Kenneth,

> I've been asked my opinions on implementing TACACS+ vs ssh to control
> access to Cisco routers.  I'm wondering if anyone has a comparison paper.  Off

Comparing TACACS+ and ssh here is like comparing apples to pears (as we say
in German...)
You can/should use them both.
If you use TACACS+, telnetting to the router is _not_ secured in any way.
It's just good ole plaintext telnet.
So you don't gain anything here. The only thing done by TACACS+ is to
authenticate the access against some kind of database (server). Talking
about secure access to the devices, you don't really have a choice. This has
to be done via ssh [or kerberized telnet].

> - Do not need to purchase or get ssh clients.

This should not be too difficult or expensive...
[e.g. www.chiark.greenend.org.uk/~sgtatham/putty/]

> Also, in light of the recent increased vulnerabilities found in ssh, like
> being able to get the length of the password, has Cisco improved their ssh
> package?

Cisco ssh was _not_ vulnerable.
But beware: to implement ssh on Cisco routers, you have to use T-images
('early deployment').
On production machines this should be considered twice (though I've not
experienced problems so far).

BTW: before implementing TACACS+ in large environments, read Solar
Designer's 'Analysis of TACACS+' (~ May 2000, to be found in the bugtraq
archives) first.
In general support for RADIUS is much better in most environments.

Regards,

Enno Rey

PGP 74C0 C7E1 3875 E4EB 9B75  8B9D 5E2D 3178 685B F222
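An added configuration example (not part of Enno's message, and not taken from Cisco documentation) to illustrate the point above: the AAA lines only decide *who* gets in by asking the TACACS+ server, while the vty `transport input` line decides whether the session itself travels as plaintext telnet or as ssh. The server address, shared key, hostname and local fallback account are placeholders; the commands are classic IOS syntax and should be checked against the image actually in use.

```cisco
! Assumed values: 192.0.2.10 = TACACS+ server, EXAMPLE_KEY = shared secret
hostname router1
ip domain-name example.net
!
! AAA: login authentication and exec authorization go to the TACACS+ server;
! the local user database is only the fallback if the server is unreachable.
aaa new-model
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE_KEY
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
username fallback-admin privilege 15 secret EXAMPLE_LOCAL_PASSWORD
!
! ssh server: needs an RSA host key, generated once in exec mode (not config):
!   crypto key generate rsa modulus 2048
ip ssh version 2
!
! Weak variant (shown only as comments, do not apply together with the block
! below): TACACS+ authenticates the login, but the session is still plaintext
! telnet on the wire, so the password and the whole session are exposed.
!   line vty 0 4
!    login authentication default
!    transport input telnet
!
! Corrected: same AAA, but the vty lines accept ssh only.
line vty 0 4
 login authentication default
 transport input ssh
```

With `transport input ssh`, a telnet connection to the vty lines is refused before any TACACS+ exchange takes place, which is the behaviour the reply above argues for: the server answers the authentication question, ssh answers the confidentiality one.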
