[c-nsp] TACACS+ best practices

Ed Ravin eravin at panix.com
Mon Apr 24 13:27:06 EDT 2006


On Tue, Apr 25, 2006 at 12:06:16AM +0700, Affan Basalamah wrote:

> 1. I used free tacplus version from cisco, installed by freebsd ports.

There's another version, which has a few extra features and is probably
more recent (and better supported than the Cisco version),
at http://shrubbery.net/tac_plus/ .

> 2. I configured user properties on tacplus.conf, and use des
> encryption for user password. Do I have better alternatives with
> passwd encryption, say MD5 hash ?

You can use a one-time password scheme, like S/Key (OPIE).

> By that configuration, is our configuration still vulnerable to
> hackers/kiddies that want to get access to my router ? FYI I have
> configured the router with ACLs for snmp and telnet/ssh, and follow
> cisco security recommendations (cymru and ciscopress books).

Sounds like you're way ahead of most shops, and shouldn't have much
to worry about as long as you regularly scan your network and routers
to confirm that they're behaving the way you want them to.
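To make the one-time password suggestion concrete, here is an added Python example (not from the post, tac_plus or OPIE itself) of the RFC 2289 MD5 hash chain that S/Key and OPIE use, with a minimal server-side verifier. It shows why a response captured off the wire cannot be replayed; the seed, passphrase and sequence count are constructed values.

```python
import hashlib


def _fold(digest: bytes) -> bytes:
    """RFC 2289 fold: XOR the two 8-byte halves of a 16-byte MD5 digest."""
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def otp_initial(seed: str, passphrase: str) -> bytes:
    """Step 0: hash the lowercased seed concatenated with the passphrase."""
    return _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())


def otp_step(value: bytes) -> bytes:
    """One link of the chain: hash the previous 8-byte value."""
    return _fold(hashlib.md5(value).digest())


def otp_at(seed: str, passphrase: str, n: int) -> bytes:
    """The n-th one-time password: n applications of otp_step to step 0."""
    value = otp_initial(seed, passphrase)
    for _ in range(n):
        value = otp_step(value)
    return value


class OtpServer:
    """Stores only the seed, the sequence number and the current hash, never the passphrase."""

    def __init__(self, seed: str, passphrase: str, count: int = 99):
        self.seed = seed
        self.seq = count
        self.stored = otp_at(seed, passphrase, count)

    def challenge(self) -> tuple:
        # The client must answer with the hash one step *before* the stored one.
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        # Accept only if hashing the response once yields what we hold;
        # a replayed response fails because the stored value has moved back.
        if otp_step(response) == self.stored:
            self.stored = response
            self.seq -= 1
            return True
        return False
```

Each successful login moves the chain one step back, so the value an eavesdropper saw is exactly the one the server will never accept again.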