[c-nsp] TACACS/ACS on the internet

Nick Cutting ncutting at edgetg.co.uk
Mon Aug 24 07:37:52 EDT 2015


I would prefer a public address, routed internally (through lots of RFC1918 addresses) via a crazy assortment of VPNs/P2P links/cross connects etc. - but I would have to advertise this IP internally to so many devices, and I don't have the luxury of easily changing shared-services route targets -> client VRFs (no VRFs except on some tunnels), so if going internally I would have to use the current SS, which is RFC1918.

Over the internet - can use ACLs on routers (yuck) due to where the address space I want to use sits, might have to use a transparent firewall.

Thanks for your response - I think I'll get a firewall in there and write some bulletproof procedures.

-----Original Message-----
From: Andrew Miehs [mailto:andrew at 2sheds.de] 
Sent: 24 August 2015 12:20
To: Nick Cutting
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] TACACS/ACS on the internet

Not dangerous at all.

So what is the public address that you are going to use? :)

Seriously, I wouldn't do it. These appliances contain your entire user list and passwords. Not a great idea to have them directly available for anyone from the Internet. Should there ever be a problem with the way the ACS servers treat the incoming UDP traffic, your box will most likely be compromised. The minimum I would do is drop in a firewall (or even a server with iptables) and then have an additional rule provisioned each time you provision a new ACS endpoint. And enable logging - and monitor these logs.

It sounds as if you don't actually "need" to use a public address based on your original spec, and are doing this to avoid possible conflicts.

Do you have the possibility of disabling access from the Internet to this address?

-- Andrew



On Mon, Aug 24, 2015 at 7:30 PM, Nick Cutting <ncutting at edgetg.co.uk> wrote:
> We are going to roll out TACACS soon, on an ACS appliance and I have hundreds (thousands?) of client devices that need to authenticate back to these appliances.
>
> We will most likely put this directly on a public address, to avoid address conflicts etc. on our "shared services" zone.
>
> Rather than maintain some monster ACL for all the client Public addresses that would need to be updated almost daily - how dangerous is it to just allow UDP port 49 to this device from any source?
> We are going to have to add each device to the ACS server anyway.
>
> Any suggestions welcome
>
> Nick Cutting | Network Engineer | ncutting at edgetg.co.uk

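Added example (not part of the original thread, and not code from either poster): one way to keep the per-endpoint firewall allowlist Andrew describes in step with the list of devices added to ACS, by generating a dedicated iptables chain with a rate-limited LOG rule ahead of the final DROP. The chain name, log prefix, /24 breadth limit, sample addresses and the assumption that the chain is hooked into FORWARD elsewhere are all illustrative; the protocol is a parameter because the thread mentions UDP port 49 while TACACS+ runs over TCP port 49.

```python
import ipaddress

TACACS_PORT = 49             # port named in the thread
CHAIN = "TACACS-IN"          # hypothetical chain name
LOG_PREFIX = "TACACS-DENY "  # hypothetical log prefix to alert on


def parse_clients(lines, min_prefix=24):
    """Validate, de-duplicate and merge inventory entries; refuse broad ranges."""
    nets = []
    for lineno, raw in enumerate(lines, 1):
        entry = raw.split("#", 1)[0].strip()   # allow comments and blank lines
        if not entry:
            continue
        try:
            net = ipaddress.IPv4Network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {entry!r}: {exc}") from None
        if net.prefixlen < min_prefix:         # e.g. 0.0.0.0/0 would mean "any source"
            raise ValueError(f"line {lineno}: {net} is broader than /{min_prefix}")
        nets.append(net)
    return list(ipaddress.collapse_addresses(nets))


def build_ruleset(lines, server_ip, proto="tcp"):
    """Return iptables-restore text: allow listed clients, log then drop the rest."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    server = ipaddress.IPv4Address(server_ip)
    match = f"-d {server}/32 -p {proto} --dport {TACACS_PORT}"
    rules = ["*filter", f":{CHAIN} - [0:0]"]
    for net in parse_clients(lines):
        rules.append(f"-A {CHAIN} -s {net} {match} -j ACCEPT")
    rules.append(f'-A {CHAIN} {match} -m limit --limit 10/min '
                 f'-j LOG --log-prefix "{LOG_PREFIX}"')
    rules += [f"-A {CHAIN} {match} -j DROP", "COMMIT"]
    return "\n".join(rules) + "\n"


# Constructed inventory (documentation address ranges), one client per line.
SAMPLE_INVENTORY = """\
198.51.100.7        # branch router
198.51.100.7/32     # duplicate entry
192.0.2.16/29
192.0.2.24/29       # adjacent to the previous range
""".splitlines()

if __name__ == "__main__":
    print(build_ruleset(SAMPLE_INVENTORY, "203.0.113.10"), end="")
```

Regenerating the chain from the same inventory that feeds ACS keeps the two lists identical, and the TACACS-DENY log lines are the ones to monitor.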