Re: ABOVE.NET SECURITY TRUTHS?

[Hank Nussbacher <hank () att net il>]

At 15:06 28/04/00 -0600, Alec H. Peterson wrote:
> Paul Froutan wrote:
> > I don't think you can.  However, I use TACACS on all my switches and
> > routers.  From what I know, TACACS passwords are encrypted using the key on
> > your network devices and the TACACS server.  So, that, in combination with
> > a private management LAN not accessible by your customers should lock down
> > your network pretty effectively.  Any comments?
>
> Using TACACS+ with some sort of one-time-passwording works very well.

TACACS encryption won't help if you follow the Cisco Essential IOS Features
(v 2.82 - Feb 18, 2000).  On page 45 they discuss router command auditing
and recommend:

aaa accounting command 15 start-stop tacacs+

Unfortunately, this will log in your syslog the password commands in
cleartext.  You would have to be sure that the Unix/NT system you are
logging all Cisco commands to is as secure as your router.  How many of you
run ISS/Cybercop/Netrecon scans every week on your logging servers to be
sure they are secure?

"aaa accounting command 15 start-stop tacacs+" can be considered an
unintentional backdoor for many.

I informed the Cisco authors when it was published to issue a document patch.

-Hank

> Alec
>
> -- 
> Alec H. Peterson - ahp () hilander com
> Staff Scientist
> CenterGate Research Group - http://www.centergate.com
> "Technology so advanced, even _we_ don't understand it!"