Is there a way to configure who or what can or should have access to the built in tftp server on CW? The reason I ask is that our information security folks are seeing TFTP put requests from an internet IP address on their IDS sensors. I'm trying to figure out why.
I don't think one can configure it on the server. TFTP is notoriously insecure. SSH and SCP are better transport choices for remote access to your devices, but present challenges as not all platforms/images support them.
One suggestion would be to acl tftp at your network border. Is there ANY legitimate reason why tftp would be needed across a network demarcation? A "best practice" firewall would have screening routers on the internal and external sides of your proxy server which acl all but allowed protocols and ports (e.g., those services which are set up with proxies).
If that's not practical (or outside your span of control), how about an acl on the CW server's local default gateway (router)? Restrict tftp to address space that you manage.
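As an added illustration of the gateway ACL suggested in this reply (example configuration written for this page, not from the thread or from CiscoWorks), assuming Cisco IOS on the router, with 10.0.0.0/8 standing in for the address space you manage, 10.1.1.10 for the CW server and GigabitEthernet0/0 for the interface facing the server VLAN:

```cisco
! Added example (hypothetical addresses and interface names) of restricting
! TFTP (UDP/69) to managed address space on the CW server's default gateway.
! Blocking the initial request to port 69 is enough: a transfer never starts,
! so the ephemeral data ports never come into play.
ip access-list extended TFTP-TO-CW
 remark Only devices in managed address space may reach the CW TFTP service
 permit udp 10.0.0.0 0.255.255.255 host 10.1.1.10 eq tftp
 remark Log and drop any other TFTP request aimed at the server
 deny   udp any host 10.1.1.10 eq tftp log
 remark Leave all other traffic to the server alone (SSH, SCP/RCP, HTTP, ...)
 permit ip any any
!
interface GigabitEthernet0/0
 description Toward CiscoWorks server VLAN
 ip access-group TFTP-TO-CW out
```

The log keyword on the deny entry produces a syslog message for each blocked request, which lets you correlate the router's view with what the IDS sensors report.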
As a protocol TFTP is notoriously insecure (by design *grin*), but we do things in CiscoWorks Common Services and RME to make things a little more secure.
The Solaris TFTP service is run in 'secure' mode which means that a file must exist (even as a zero-K file) before you can place data on the TFTP server. Without this, someone could TFTP you several gig-sized core files and fill up your disk space.
In secure mode, we put a zero-K file in /tftpboot with a name like:
You have to know the exact name before you could drop any file on the server. Since the names aren't easily guessed, there is some measure of security there.
We had to add a TFTP server to Windows 2000, but it operates in much the same way.
RCP or SCP are more secure (and possibly faster) transport protocols. If your devices support those and you're up to configuring it, they can also be effective.