cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1187
Views
0
Helpful
3
Replies

TACACS+ traffic over public Internet

oldcreek12
Beginner
Beginner

Hi, all,

We have network devices that do not have intranet/VPN connections to internal  central TACACS+ servers that are behind corp firewall, I am wondering is it an acceptable practice to send TACACS+ traffic over public Internet? TACACS+ payload is encrypted, but attacker can still tell a packet is TACACS+ packet with a sniffer.

Thanks,

 

2 Accepted Solutions

Accepted Solutions

Richard Burts
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru

Are the TACACS+ servers accessible from Internet sources? (basically that is a combination of whether there is a static address translation for the TACACS+ servers to some public address, and whether there are access policies on the firewall to permit Internet devices to initiate traffic to the TACACS+ servers). If the answer to either of those conditions is no then there is no point in considering the possibility of sending TACACS+ traffic over the Internet since it would not succeed. If those conditions are satisfied then the TACACS+ traffic could be passed.

 

And if the traffic could be passed then it becomes a question of what is the corporate attitude toward risk in Internet access. The good news is that the TACACS+ data is encrypted so an attacker will not observe user ID or password data. But the bad news is that you have now opened an attack vector to critical network devices. Only someone who knows the corporate position about risk can determine whether the benefit of TACACS+ for remote sites is worth the risk.

 

HTH

 

Rick

HTH

Rick

View solution in original post

If someone knows the TACACS+ key, they can capture traffics and decode your traffics with wireshark.

TACACS+ payload is "encrypted" is very misleading because my understanding is that yes the traffics is encrypted with DES (this is based on my understanding of looking at the tacacs+ open source code).  Ask yourself this, do you want important data to traverse the Internet via DES?

These days, I don't trust important data traversing the Internet without at least AES-256

 

View solution in original post

3 Replies 3

Richard Burts
Hall of Fame Guru Hall of Fame Guru
Hall of Fame Guru

Are the TACACS+ servers accessible from Internet sources? (basically that is a combination of whether there is a static address translation for the TACACS+ servers to some public address, and whether there are access policies on the firewall to permit Internet devices to initiate traffic to the TACACS+ servers). If the answer to either of those conditions is no then there is no point in considering the possibility of sending TACACS+ traffic over the Internet since it would not succeed. If those conditions are satisfied then the TACACS+ traffic could be passed.

 

And if the traffic could be passed then it becomes a question of what is the corporate attitude toward risk in Internet access. The good news is that the TACACS+ data is encrypted so an attacker will not observe user ID or password data. But the bad news is that you have now opened an attack vector to critical network devices. Only someone who knows the corporate position about risk can determine whether the benefit of TACACS+ for remote sites is worth the risk.

 

HTH

 

Rick

HTH

Rick

If someone knows the TACACS+ key, they can capture traffics and decode your traffics with wireshark.

TACACS+ payload is "encrypted" is very misleading because my understanding is that yes the traffics is encrypted with DES (this is based on my understanding of looking at the tacacs+ open source code).  Ask yourself this, do you want important data to traverse the Internet via DES?

These days, I don't trust important data traversing the Internet without at least AES-256

 

Thanks guys, so the answer to my question would be "NO", I will get a separate VPN path up.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers