[c-nsp] TACACS/ACS on the internet

Nick Cutting ncutting at edgetg.co.uk
Tue Aug 25 04:06:08 EDT 2015

Thanks James - The reason I cannot use any kind of RT/BGP prefix list magic is that customers' networks are not in VRFs.  We are far more of a hosting shop, with only a handful of customers using us for transit to their other sites.  We are rocking a "1996 design model", with routing so scary that it would bend your bones.

It reminds me of this Ivan Pepelnjak quote: "a network with multiple EIGRP processes (not an uncommon pre-MPLS/VPN solution; I did a network design along the same lines almost 20 years ago)."

We could get a public IP into the inside of the network without too much trouble.

For the ACL automation - are you using expect scripts / RANCID, or something more modern, i.e. a "cloudy orchestration puppet"?

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of James Bensley
Sent: 25 August 2015 08:38
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] TACACS/ACS on the internet

On 24 August 2015 at 10:30, Nick Cutting <ncutting at edgetg.co.uk> wrote:
> We are going to roll out TACACS soon, on an ACS appliance and I have hundreds (thousands?) of client devices that need to authenticate back to these appliances.


> Rather than maintain some monster ACL for all the client Public addresses that would need to be updated almost daily - how dangerous is it to just allow UDP port 49 to this device from any source?

That sounds like a disaster waiting to happen.

My general two pence on this;

Firstly, TACACS (ACS) is full of exploits that can be executed remotely over the web, so this box could get rooted and then from there an attacker could create a new "fully privileged" account and jump on to the rest of your network.

Secondly, without trying to sound like a massive twat, ACL updates could be easily automated without too much headache. I would recommend this for all operations throughout the network anyway, so if you've not got a system like that in place then this could be your driving force to get that ball rolling.

Thirdly, I can appreciate why you would want it on a public IP, but only if that public IP lived "inside" the network, not accessible from the Internet. But again, I can't see how pushing out new RTs to customer VRFs should be too difficult, or add the required IP to a BGP prefix-list so from now on it gets included in advertisements (and whatever changes are needed to push out a new management route) - this shouldn't be much of a struggle for a network operator (in my opinion).

Sorry if that seems a bit ranty but I really don't think it's a good idea.
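James's second point, automating the ACL that fronts the ACS host, as an added example that is not from either poster: a small Python script that renders the IOS extended ACL for a list of customer prefixes, computes the add/remove delta for a routine update, and audits an ACL for the "port 49 from any source" rule the thread advises against. The prefix list, ACS address and ACL name are constructed placeholders, and the script assumes IOS-style named extended ACL syntax.

```python
import ipaddress

# Constructed sample input (not from the thread): customer source prefixes
# and a placeholder address for the ACS appliance.
CUSTOMER_PREFIXES = ["198.51.100.0/24", "203.0.113.16/28", "192.0.2.7/32"]
ACS_HOST = "192.0.2.200"
TACACS_PORT = 49  # TACACS+ listens on TCP port 49


def permit_line(prefix, acs_host):
    """One IOS permit entry for a source prefix (IOS uses wildcard masks)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen == 32:
        src = f"host {net.network_address}"
    else:
        src = f"{net.network_address} {net.hostmask}"
    return f" permit tcp {src} host {acs_host} eq {TACACS_PORT}"


def build_tacacs_acl(prefixes, acs_host, name="TACACS-IN"):
    """Render the full ACL: explicit permits per customer prefix, then a
    logged deny for everything else aimed at the TACACS port."""
    nets = sorted(ipaddress.ip_network(p, strict=True) for p in prefixes)
    lines = [f"ip access-list extended {name}"]
    lines += [permit_line(str(n), acs_host) for n in nets]
    lines.append(f" deny tcp any host {acs_host} eq {TACACS_PORT} log")
    return "\n".join(lines)


def acl_delta(old_prefixes, new_prefixes, acs_host):
    """Routine update: the permit lines to add and the 'no ...' lines to
    remove, so only the changed customers are touched on each push."""
    old = {permit_line(p, acs_host) for p in old_prefixes}
    new = {permit_line(p, acs_host) for p in new_prefixes}
    return sorted(new - old), sorted(" no" + ln for ln in old - new)


def find_open_tacacs_permits(acl_text):
    """Audit: return permit entries that allow the TACACS port (or all IP)
    from 'any' source, i.e. the open-to-the-Internet rule from the thread."""
    hits = []
    for line in acl_text.splitlines():
        t = line.split()
        if t and t[-1] == "log":
            t = t[:-1]
        if len(t) < 3 or t[0] != "permit" or t[2] != "any":
            continue
        if t[1] == "ip" or t[-2:] in (["eq", str(TACACS_PORT)], ["eq", "tacacs"]):
            hits.append(line.strip())
    return hits
```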

cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
