Internet Router

eandrcisco007
Level 1

Hi Techs,

I have a general security question about an Internet router that is located outside the firewall/DMZ (perimeter network) and connected to MPLS. I was wondering if it is secure to configure TACACS on it to have centralized validation of users who log in through the VRF management interface. (I have been told this is not a good practice and that it could pose a risk.)

Any feedback or suggestion would be highly appreciated.

Thank you.

Accepted Solution

Richard Burts
Hall of Fame

This is an interesting question and I do not believe that there is a clear and convincing "right" answer to it. If you get answers from several people there are likely to be several different answers proposed.

On the one hand, if the router is on the perimeter and is outside of the DMZ and firewall, then any device that you permit to initiate traffic through the firewall to the inside is somewhat of a threat. So from that perspective, do local authentication, make the password difficult, and change it frequently.

On the other hand, if the firewall only permits the TACACS protocol traffic and only permits it to the TACACS server, then you have reduced the risk and have better control over who can log in to the perimeter router.

If you are concerned about potential risk to the router that is in the perimeter, then you might consider disabling access via VTY (no Telnet, no SSH), no HTTP, no HTTPS, no SNMP, and only allow access via the console port.

HTH

Rick


6 Replies


trfinkenstadt
Level 1

Hello,

How we have chosen to do it:

ip access-list extended 123
 permit ip internal.mgmt.sub.net 0.0.0.255 any
 ! just to see who/what's banging on us
 deny ip any any log
!
line vty 0 15
 access-class 123 in

We use our intranet TACACS servers protected by firewalls.

We do *not* allow our Internet-exposed devices to be in any way connected to the intranet. If they are compromised, then there are further steps that an attacker would need to take to compromise our internal servers and systems.

 

jatinder sharma
Level 1

Hello,

I fully agree with what Richard suggested: it is better to use a difficult password and change it frequently, and to avoid the threat, disable Telnet, SSH, HTTP and HTTPS access to the router and use console access.

Regards

Jatinder Sharma

By template, we disable Telnet, HTTP and HTTPS on all of our routers. As for a local account, how do you determine who is doing what to your devices? What if you need granular permits within who is touching a device? For example, I might allow my LAN team to do just about anything short of "config t" on a router, whereas my WAN team are allowed full exec 15 access.

--tim
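Pulling the suggestions in this thread together (Richard's: reach TACACS only through a firewall that permits nothing but the TACACS traffic to the TACACS server, or otherwise shut VTY/HTTP/SNMP and keep the console; trfinkenstadt's VTY access list limited to the internal management subnet; tim's per-team command authorization and accounting so you know who did what), here is an added IOS configuration example. It is not configuration posted in the thread or supplied by Cisco. Every address, VRF name, interface, server name, shared key and account name is a placeholder I chose, and the per-team command policy itself (LAN team denied "configure terminal", WAN team full level 15) lives on the TACACS+ server and is not shown here.

```ios
! Added example, not configuration from this thread. Hardening the
! management plane of a perimeter router along the lines discussed above.
! Every address, VRF name, interface, key and account below is a placeholder.
!
! --- Management VRF and interface ---------------------------------------
ip vrf MGMT
!
interface GigabitEthernet0/2
 description Management, reachable only from the inside through the firewall
 ip vrf forwarding MGMT
 ip address 10.255.0.5 255.255.255.0
!
! --- TACACS+ reached only through the management VRF --------------------
! The firewall between the MGMT subnet and the inside should permit only
! TCP/49 from 10.255.0.5 to the TACACS+ server 192.0.2.10 and nothing else.
aaa new-model
!
tacacs server PERIMETER-TAC
 address ipv4 192.0.2.10
 key 0 REPLACE-WITH-STRONG-SHARED-KEY
!
aaa group server tacacs+ MGMT-TAC
 server name PERIMETER-TAC
 ip vrf forwarding MGMT
 ip tacacs source-interface GigabitEthernet0/2
!
! Authenticate and authorize against TACACS+; fall back to the local
! database only when every server is unreachable.
aaa authentication login MGMT-LOGIN group MGMT-TAC local
aaa authorization exec MGMT-EXEC group MGMT-TAC local
! Per-command authorization: the server decides, per user or group, which
! commands are allowed (for example a LAN-team policy that denies
! "configure terminal" while a WAN-team policy permits everything at 15).
aaa authorization commands 1 MGMT-CMD group MGMT-TAC local
aaa authorization commands 15 MGMT-CMD group MGMT-TAC local
aaa authorization config-commands
! Accounting answers "who did what, when": every exec session and every
! command is reported to the TACACS+ server.
aaa accounting exec default start-stop group MGMT-TAC
aaa accounting commands 1 default start-stop group MGMT-TAC
aaa accounting commands 15 default start-stop group MGMT-TAC
!
! Local fallback accounts. Privilege 7 can run the show commands moved to
! level 7 below but cannot enter configuration mode.
privilege exec level 7 show running-config
privilege exec level 7 show ip route
username lan-fallback privilege 7 secret REPLACE-WITH-STRONG-PASSWORD
username wan-fallback privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
!
! --- VTY: only the internal management subnet, SSH only -----------------
ip access-list standard MGMT-ONLY
 permit 10.255.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ONLY in vrf-also
 transport input ssh
 login authentication MGMT-LOGIN
 authorization exec MGMT-EXEC
 authorization commands 1 MGMT-CMD
 authorization commands 15 MGMT-CMD
 exec-timeout 10 0
!
line con 0
 login authentication MGMT-LOGIN
 authorization exec MGMT-EXEC
 exec-timeout 10 0
!
ip ssh version 2
! (generate the SSH host key once from exec mode:
!  crypto key generate rsa modulus 2048)
!
! --- Services turned off on the perimeter box ---------------------------
no ip http server
no ip http secure-server
no snmp-server
!
! Console-only variant (the stricter option from the accepted answer):
! replace the "line vty 0 4" block above with
!   line vty 0 4
!    transport input none
```

The "local" method at the end of each aaa list only takes effect when no TACACS+ server answers, so the fallback accounts are never consulted while the server is reachable; the accounting lines mean the TACACS+ log, not the router, is where you look when you want to know who changed what.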

Hi Gentlemen,

Thank you all for your valuable inputs and great feedback.

I got what I needed to know and appreciate it all :)

Thank you.

I am glad that our answers were helpful to you. These forums are excellent for learning about networking and for sharing what we have learned with each other. Thank you for using the rating system to mark this question as answered. This will help other readers of the forum to identify threads with helpful information.

HTH

Rick
