
TACACS Plus installation

This article describes, step by step, how to install a TACACS+ application. Specifically, we install tac-plus.
1. Download TACACS+
2. Install Tac-plus application
3. Configure TACACS.conf
4. Configure Network device (Cisco router)

1. Download TACACS+
Get the latest tacacs+ binary rpm file from http://www.gazi.edu.tr/tacacs.

2. Install Tac-plus application


Log in to your machine with the root account to avoid any interruption while installing TACACS+, and type:
rpm -ivh tac_plus.xxx.i386.rpm

This command installs tacacs+ on your system. To verify the installation, type:
rpm -q tac_plus

If you see the output below, you are good to go.
tac_plus-F4.0.3.alpha-7

3. Configure TACACS.conf

# Created by Devrim SERAL( devrim@gazi.edu.tr)
# It's a very simple configuration file
# Please read user_guide and tacacs+ FAQ for more information to do more
# complex tacacs+ configuration files.

key = CISCONET

# Use /etc/passwd file to do authentication
default authentication = file /etc/passwd.log
# Now tacacs+ also uses default PAM authentication
#default authentication = pam pap
#If you like to use DB authentication
#default authentication = db "db_type://db_user:db_pass@db_hostname/db_name/db_table?name_field&pass_field"
# db_type: mysql or null
# db_user: Database connect username
# db_pass: Database connection password
# db_hostname : Database hostname
# db_name : Database name
# db_table : authentication table name
# name_field and pass_field: Username and password field name at the db_table
# Accounting records log file
accounting file = /var/log/tacacs/tacacs.log
# Would you like to store accounting records in database..
# db_accounting = "db_type://db_user:db_pass@db_hostname/db_name/db_table"
# Same as above..
# Permit all authorization requests
default authorization = permit
# Profile for enable access, username is $enab15$. Used to be $enable$
user = $enab15$ {
    login = cleartext Pr1celess
}
# Profiles for user accounts
user = Superman {
    login = cleartext SuperPOP40
}

In this case the username is Superman and the password is SuperPOP40.

4. Configure Network device (Cisco router)

aaa new-model
aaa authentication login default tacacs+ line enable none

tacacs-server host 65.222.247.53
tacacs-server host 65.222.247.37
tacacs-server key CISCONET

Or another sample (if tacacs login fails, the local database will be used):

aaa new-model
username CiscoNET password xxx-CiscoNet
aaa authentication login default enable
aaa authentication login access1 local
aaa authentication login access2 tacacs+ local
tacacs-server host 65.222.247.53
tacacs-server host 65.222.247.37
tacacs-server key CISCONET
!
!
line console 0
 login authentication access2
!
!
line vty 0 4
 password yyy-CiscoNET
 login
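The "key = CISCONET" line above and the matching "tacacs-server key" on the router are the shared secret that obfuscates TACACS+ packet bodies. The following is an added example (not part of the original notes or of tac_plus itself) that implements the RFC 8907 body obfuscation with that key; the packet body and session id are constructed sample values. It shows why the header stays readable on the wire and why a wrong key produces garbage rather than an error.

```python
import hashlib
import struct

HEADER_FMT = "!BBBBII"          # version, type, seq_no, flags, session_id, body length
VERSION = 0xC0                  # major version 0xC, minor version 0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
KEY = b"CISCONET"               # the shared secret from the tac_plus.conf above

def tacacs_pad(session_id, key, version, seq_no, length):
    """Pseudo-pad per RFC 8907: pad_1 = MD5(session_id|key|version|seq_no),
    pad_n = MD5(session_id|key|version|seq_no|pad_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it twice restores the body."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(body, session_id, key, seq_no=1, version=VERSION, ptype=TYPE_AUTHEN):
    """The 12-byte header is always cleartext; only the body is obfuscated when a key is set."""
    flags = 0 if key else FLAG_UNENCRYPTED
    payload = obfuscate(body, session_id, key, version, seq_no) if key else body
    return struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(body)) + payload

def read_body(packet, key):
    """Recover the body with the given key. The pad carries no integrity check, so a
    wrong key yields garbage and the receiver must still validate every field."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    payload = packet[12:12 + length]
    if flags & FLAG_UNENCRYPTED:
        return payload
    return obfuscate(payload, session_id, key, version, seq_no)

def demo():
    """Constructed authentication START body followed by the username from the config."""
    body = b"\x01\x00\x01\x01\x00\x00\x00\x00" + b"Superman"
    pkt = build_packet(body, session_id=0x1234ABCD, key=KEY)
    return read_body(pkt, KEY) == body, read_body(pkt, b"WRONGKEY") == body, body in pkt
```

With an empty key the FLAG_UNENCRYPTED bit is set and the username travels in cleartext, which is why the key must be set on both sides.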

Preventing Security Attacks from all OSI 7 Layer

Let's quickly look at what kinds of security attacks exist on the OSI 7 layers.
Layer 7. Application / 6. Presentation / 5. Session Layer - Virus, worms, Trojan horse, buffer overflow, application/OS weakness.
Layer 4. Transport Layer - TCP SYN flooding, UDP flooding, scanning and so on.
Layer 3. Network Layer - IP modification, DHCP attack, ICMP attack and so on.
Layer 2. Data Link Layer - MAC modification, MAC attack, MAC flooding and so on.
Layer 1. Physical Layer - Cable disconnected
How to prevent the above threats? See below.

Prevent Physical Layer's threats


- Someone may pull or cut a physical cable on purpose for any reason. It is better to have a quick recovery plan and a procedure to complete the restoration. Also, treat and take care of employees well ^.^. Actually, if a physical link is cut, it is a serious situation, especially when the cable was installed deep or without a blueprint. These days, high-grade switches provide a built-in OTDR function. By sending a pulse signal on the link, the cut location or a suspicious location can be found easily. It compares the time slot when a signal was sent and when it returned. [NVP (Nominal Velocity of Propagation) - Cable Propagation delay]

ex) sample TDR testing from Catalyst 6500
Console>(enable) test cable-diagnostics tdr 1/1 ; generate pulse signal
TDR test started on port 1/1. Use show port TDR to see the result
Console>(enable) show port TDR 1/1 ; output of TDR result
TDR test last run on Tue, Feb x.x at x.x.x.x
Port Speed Local Pair Pairlength   Remote Pair Pair status
-----------------------------------------------------------------
1/1  1000  Pair A     12+/-3 meters Pair A      Terminated
           Pair B     12+/-3 meters Pair B      Terminated
           Pair C     12+/-3 meters Pair C      Terminated
           Pair D     12+/-3 meters Pair D      Terminated

Data Link Layer's threats


The most common threats on the Data Link layer are MAC address alteration and MAC Flooding attacks. A network device or host under a MAC Flooding attack has all of its CPU resources consumed. With MAC address alteration, the traffic flow can be changed easily once the attacker finds a security hole on the switch. To prevent this, you can map the host MAC address to each physical switch port. MAC Flooding attacks dump massive numbers of MAC addresses created by an automated tool. This overflows the MAC table (CAM table) on the switch, and the switch malfunctions or gets slow (crashing). To prevent this threat, you can use the port-security function that is provided by Cisco IOS.

ex) Utilize Cisco Port-Security on Catalyst 2950
Switch(config)#interface fastethernet 1
Switch(config-if)#switchport port-security maximum 7 ; Limit max MAC addresses to 7 on the port
Switch(config-if)#switchport port-security mac-address xx:xx:xx:xx ; Pre-configure the MAC address that is connected to port 1
Switch(config-if)#switchport port-security violation [protect/restrict/shutdown] ; If suspicious activity is detected, the restrict policy can be applied
Switch(config-if)#mac-address-table static yy:yy:yy:yy vlan drop ; Filter a MAC address that caused an issue
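To make the CAM-table overflow and the effect of "switchport port-security maximum" concrete, here is an added example (a constructed model, not Cisco code or part of the original notes): a toy switch whose learning table evicts the oldest entry when full, with an optional per-port MAC limit enforcing restrict or shutdown. The MAC addresses, table size of 8 entries, and per-port limit of 2 are constructed values.

```python
from collections import OrderedDict

class Switch:
    """Toy CAM table: MAC -> port; the oldest entry is evicted when the table is full."""
    def __init__(self, capacity=8, max_per_port=None, violation="restrict"):
        self.cam = OrderedDict()
        self.capacity = capacity
        self.max_per_port = max_per_port     # None: port-security disabled on every port
        self.violation = violation           # "restrict" (drop and count) or "shutdown"
        self.err_disabled = set()
        self.violations = 0

    def learn(self, src_mac, port):
        """Process the source MAC of a frame arriving on port."""
        if port in self.err_disabled:
            return "dropped"
        if src_mac in self.cam:
            return "known"
        if self.max_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == port)
            if on_port >= self.max_per_port:
                self.violations += 1          # restrict: frame dropped, counter incremented
                if self.violation == "shutdown":
                    self.err_disabled.add(port)
                return "violation"
        if len(self.cam) >= self.capacity:
            self.cam.popitem(last=False)      # table full: a legitimate entry is lost
        self.cam[src_mac] = port
        return "learned"

    def egress(self, dst_mac):
        """An unknown destination is flooded to every port, which lets any port sniff it."""
        return self.cam.get(dst_mac, "flood")

def flood_scenario(port_security):
    """Two legitimate hosts, then a constructed burst of 20 bogus source MACs on port 3.
    Returns where traffic for the server now goes and how many violations were counted."""
    sw = Switch(max_per_port=2 if port_security else None)
    sw.learn("aa:aa:aa:aa:aa:01", 1)          # legitimate host on port 1
    sw.learn("aa:aa:aa:aa:aa:02", 2)          # legitimate server on port 2
    for i in range(20):
        sw.learn(f"de:ad:be:ef:00:{i:02x}", 3)
    return sw.egress("aa:aa:aa:aa:aa:02"), sw.violations
```

Without port security the server's entry is evicted and its traffic is flooded to all ports; with a per-port limit the burst is stopped after two entries and the violation counter gives the operator something to alert on.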

An ARP attack is another pattern of Data Link layer threat. First, the attacker finds a LAN port and sniffs live traffic to choose a victim, picking an active MAC address which is actively communicating with a server or another host. Using a MAC duplicator or hacker's tool, the attacker intercepts the communication and collects important information such as login/password and so on. Actually, it can be done easily with well-known sniffing software and hacker's tools. Some tools have a built-in password dictionary to crack logins. ** Hey, this is only for education purposes. Do not try it! The common way to prevent this threat is ARP Inspection.

ex) Apply ARP Inspection on Catalyst 4000
Switch>(enable) set security acl ip ARP permit arp-inspection host 10.0.0.1 xx:xx:xx:xx
Switch>(enable) set security acl ip ARP permit arp-inspection host 10.0.0.2 yy:yy:yy:yy ; Pre-define MAC addresses in the ARP table
Switch>(enable) set security acl ip ARP permit arp-inspection any any
Switch>(enable) set security acl ip ARP permit ip any any
Switch>(enable) commit security acl ARP
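The ACL above enforces a fixed IP-to-MAC binding for 10.0.0.1 and 10.0.0.2 and lets everything else through. The following added example (not from the original notes or from Cisco) performs the same check in software: it parses an ARP frame and denies it when the sender IP is bound to a different MAC, or when the ARP sender MAC disagrees with the Ethernet source. The binding MACs and the frames are constructed sample values; the frame builder exists only to feed the check.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
ARP_REPLY = 2

# Constructed bindings, the equivalent of the "permit arp-inspection host" entries above
BINDINGS = {"10.0.0.1": "aa:bb:cc:00:00:01", "10.0.0.2": "aa:bb:cc:00:00:02"}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def parse_arp(frame):
    """Ethernet header (14 bytes) followed by an IPv4-over-Ethernet ARP body (28 bytes)."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": mac_str(eth_src), "op": op, "sha": mac_str(sha),
            "spa": str(IPv4Address(spa)), "tpa": str(IPv4Address(tpa))}

def inspect(frame):
    """Deny a bound IP claimed by the wrong MAC, or an ARP sender MAC that does not match
    the Ethernet source; unbound senders pass, like the ACL's final 'any any' rule."""
    arp = parse_arp(frame)
    if arp is None:
        return "not-arp"
    if arp["eth_src"] != arp["sha"]:
        return "deny"
    bound = BINDINGS.get(arp["spa"])
    if bound is not None and bound != arp["sha"]:
        return "deny"
    return "permit"

def arp_frame(src_mac, sender_ip, target_ip, op=ARP_REPLY, sha=None):
    """Constructed ARP frame for testing; sha overrides the ARP sender field if given."""
    sha = sha or src_mac
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, mac_bytes(sha),
                       IPv4Address(sender_ip).packed, b"\xff" * 6, IPv4Address(target_ip).packed)
    return struct.pack("!6s6sH", b"\xff" * 6, mac_bytes(src_mac), ETH_P_ARP) + body
```

A static binding table like this is what a switch's DHCP snooping database supplies automatically; the check itself is the same.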

Another way to prevent Data Link threats is to use private VLANs. We often see security holes in network device configurations.

1. STP(Spanning Tree Protocol) Attack


; Simply, the attacker intercepts BPDU (Bridge Protocol Data Unit) frames and sends bad BPDUs to the root switch to change the traffic flow. To prevent this, prohibit sending and receiving BPDUs unless the port is an uplink.
Switch(config)#spanning-tree portfast bpduguard ; Prevent STP attack by BPDU Guard setup
Switch(config)#spanning-tree guard root (or rootguard) ; Prevent STP attack by Root Guard setup on the root switch

2. VLAN Hopping attack


This threat uses a weakness of the switch configuration with default values. The switch port mode is auto by default. The attacker hooks his device to a port on the switch, makes the link a trunk, and then sends an altered frame which has duplicate VLAN headers. It will cross the network trunk and attack nodes. To prevent this, change unused ports to access mode or shut them down.
Switch(config)#interface fastethernet 1
Switch(config-if)#switchport mode access ; Trunk mode is off

List of action items to prevent Layer 2 threats
1. Do not use VLAN 1
2. Do not use VLAN for unused ports
3. Use SSH instead of Telnet
4. Use SNMP version 3
5. Use enhanced Traceroute

Network Layer's threats


IP alteration and DHCP attacks are famous on the Network layer. If MAC address alteration is like altering a Social Security Identifier, IP alteration would be like altering an address. To prevent the threat, use the commands below (make sure IP CEF is enabled):
Router(config)#interface Fastethernet
Router(config-if)#ip verify unicast reverse-path
To verify, use "show ip traffic".

Transport Layer's threats


Well-known attacks on the Transport layer are TCP and UDP flooding attacks. These threats send massive UDP traffic to a certain target, or request TCP 3-way handshakes after altering the source IP address. In particular, they cause serious damage to network devices and servers under the overwhelming load.

Application Layer's threats


These can be worms and viruses, and also threats that attack weaknesses of the OS and applications.
