From: Chris Larson (clarson52@xxxxxxxxxxx)
Date: Thu Aug 29 2002 - 18:38:19 GMT-3
   
With Cisco's ACS (TACACS+) the only information that is encrypted is between
the router and the ACS server. A Telnet session to the router is still
unencrypted unless you implement SSH or a VPN, and the username and password
can be sniffed. Your session to the router is clear text; the router's
session with ACS is encrypted.
----- Original Message -----
From: "Chris Butler" <butlerc@thielenlaw.com>
To: <JA_WRIGHT@admworld.com>
Cc: <security@groupstudy.com>; <ccielab@groupstudy.com>
Sent: Thursday, August 29, 2002 2:01 AM
Subject: Re: Read Only Access For Telnet
> The enable secret is not crackable to my knowledge.
>
> You could set up a captured shell using the menu commands.  You can allow
> them to display the configuration, but they can't do much else, other than
> what you specifically allow.  "NOTE: Don't forget your exit menu option,
> or you will be trapped in Menu land."
> We have a similar issue with security wanting to see our configs.  They
> can crack the first level password xxxxx 7, but they cannot crack the
> enable secret password.
> You could implement TACACS+ AAA with a shell access list to provide more
> granular control.  It is a much cleaner, and safer solution.  Plus your
> session is encrypted.  Telnet is a clear text protocol, and passwords can
> be sniffed.
> .02.
>
> Chris
> > I have a remote location that needs read-only access to my router.
> > I know you can decrypt the encrypted password in the show run and I
> > want to eliminate the possibility of them doing that. What is the best
> > way to accomplish this?
> >
> > ************************
> >          Jeremy Wright
> >             Network Analyst
> >             Archer Daniels Midland
> >              ja_wright@admworld.com
> >     (217)451-4063
> >
> > ************************
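Added example, not part of the thread or of any Cisco tool: a small Python audit that reads a "show running-config" dump and flags the three weaknesses the replies above turn on, namely Type 7 passwords (reversible, so anyone who can read the config can recover them), vty lines that still accept Telnet (credentials cross the network in cleartext, whether or not TACACS+ is in use), and the absence of `aaa new-model` (without it there is no per-user authorization to build a granular read-only role on). It generalizes slightly beyond the thread by also flagging cleartext passwords and console/aux lines. The sample config, hostnames, usernames, hash strings and Type 7 strings are constructed placeholders, not real credentials.

```python
"""Audit a Cisco IOS running-config dump for reversible or cleartext
credentials, cleartext management transports and missing AAA.
Added example; the config below is constructed, not from the thread."""
import re
from dataclasses import dataclass

# Constructed sample "show running-config" excerpt. Every name, hash and
# Type 7 string here is a placeholder invented for this example.
SAMPLE_CONFIG = """\
hostname EDGE-RTR1
service password-encryption
enable secret 5 $1$PLCH$0000000000000000000000
enable password 7 0822455D0A16
username readonly privilege 1 password 7 094F471A1A0A
username admin privilege 15 secret 5 $1$PLCH$1111111111111111111111
line con 0
 password 7 13061E010803
 login
line vty 0 4
 login local
 transport input telnet
line vty 5 15
 login local
 transport input ssh
"""

# Credential lines: "enable password|secret", "username X [privilege N]
# password|secret", or a bare "password|secret" inside a line block.
# The optional single digit is the IOS password type (0, 4, 5, 7, 8, 9).
CRED_RE = re.compile(
    r"^\s*(?P<kind>enable password|enable secret"
    r"|username\s+\S+(?:\s+privilege\s+\d+)?\s+(?:password|secret)"
    r"|password|secret)"
    r"\s+(?:(?P<type>\d)\s+)?(?P<value>\S+)\s*$"
)
LINE_RE = re.compile(r"^line\s+(?P<name>(?:con|aux|vty)\b.*)$")
TRANSPORT_RE = re.compile(r"^\s+transport input\s+(?P<protos>.+)$")

HASHED_TYPES = {"5", "8", "9"}  # one-way: salted MD5, PBKDF2-SHA256, scrypt


@dataclass(frozen=True)
class Finding:
    lineno: int      # 0 means "whole config"
    severity: str    # "high" or "medium"
    message: str


def audit_config(text: str) -> list[Finding]:
    """Return findings in config order; an empty list means nothing flagged."""
    findings: list[Finding] = []
    current_line = None  # name of the "line ..." block we are inside, if any
    has_aaa = False

    for lineno, raw in enumerate(text.splitlines(), start=1):
        if raw.strip() == "aaa new-model":
            has_aaa = True

        m = LINE_RE.match(raw)
        if m:
            current_line = m.group("name")
            continue
        if raw and not raw[0].isspace():
            current_line = None  # a non-indented command ends the line block

        m = CRED_RE.match(raw)
        if m:
            tokens = raw.split()
            if tokens[0] == "username":
                where = f"username {tokens[1]}"
            elif current_line is not None:
                where = f"line {current_line}"
            else:
                where = m.group("kind")
            ptype = m.group("type")
            if ptype == "7":
                findings.append(Finding(lineno, "high",
                    f"{where}: Type 7 password is reversible; anyone who can "
                    "read the config can recover it. Use 'secret' instead."))
            elif ptype in (None, "0"):
                findings.append(Finding(lineno, "high",
                    f"{where}: password stored in cleartext. Use 'secret'."))
            elif ptype not in HASHED_TYPES:
                findings.append(Finding(lineno, "medium",
                    f"{where}: password type {ptype} is not a current "
                    "one-way hash; re-enter it so IOS stores type 8 or 9."))
            continue

        m = TRANSPORT_RE.match(raw)
        if m and current_line is not None:
            protos = set(m.group("protos").split())
            if protos & {"telnet", "all"}:
                findings.append(Finding(lineno, "high",
                    f"line {current_line}: accepts Telnet, so the login "
                    "crosses the network in cleartext even with TACACS+. "
                    "Restrict to 'transport input ssh'."))

    if not has_aaa:
        findings.append(Finding(0, "medium",
            "no 'aaa new-model': per-user (e.g. TACACS+ command) "
            "authorization is unavailable; line passwords are shared."))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"[{f.severity}] line {f.lineno}: {f.message}")
```

Run against a real `show running-config` by passing the file contents to `audit_config`; the line numbers in each finding refer to the dump, so they can be taken straight to the device. Replacing `password 7` with `secret` and restricting vty lines to SSH removes the two exposures the thread describes; TACACS+ with per-user authorization then gives the remote site a read-only role without sharing a reversible password.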
This archive was generated by hypermail 2.1.4 : Sat Sep 07 2002 - 19:48:42 GMT-3