This article describes, step by step, how to install a TACACS+ application. Specifically, we install tac-plus.

1. Download TACACS+
2. Install Tac-plus application
3. Configure TACACS.conf
4. Configure network device (Cisco router)
1. Download TACACS+
Get the latest tacacs+ binary rpm file from http://www.gazi.edu.tr/tacacs.
2. Install Tac-plus application

After running the install command, tacacs+ is installed on your system. To verify the installation, type:

rpm -q tac_plus
3. Configure TACACS.conf
# Created by Devrim SERAL (devrim@gazi.edu.tr)
# It's a very simple configuration file.
# Please read the user_guide and tacacs+ FAQ for more information on
# writing more complex tacacs+ configuration files.

key = CISCONET

# Use /etc/passwd file to do authentication
default authentication = file /etc/passwd.log

# Now tacacs+ also uses default PAM authentication
#default authentication = pam pap

# If you like to use DB authentication
#default authentication = db "db_type://db_user:db_pass@db_hostname/db_name/db_table?name_field&pass_field"
# db_type: mysql or null
# db_user: Database connect username
# db_pass: Database connection password
# db_hostname: Database hostname
# db_name: Database name
# db_table: authentication table name
# name_field and pass_field: Username and password field name at the db_table

# Accounting records log file
accounting file = /var/log/tacacs/tacacs.log

# Would you like to store accounting records in database..
# db_accounting = "db_type://db_user:db_pass@db_hostname/db_name/db_table"
# Same as above..

# Permit all authorization requests
default authorization = permit

# Profile for enable access, username is $enab15$. Used to be $enable$
user = $enab15$ {
    login = cleartext Pr1celess
}

# Profiles for user accounts
user = Superman {
    login = cleartext SuperPOP40
}

In this case the username is Superman and the password is SuperPOP40.

4. Configure network device (Cisco router)

aaa new-model
aaa authentication login default tacacs+ line enable none
Another sample (if the TACACS+ login fails, the local database is used):
aaa new-model
username CiscoNET password xxx-CiscoNet
aaa authentication login default enable
aaa authentication login access1 local
aaa authentication login access2 tacacs+ local
tacacs-server host 65.222.247.53
tacacs-server host 65.222.247.37
tacacs-server key CISCONET
!
!
line console 0
 login authentication access2
!
!
line vty 0 4
 password yyy-CiscoNET
 login
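As an added example (not part of the original article and not tac_plus's own code), a small Python audit script that parses a tac_plus.conf like the one in step 3 and reports the weak settings worth fixing before the daemon goes live: user secrets stored cleartext, a short or purely alphanumeric shared key, and a permit-all authorization default. The regexes and thresholds are my own simplification of the tac_plus syntax, not its parser; the sample input is a constructed copy of the step 3 file.

```python
import re

# Constructed copy of the tac_plus.conf sample from step 3 above (comments trimmed).
SAMPLE_CONF = """\
key = CISCONET
default authentication = file /etc/passwd.log
accounting file = /var/log/tacacs/tacacs.log
default authorization = permit
user = $enab15$ {
    login = cleartext Pr1celess
}
user = Superman {
    login = cleartext SuperPOP40
}
"""

KEY_RE = re.compile(r'^\s*key\s*=\s*"?([^"\n]+?)"?\s*$', re.M)
PERMIT_RE = re.compile(r'^\s*default\s+authorization\s*=\s*permit\b', re.M)
# user = NAME { ... }  (simplified: assumes no nested braces inside a user block)
USER_RE = re.compile(r'user\s*=\s*(\S+)\s*\{(.*?)\}', re.S)
# login = cleartext SECRET, pap = des HASH, ...  -> (protocol, method)
CRED_RE = re.compile(r'^\s*(login|pap|chap|arap|opap)\s*=\s*(\S+)(?:\s+\S+)?', re.M)

def strip_comments(text):
    """Drop '#' comments. Naive: a '#' inside a quoted key would be cut too."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def audit_tacplus_conf(text):
    """Return (severity, message) findings for weak settings in a tac_plus.conf."""
    findings = []
    text = strip_comments(text)
    key = KEY_RE.search(text)
    if key is None:
        findings.append(("high", "no shared key: NAS<->daemon traffic is sent unobfuscated"))
    elif len(key.group(1)) < 16 or key.group(1).isalnum():
        findings.append(("medium", "weak shared key %r: use a long random value" % key.group(1)))
    if PERMIT_RE.search(text):
        findings.append(("medium", "default authorization = permit: every authorization request is allowed"))
    for user, body in USER_RE.findall(text):
        for proto, method in CRED_RE.findall(body):
            if method == "cleartext":
                findings.append(("high", "user %s: %s secret stored cleartext; prefer a des (crypt) hash" % (user, proto)))
    return findings

if __name__ == "__main__":
    for sev, msg in audit_tacplus_conf(SAMPLE_CONF):
        print("[%s] %s" % (sev, msg))
```

Run against the step 3 file it reports four findings; a file with a long random key, no permit-all default and des-hashed logins reports none.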
Let's quickly look at what kinds of security attacks occur at each of the OSI 7 layers.

Layer 7. Application / 6. Presentation / 5. Session Layer - Viruses, worms, Trojan horses, buffer overflow, application/OS weaknesses.
Layer 4. Transport Layer - TCP SYN flooding, UDP flooding, scanning and so on.
Layer 3. Network Layer - IP modification, DHCP attack, ICMP attack and so on.
Layer 2. Data Link Layer - MAC modification, MAC attack, MAC flooding and so on.
Layer 1. Physical Layer - Cable disconnected.

How can the above threats be prevented? See below.
Cable diagnostic output for port 1/1 at 1000 Mb/s:

Pair    Length           Status
Pair A  12 +/- 3 meters  Terminated
Pair B  12 +/- 3 meters  Terminated
Pair C  12 +/- 3 meters  Terminated
Pair D  12 +/- 3 meters  Terminated
An ARP attack is another pattern of data link layer threat. First, the attacker finds a LAN port and sniffs live traffic to choose a victim, picking an active MAC address that is communicating with a server or another host. Using a MAC duplicator or hacker's tool, the attacker intercepts the communication and collects important information such as login/password and so on. Actually, it can be done easily with well-known sniffing software and hacker's tools. Some tools have a built-in password dictionary to crack logins. ** Hey, this is for educational purposes only. Do not try it! The common way to prevent this threat is ARP Inspection.
ex) Apply ARP Inspection on a Catalyst 4000

Switch>(enable) set security acl ip ARP permit arp-inspection host 10.0.0.1 xx:xx:xx:xx
Switch>(enable) set security acl ip ARP permit arp-inspection host 10.0.0.2 yy:yy:yy:yy
; Pre-defined MAC addresses in the ARP table
Switch>(enable) set security acl ip ARP permit arp-inspection any any
Switch>(enable) set security acl ip ARP permit ip any any
Switch>(enable) commit security acl ARP
Another way to prevent data link layer threats is to use private VLANs. We often see security holes in network device configurations.