I may not completely understand the last part of your message. You say:

> The Network Services Group is adamant that neither SSH nor CISCO TACACS+
> will work on a router to correct the security issue.

If they mean SSH is not available on Cisco routers, this is incorrect:

http://www.cisco.com/en/US/tech/tk583/tk209/technologies_tech_note09186a00800949e2.shtml

Please note that SSH is deprecated by Cisco. The above paper states that Cisco's strategy for secure communication between clients and router devices is IPSEC.

If they mean that implementing SSH won't mollify the auditors, I can't say. Assuming your routers are configured to log unsuccessful login attempts, that each router's SSH daemon is configured to only accept logins based on key pairs (no passphrases), that you have a good key management policy in place, and that you have filters configured on the router to only accept connections from a short list of authorized addresses, that should keep the auditors happy.

I am not familiar enough with TACACS+ to give any comment on it. I always thought TACACS was an authentication protocol, not a communications protocol. As such, it would only solve your problem in the narrowest sense (i.e. no unencrypted username/password pairs going over the wire when logging in). Information about your router's internal configuration would still be unencrypted, as would your enable password if one of the techs put the router into enable mode. As such, based on what I know, it wouldn't be suitable.

j.

On Wed, 11 Dec 2002, Tony Toni wrote:

> We were recently written up by our external auditors because we use telnet to
> access all of our routers. In some cases we use a filtered Telnet
> service...but that is not the normal practice. We are a fairly good size
> company with about 1000+ routers.

[snip...]
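With 1000+ routers, the practical question is how to check the whole fleet for the points raised in the reply (telnet still enabled on the vty lines, no inbound address filter, SSH not enabled, failed logins not logged). The following audit script is an added example and is not part of the original mail or of any Cisco tool. The IOS commands it looks for (ip ssh version 2, login on-failure log, access-class N in, transport input ssh) are standard IOS syntax, but the hostnames, addresses and the two sample configs embedded below are constructed for illustration; key-only authentication, as suggested in the reply, is not checked because its IOS syntax depends on the release.

```python
"""Audit Cisco IOS configs for insecure management access.

Added example, not from the original mail.  IOS commands checked are
real IOS syntax; sample configs, hostnames and addresses are constructed.
"""
from typing import Dict, List, Optional

# Constructed sample: what the auditors wrote up (telnet, no filter).
WEAK_CONFIG = """\
hostname rtr-weak
!
line vty 0 4
 password 7 0822455D0A16
 login
 transport input telnet
!
end
"""

# Constructed sample: SSHv2 only, vty filtered to a management subnet,
# failed logins logged.
HARDENED_CONFIG = """\
hostname rtr-fixed
!
ip domain-name example.net
ip ssh version 2
login on-failure log
!
access-list 10 permit 10.20.30.0 0.0.0.255
access-list 10 deny   any log
!
line vty 0 4
 access-class 10 in
 login local
 transport input ssh
!
end
"""


def parse_vty_blocks(config: str) -> Dict[str, List[str]]:
    """Return {'line vty A B': [child commands]} for every vty block.

    IOS indents a section's commands by one space and ends the section
    with '!' or with the next unindented command.
    """
    blocks: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.strip() if raw.startswith("line vty") else None
        if current is not None:
            blocks.setdefault(current, [])
    return blocks


def audit_config(hostname: str, config: str) -> List[str]:
    """Return human-readable findings for one config; empty means clean."""
    findings: List[str] = []
    top = {l.strip() for l in config.splitlines()
           if l and not l.startswith(" ")}

    if "ip ssh version 2" not in top:
        findings.append(f"{hostname}: 'ip ssh version 2' missing "
                        "(SSH not enabled, or SSHv1 still allowed)")
    if not any(cmd.startswith("login on-failure log") for cmd in top):
        findings.append(f"{hostname}: failed logins not logged "
                        "('login on-failure log' missing)")

    vtys = parse_vty_blocks(config)
    if not vtys:
        findings.append(f"{hostname}: no 'line vty' block found")
    for name, cmds in vtys.items():
        transport = [c for c in cmds if c.startswith("transport input")]
        if not transport:
            findings.append(f"{hostname}: {name}: no 'transport input' "
                            "line, telnet may be accepted by default")
        else:
            # 'transport input' is a single setting; the last one wins.
            protos = transport[-1].split()[2:]
            if protos not in (["ssh"], ["none"]):
                findings.append(f"{hostname}: {name}: transport input "
                                f"{' '.join(protos)} (should be ssh only)")
        if not any(c.startswith("access-class ") and c.endswith(" in")
                   for c in cmds):
            findings.append(f"{hostname}: {name}: no inbound access-class, "
                            "management reachable from any source address")
    return findings


def audit_fleet(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Audit many routers; keys are hostnames, values are their configs."""
    return {host: audit_config(host, cfg) for host, cfg in configs.items()}


if __name__ == "__main__":
    for host, found in audit_fleet({"rtr-weak": WEAK_CONFIG,
                                    "rtr-fixed": HARDENED_CONFIG}).items():
        print(host, "OK" if not found else "")
        for line in found:
            print("  " + line)
```

Run it against a directory of collected running-configs by feeding each file into audit_fleet; the weak sample above produces four findings (no SSHv2, no failure logging, telnet on the vty line, no access-class) and the hardened sample none.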