[c-nsp] TACACS/ACS on the internet

Andrew Miehs andrew at 2sheds.de
Mon Aug 24 07:19:58 EDT 2015


Not dangerous at all.

So what is the public address that you are going to use? :)

Seriously, I wouldn't do it. These appliances contain your entire user
list and passwords. Not a great idea to have them directly available
for anyone from the Internet. Should there ever be a problem with the
way the ACS servers treat the incoming UDP traffic, your box will most
likely be compromised. The minimum I would do is drop in a firewall (or
even a server with iptables) and then have an additional rule
provisioned each time you provision a new ACS endpoint. And enable
logging - and monitor these logs.

It sounds as if you don't actually "need" to use a public address
based on your original spec, and are doing this to avoid possible
conflicts.

Do you have the possibility of disabling access from the Internet to
this address?

-- Andrew



On Mon, Aug 24, 2015 at 7:30 PM, Nick Cutting <ncutting at edgetg.co.uk> wrote:
> We are going to roll out TACACS soon, on an ACS appliance and I have hundreds (thousands?) of client devices that need to authenticate back to these appliances.
>
> We will most likely put this directly on a public address, to avoid address conflicts etc. on our "shared services" zone.
>
> Rather than maintain some monster ACL for all the client Public addresses that would need to be updated almost daily - how dangerous is it to just allow UDP port 49 to this device from any source?
> We are going to have to add each device to the ACS server anyway.
>
> Any suggestions welcome
>
> Nick Cutting | Network Engineer | ncutting at edgetg.co.uk
>
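As an added example (not code from the thread or from Cisco): a small POSIX shell script implementing the "firewall plus one rule per provisioned endpoint, and log everything else" approach suggested above. It assumes iptables on a filtering host in front of the ACS address, an allowlist file that is updated whenever a new ACS client is provisioned, and constructed placeholder addresses. It filters TCP/49, which is the port TACACS+ actually uses (the thread says UDP); the chain's default log-and-drop covers anything else sent to the ACS address.

```shell
#!/bin/sh
# Added example (not from the thread). Emits iptables rules that let only
# provisioned client addresses reach TACACS+ (TCP/49) on the ACS address and
# log-then-drop everything else. Addresses here are constructed placeholders.
# Default: print the commands. APPLY=1 runs them (needs root on the firewall).

ACS_ADDR="${ACS_ADDR:-203.0.113.10}"   # public address of the ACS appliance
HOOK="${HOOK:-FORWARD}"                # use INPUT if iptables runs on the ACS host itself
CHAIN="ACS_IN"

# Print one iptables command, or execute it when APPLY=1.
emit() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# tacacs_rules <allowlist-file>
# Allowlist: one client address or CIDR per line; blank lines and '#' comments
# are skipped. Add a line each time a new client is provisioned and re-run.
tacacs_rules() {
    allowlist="$1"
    emit iptables -N "$CHAIN"           # create the chain (error is harmless if it exists)
    emit iptables -F "$CHAIN"           # flush so re-runs replace rules, not append
    while read -r cidr _; do
        case "$cidr" in ''|'#'*) continue ;; esac
        emit iptables -A "$CHAIN" -p tcp -s "$cidr" --dport 49 -j ACCEPT
    done < "$allowlist"
    # Everything else destined for the ACS address: log (rate limited) and drop,
    # so the denied attempts show up in syslog for monitoring.
    emit iptables -A "$CHAIN" -m limit --limit 5/min -j LOG --log-prefix "ACS-DENY:"
    emit iptables -A "$CHAIN" -j DROP
    # Hook the chain in front of any existing rules for the ACS address
    # (remove a stale jump from an earlier run first).
    emit iptables -D "$HOOK" -d "$ACS_ADDR" -j "$CHAIN"
    emit iptables -I "$HOOK" 1 -d "$ACS_ADDR" -j "$CHAIN"
}

# Usage: ACS_ADDR=<ip> sh acs-allowlist.sh /etc/acs-clients.txt
if [ -n "${1:-}" ]; then
    tacacs_rules "$1"
fi
```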

