[c-nsp] TACACS/ACS on the internet

Enno Rey erey at ernw.de
Tue Aug 25 04:43:02 EDT 2015


On Mon, Aug 24, 2015 at 09:30:24AM +0000, Nick Cutting wrote:
> We are going to roll out TACACS soon, on an ACS appliance and I have hundreds (thousands?) of client devices that need to authenticate back to these appliances.
> We will most likely put this directly on a public address, to avoid address conflicts etc. on our "shared services" zone. 
> Rather than maintain some monster ACL for all the client Public addresses that would need to be updated almost daily - how dangerous is it to just allow UDP port 49 to this device from any source?

as another guy mentioned, Cisco ACS has a long history of security vulnerabilities (just some months ago this one: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150211-csacs). To the best of my knowledge none of the vulnerabilities of the last years affected TACACS/UDP port 49 itself, though; they mostly affected the web interface. From that angle it might be "doable", depending on your risk appetite.

You might keep two other things in mind: 
- exposing any UDP port to the Internet _might_ create abuse potential for reflection attacks. I don't remember TACACS(+) well enough to judge if one can create an amplification factor with unauthenticated initial packets.
- there have been "some recent advances" with regard to decoding and cracking/bruteforcing TACACS credentials from sniffed traffic, see https://www.insinuator.net/2015/06/tacacs-module-for-loki/. So depending on the path the TACACS traffic takes and on the quality of credentials there might be another attack vector to consider.



> We are going to have to add each device to the ACS server anyway.
> Any suggestions welcome
> Nick Cutting | Network Engineer | ncutting at edgetg.co.uk

Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
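The "monster ACL" Nick wants to avoid maintaining by hand can be generated from the same device inventory the ACS has to hold anyway (every client gets added to the ACS, as the original question says). The script below is an added example and not code from this thread or from Cisco; the inventory, the ACS address and the ACL name are constructed. It collapses host and prefix entries into the smallest set of networks, emits a Cisco IOS extended ACL that permits only those sources to TCP/49 on the ACS (TACACS+ itself runs over TCP port 49; the thread refers to UDP) with a logged deny for everything else, and diffs the desired ACL against the deployed one so that the daily update is a small, reviewable change instead of a full rewrite.

```python
"""Generate a TACACS+ client ACL from a device inventory and diff it against
the deployed ACL. Added example; inventory, ACS address and ACL name are
constructed, not taken from the thread."""
import ipaddress
from typing import Iterable

# Constructed inventory: management addresses the ACS already knows about.
# In practice this list would be exported from the ACS network-device list.
INVENTORY = [
    ("rtr-lon-01", "203.0.113.10"),
    ("rtr-lon-02", "203.0.113.11"),
    ("sw-par-01",  "198.51.100.0/29"),   # a whole management block
    ("sw-par-02",  "198.51.100.4"),       # already covered by the /29 above
    ("rtr-ams-01", "192.0.2.77"),
]

ACS_HOST = "203.0.113.250"   # constructed ACS address
TACACS_PORT = 49             # TACACS+ listens on TCP/49


def summarize(entries: Iterable[tuple[str, str]]) -> list[ipaddress.IPv4Network]:
    """Collapse host and prefix entries into the minimal set of IPv4 networks.
    Adjacent hosts become a supernet; hosts inside a listed block disappear."""
    nets = [ipaddress.ip_network(addr, strict=False) for _, addr in entries]
    return sorted(ipaddress.collapse_addresses(nets))


def ios_source(net: ipaddress.IPv4Network) -> str:
    """Render a network in IOS extended-ACL source syntax (host / wildcard mask)."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def build_acl(name: str, entries, acs_host: str = ACS_HOST) -> list[str]:
    """Return the ACL lines: one permit per summarized source, then a logged
    deny so that unexpected connection attempts to port 49 show up in syslog."""
    lines = [f"ip access-list extended {name}"]
    for net in summarize(entries):
        lines.append(f" permit tcp {ios_source(net)} host {acs_host} eq {TACACS_PORT}")
    lines.append(f" deny tcp any host {acs_host} eq {TACACS_PORT} log")
    return lines


def acl_diff(deployed: list[str], desired: list[str]) -> tuple[list[str], list[str]]:
    """Return (entries to add, entries to remove) between two ACL bodies,
    ignoring the header line and the order of the entries."""
    old = set(deployed[1:])
    new = set(desired[1:])
    return sorted(new - old), sorted(old - new)


if __name__ == "__main__":
    acl = build_acl("TACACS-CLIENTS", INVENTORY)
    print("\n".join(acl))
    # Simulate tomorrow's inventory with one new device and show the delta.
    tomorrow = INVENTORY + [("rtr-ams-02", "192.0.2.78")]
    add, remove = acl_diff(acl, build_acl("TACACS-CLIENTS", tomorrow))
    print("add:", add)
    print("remove:", remove)
```

The logged deny at the end is the part worth keeping even if the permit list is trusted: it turns every scan or stray connection against port 49 into a syslog line, which is the cheapest detection available for a service that is reachable from the Internet.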
