10-01-2015 01:42 PM - edited 03-05-2019 02:26 AM
Hi Techs,
I have a general security question about an Internet router that is located outside the firewall/DMZ (perimeter network) and connected to MPLS. I was wondering whether it is secure to configure TACACS on it to have centralized validation of users logging in through the VRF management interface. (I have been told this is not good practice and that it could impose risk.)
Any feedback or suggestion would be highly appreciated.
Thank you.
10-01-2015 06:53 PM
This is an interesting question and I do not believe that there is a clear and convincing "right" answer to it. If you get answers from several people there are likely to be several different answers proposed.
On the one hand if the router is on the perimeter and is outside of the DMZ and firewall then any device that you permit to initiate traffic through the firewall to the inside is somewhat of a threat. So from that perspective do local authentication, make the password difficult, and change it frequently.
On the other hand if the firewall only permits the Tacacs protocol traffic and only permits it to the Tacacs server then you have reduced the risk and having better control over who can login to the perimeter router.
If you are concerned about potential risk to the router that is in the perimeter then you might consider disabling access via VTY, no telnet, no SSH, no HTTP, no HTTPS, no SNMP, and only allow access via the console port.
HTH
Rick
10-02-2015 08:28 AM
Hello,
How we have chosen to do it:
ip access-list extended 123
 remark only the internal management subnet may reach the VTY lines
 permit ip internal.mgmt.sub.net 0.0.0.255 any
 remark log everything else, just to see who/what's banging on us
 deny ip any any log
!
line vty 0 15
 ! on a VTY line the ACL is applied with access-class (ip access-group is for interfaces)
 access-class 123 in
we use our intranet tacacs servers protected by firewalls.
We do *not* allow our internet exposed devices to be in any way connected to the intranet. if they are compromised then there are further steps that an attacker would need to do to compromise our internal servers and systems.
10-02-2015 08:48 AM
Hello,
I do fully agree with what Richard suggested: it's better to use a difficult password and change it frequently, and to avoid the threat, disable telnet, SSH, HTTP and HTTPS access to the router and use console access.
Regards
Jatinder Sharma
10-02-2015 09:48 AM
By template, we disable telnet, http and https on all of our routers. As for a local account, how do you determine who is doing what to your devices? What if you need granular permits within who is touching a device? For example, I might allow my LAN team to do just about anything short of "config t" on a router whereas my WAN team are allowed full exec 15 access.
--tim
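Putting the two previous posts together (the VTY access-list from the 10-02 08:28 AM reply and the per-team privilege question from Tim's reply), here is an added example of an IOS configuration that does both: TACACS+ reached only through the management VRF with local fallback, command authorization so a group can be limited short of "config t", and the unneeded management services turned off as Rick suggested. This is illustrative configuration written for this thread, not from any of the posters' devices; the VRF name MGMT, the server address 10.0.0.10, the management subnet 10.10.10.0/24, the ACL name MGMT-ACL and Loopback0 as the source interface are all assumed placeholders.

```cisco
! --- AAA against TACACS+ through the management VRF (assumed name: MGMT) ---
aaa new-model
!
tacacs server TACACS1
 address ipv4 10.0.0.10            ! assumed server address, replace with your own
 key CHANGE-ME-SHARED-SECRET       ! placeholder shared secret
!
aaa group server tacacs+ MGMT-TACACS
 server name TACACS1
 ip vrf forwarding MGMT            ! TACACS+ traffic leaves via the management VRF only
 ip tacacs source-interface Loopback0
!
! TACACS+ first, local user only if every server in the group is unreachable
aaa authentication login VTY-AUTH group MGMT-TACACS local
aaa authorization exec VTY-AUTH group MGMT-TACACS local
! per-command authorization is what lets the TACACS+ server allow a LAN team
! show/debug access while denying "configure terminal" to the same users
aaa authorization commands 15 VTY-AUTH group MGMT-TACACS local
aaa accounting commands 15 default start-stop group MGMT-TACACS
!
! local fallback account, only usable when the TACACS+ servers do not answer
username admin privilege 15 secret CHANGE-ME-LOCAL-FALLBACK
!
! --- restrict who can reach the VTY lines at all (assumed mgmt subnet) ---
ip access-list extended MGMT-ACL
 permit tcp 10.10.10.0 0.0.0.255 any eq 22
 deny ip any any log
!
! --- disable the services Rick listed; only SSHv2 from the ACL above remains ---
no ip http server
no ip http secure-server
no snmp-server
ip ssh version 2
!
line vty 0 15
 ! vrf-also is required when sessions arrive on an interface inside a VRF
 access-class MGMT-ACL in vrf-also
 transport input ssh
 login authentication VTY-AUTH
 authorization exec VTY-AUTH
 authorization commands 15 VTY-AUTH
 accounting commands 15 default
```

Two points worth checking on a real box: the firewall between the perimeter router and the intranet should permit only TCP/49 from this router's Loopback0 to 10.0.0.10 and nothing else, which is the narrowed exposure Rick described; and without the vrf-also keyword the access-class silently blocks sessions that arrive through the VRF management interface, so test the login path from the management subnet before removing console access.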
10-05-2015 10:02 AM
Hi Gentlemen,
Thank you all for your valuable inputs and great feedbacks.
I got what I need to know and appreciate all :)
Thank you.
10-05-2015 03:34 PM
I am glad that our answers were helpful to you. These forums are excellent for learning about networking and for sharing what we have learned with each other. Thank you for using the rating system to mark this question as answered. This will help other readers of the forum to identify threads with helpful information.
HTH
Rick