TACACS+ traffic over public Internet

oldcreek12
Level 1

Hi, all,

We have network devices that do not have intranet/VPN connections to the internal central TACACS+ servers that are behind the corporate firewall. I am wondering: is it an acceptable practice to send TACACS+ traffic over the public Internet? The TACACS+ payload is encrypted, but an attacker can still tell that a packet is a TACACS+ packet with a sniffer.

Thanks,


3 Replies

Richard Burts
Hall of Fame

Are the TACACS+ servers accessible from Internet sources? (basically that is a combination of whether there is a static address translation for the TACACS+ servers to some public address, and whether there are access policies on the firewall to permit Internet devices to initiate traffic to the TACACS+ servers). If the answer to either of those conditions is no then there is no point in considering the possibility of sending TACACS+ traffic over the Internet since it would not succeed. If those conditions are satisfied then the TACACS+ traffic could be passed.

And if the traffic could be passed then it becomes a question of what is the corporate attitude toward risk in Internet access. The good news is that the TACACS+ data is encrypted so an attacker will not observe user ID or password data. But the bad news is that you have now opened an attack vector to critical network devices. Only someone who knows the corporate position about risk can determine whether the benefit of TACACS+ for remote sites is worth the risk.

HTH

Rick

If someone knows the TACACS+ key, they can capture traffic and decode your traffic with Wireshark.

Saying the TACACS+ payload is "encrypted" is very misleading, because my understanding is that yes, the traffic is encrypted with DES (this is based on my understanding from looking at the tacacs+ open source code). Ask yourself this: do you want important data to traverse the Internet via DES?

These days, I don't trust important data traversing the Internet without at least AES-256.

Thanks guys, so the answer to my question would be "NO". I will get a separate VPN path up.