router when an authentication mechanism such as TACACS+ is in place.

Unfortunately, auth servers fail and you have to keep VTY and fallback 
passwords locally configured on the router.

Also, if I was modifying the onboard enable secret (last resort password 
when TACACS+ or Radius is configured) at any stage, I'd tftp-load the 
configuration from a remote server, not ever type it in live.

I don't see how this actually changes anything though, aren't tftp'd files
authorized (and therefore, logged) in a similar manner?

And as wonderful as it sounds, it's not always possible in real networks.

However, entering the encrypted *enable* password (w/level) would accommodate
this.  Though, of course, the BGP TCP MD5 stuff and the VTY passwords (and
most other passwords) still don't support the ~non-reversible encryption 
algorithm.

As for this entire thread, it seems now to be more appropriate for cisco-nsp
or the like.

-danny
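An added example, not from the original post or thread, taking the defender's side of the point above: a Python filter run over constructed TACACS+-style accounting lines that flags commands where a cleartext credential was typed live at enable level and redacts the credential before the log is stored. An enable secret entered already hashed (type 5) is redacted but not flagged, matching the accommodation the post describes. The log layout, field names and command set are assumptions for illustration.

```python
import re

# IOS commands that carry a credential as their trailing argument.
# "pre" is the command up to the secret; "type" is the optional encryption
# type digit (0 = cleartext, 5 = MD5 hash, 7 = reversible); "secret" is the value.
SECRET_CMDS = [
    re.compile(r"^(?P<pre>enable (?:secret|password)(?: level \d+)? )(?:(?P<type>[057]) )?(?P<secret>\S+)$"),
    re.compile(r"^(?P<pre>username \S+ (?:secret|password) )(?:(?P<type>[057]) )?(?P<secret>\S+)$"),
    re.compile(r"^(?P<pre>neighbor \S+ password )(?:(?P<type>[07]) )?(?P<secret>\S+)$"),
    re.compile(r"^(?P<pre>password )(?:(?P<type>[07]) )?(?P<secret>\S+)$"),
]
CMD_FIELD = re.compile(r"cmd=(?P<cmd>.*)$")  # assumed accounting field name


def classify(cmd):
    """Return (command, already_hashed) if cmd carries a credential, else None."""
    for rx in SECRET_CMDS:
        m = rx.match(cmd.strip())
        if m:
            return m.group("pre").strip(), m.group("type") == "5"
    return None


def redact(cmd):
    """Replace the credential argument; hashes are redacted too (crackable offline)."""
    for rx in SECRET_CMDS:
        m = rx.match(cmd.strip())
        if m:
            t = m.group("type") + " " if m.group("type") else ""
            return f"{m.group('pre')}{t}<REDACTED>"
    return cmd


def scrub_accounting(lines):
    """Return (cleaned_lines, findings); findings list cleartext secrets typed live."""
    cleaned, findings = [], []
    for n, line in enumerate(lines, 1):
        m = CMD_FIELD.search(line)
        if not m:
            cleaned.append(line)
            continue
        info = classify(m.group("cmd"))
        if info and not info[1]:
            findings.append((n, info[0]))
        cleaned.append(line[:m.start("cmd")] + redact(m.group("cmd")))
    return cleaned, findings


# Constructed sample accounting records (documentation addresses, fake secrets).
SAMPLE_LOG = [
    "May  1 02:37:14 192.0.2.1 admin tty2 198.51.100.5 stop task_id=41 service=shell priv-lvl=15 cmd=show ip bgp summary",
    "May  1 02:38:02 192.0.2.1 admin tty2 198.51.100.5 stop task_id=42 service=shell priv-lvl=15 cmd=enable secret level 15 0 Fallb4ck!",
    "May  1 02:38:40 192.0.2.1 admin tty2 198.51.100.5 stop task_id=43 service=shell priv-lvl=15 cmd=enable secret 5 $1$abcd$FAKEHASHVALUE",
    "May  1 02:39:11 192.0.2.1 admin tty2 198.51.100.5 stop task_id=44 service=shell priv-lvl=15 cmd=neighbor 192.0.2.2 password bgpk3y",
]
```

Running `scrub_accounting(SAMPLE_LOG)` flags records 2 and 4 (cleartext enable secret and BGP MD5 key) and leaves record 3 unflagged because the hash, not the password, was what got logged.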


