Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1036
Views
15
Helpful
2
Replies

CWCS tftp service

g.hammond
Level 1
Level 1

‎04-27-2006 07:22 AM

Is there a way to configure who or what can or should have access to the built in tftp server on CW? The reason I ask is that our information security folks are seeing TFTP put requests from an internet IP address on their IDS sensors. I'm trying to figure out why.

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎04-27-2006 07:39 AM

I don't think one can configure it on the server. tftp is notoriously insecure. SSH and SCP are better transport choice for remote access to your devices, but present challenges as not all platforms/images support them.

One suggestion would be to acl tftp at your network border. Is there ANY legitimate reason why tftp would be needed across a network demarcation? A "best practice" firewall would have a screening routers on the internal and external side of your proxy server which acl all but allowed protocols and ports (e.g., those services which are set up with proxies).

If that's not practical (or outside you span of control), how about an acl on the CW server's local default gateway (router)? Restrict tftp to address space that you manage.

Hope this helps, please rate helpful posts.

Jason Davis
Cisco Employee
Cisco Employee

‎04-27-2006 08:09 AM

As a protocol TFTP is notoriously insecure (by design *grin*), but we do things in CiscoWorks Common Services and RME to make things a little more secure.

The Solaris TFTP service is run in 'secure' mode which means that a file must exist (even as a zero-K file) before you can place data on the TFTP server. Without this, someone could TFTP you several gig-sized core files and fill up your disk space.

In secure mode, we put a zero-K file in /tftpboot with a name like:

device.cfg.###################

You have to know the exact name before you could drop any file on the server. Since the names aren't easily guessed, there some measure of security there.

We had to add a TFTP server to Windows 2000, but it operates in much the same way.

RCP or SCP are more secure (and possibly faster) transport protocols. If your devices support those and you're up to configuring it, they can also be effective.

Customers Also Viewed These Support Documents