Secure TACACS+ / RADIUS Proxy

Centralized access control using the TACACS+ and/or RADIUS protocols has become a popular and effective approach for managing secure access to network devices and servers. The ability to manage user authentication, authorization, and accounting in a single server, or a small number of servers, provides a significant advantage in terms of reduced administrative effort, reduced server count, and improved security, because changes can be made in a more timely and less error-prone manner.

Access Problem for TACACS+ and RADIUS Traffic

The common industry practice of partitioning networks into security zones using conventional firewalls creates a problem for centralized access control, requiring network administrators to choose between two equally unacceptable alternatives: prevent TACACS+ and RADIUS traffic from passing through the firewall, effectively isolating the devices beyond it from the primary centralized access control servers, or allow TACACS+ and/or RADIUS to pass through the firewall, accepting the associated security risks.

The ZoneRanger offers a much simpler, more cost effective, and more secure solution for managing access control in your corporation’s DMZs.

ZoneRanger saves money and time, increases security, and decreases configuration errors

1) Only one ACS is needed for multiple security zones. Each security zone will contain a ZoneRanger that will proxy the requests to the ACS server on the clean side of the firewall. The ZoneRanger can proxy requests to multiple servers, if desired, for reliability.
2) The firewall rules do not need to open additional ports for this traffic and your ACS server is isolated from the high risk security zones.
3) The TACACS+/RADIUS protocols are inspected to verify that they conform to the RFC; requests that do not conform are discarded.
4) If the IP address/hostname of the ACS server changes or new ones are added, the clients do not have to be updated with the new information. The ZoneRanger contains all the information on how to proxy the requests. The client devices only need to be configured to send their requests to the ZoneRanger.
5) Denial-of-service attacks on the ACS server can be mitigated by limiting the IP addresses that are allowed to make ACS requests. If a request is received by the ZoneRanger from an unauthorized source, it is discarded.
6) Reliability of the login process is increased in the case of multiple ACS servers. If the ZoneRanger detects a server is no longer responding to requests, a new server is chosen as the destination for the requests.
7) ZoneRangers may be configured in a redundant manner with automatic failover with no configuration changes to the clients.
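Points 3, 5 and 6 above describe three checks a proxy in front of an access-control server performs: validating that a request is structurally conformant to the RFC, discarding requests from sources that are not on an allow-list, and moving to another server when one stops responding. The following is an added example, written for this page and not ZoneRanger or Tavve code, that shows what those checks look like for RADIUS (RFC 2865). The client subnet, server list, and the sample Access-Request are constructed placeholders; the validation covers packet and attribute framing only and deliberately does not check the Request Authenticator or shared secret, which a real proxy would also have to do.

```python
"""Structural RADIUS request validation, source allow-list and server failover.
Constructed example illustrating proxy checks; not ZoneRanger code."""
import ipaddress
import struct

# RFC 2865 section 3: Code(1) Identifier(1) Length(2) Authenticator(16)
RADIUS_HEADER_LEN = 20
RADIUS_MAX_LEN = 4096
# Codes a client is expected to send towards an access-control server
CLIENT_REQUEST_CODES = {1: "Access-Request", 4: "Accounting-Request"}

# Constructed allow-list of client subnets permitted to reach the ACS via the proxy
ALLOWED_CLIENTS = [ipaddress.ip_network("10.20.0.0/24")]


def source_allowed(src_ip: str) -> bool:
    """Point 5: only requests from allow-listed client addresses are proxied."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in ALLOWED_CLIENTS)


def validate_radius_request(packet: bytes) -> tuple:
    """Point 3: return (ok, reason) after checking framing against RFC 2865.
    Does not verify the Request Authenticator or the shared secret."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False, "shorter than RADIUS header"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code not in CLIENT_REQUEST_CODES:
        return False, f"unexpected code {code} from client"
    if length < RADIUS_HEADER_LEN or length > RADIUS_MAX_LEN:
        return False, f"length field {length} out of range"
    if length > len(packet):
        return False, "length field exceeds bytes received"
    # RFC 2865: octets beyond the Length field are padding and are ignored
    body = packet[RADIUS_HEADER_LEN:length]
    offset = 0
    while offset < len(body):
        if len(body) - offset < 2:
            return False, "truncated attribute header"
        attr_type, attr_len = body[offset], body[offset + 1]
        if attr_len < 2:
            return False, f"attribute {attr_type} has illegal length {attr_len}"
        if offset + attr_len > len(body):
            return False, f"attribute {attr_type} overruns packet"
        offset += attr_len
    return True, CLIENT_REQUEST_CODES[code]


class ServerPool:
    """Point 6: hand out the first server not marked unresponsive."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.unresponsive = set()

    def choose(self):
        for server in self.servers:
            if server not in self.unresponsive:
                return server
        return None

    def mark_unresponsive(self, server):
        self.unresponsive.add(server)


def proxy_decision(src_ip: str, packet: bytes) -> str:
    """Combine the source check and the framing check into one verdict."""
    if not source_allowed(src_ip):
        return "discard: unauthorized source"
    ok, reason = validate_radius_request(packet)
    if not ok:
        return f"discard: {reason}"
    return f"forward: {reason}"


def build_access_request(ident: int, attrs) -> bytes:
    """Build a constructed Access-Request from (type, value) attribute pairs.
    The Authenticator is a zero placeholder here, not the random value
    RFC 2865 requires in real traffic."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    length = RADIUS_HEADER_LEN + len(body)
    authenticator = bytes(16)
    return struct.pack("!BBH", 1, ident, length) + authenticator + body


if __name__ == "__main__":
    # User-Name (1) and NAS-IP-Address (4) from a constructed client
    req = build_access_request(7, [(1, b"admin"), (4, bytes([10, 20, 0, 5]))])
    print(proxy_decision("10.20.0.5", req))
    print(proxy_decision("192.0.2.9", req))
    print(proxy_decision("10.20.0.5", req[:-1]))
    pool = ServerPool(["acs-1", "acs-2"])
    pool.mark_unresponsive("acs-1")
    print(pool.choose())
```

The framing checks are the ones a proxy can apply without knowing the shared secret: the Length field must lie within 20 to 4096 octets and must not exceed the bytes actually received, and every attribute must carry a length of at least 2 and fit inside the packet. Trailing octets beyond Length are ignored rather than rejected, as the RFC specifies. Anything that fails is dropped before it reaches the access-control server, which is the behaviour points 3 and 5 above describe.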

Secure TACACS+/RADIUS Processes

The ZoneRanger can also act as a TACACS+ or RADIUS client, using its own proxy service, so that authentication and authorization for access to the ZoneRanger’s own administration interfaces can also be configured and monitored from centralized access control servers.

Contact Tavve Software today to see how you can use the ZoneRanger to simplify and secure your TACACS+/RADIUS processes and many other network management issues that leave your networks less secure than they should be.

Jeff Olson

TACACS+ and RADIUS are part of a growing suite of management protocols supported by ZoneRanger. Other supported protocols include:

  • FTP
  • ICMP
  • NetFlow / sFlow
  • NTP
  • SNMP
  • Syslog
  • Telnet / SSH
  • TFTP