Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

CWCS tftp service

Is there a way to configure who or what can or should have access to the built in tftp server on CW? The reason I ask is that our information security folks are seeing TFTP put requests from an internet IP address on their IDS sensors. I'm trying to figure out why.

Hall of Fame Super Silver

Re: CWCS tftp service

I don't think one can configure it on the server. tftp is notoriously insecure. SSH and SCP are better transport choice for remote access to your devices, but present challenges as not all platforms/images support them.

One suggestion would be to acl tftp at your network border. Is there ANY legitimate reason why tftp would be needed across a network demarcation? A "best practice" firewall would have a screening routers on the internal and external side of your proxy server which acl all but allowed protocols and ports (e.g., those services which are set up with proxies).

If that's not practical (or outside you span of control), how about an acl on the CW server's local default gateway (router)? Restrict tftp to address space that you manage.

Hope this helps, please rate helpful posts.

Cisco Employee

Re: CWCS tftp service

As a protocol TFTP is notoriously insecure (by design *grin*), but we do things in CiscoWorks Common Services and RME to make things a little more secure.

The Solaris TFTP service is run in 'secure' mode which means that a file must exist (even as a zero-K file) before you can place data on the TFTP server. Without this, someone could TFTP you several gig-sized core files and fill up your disk space.

In secure mode, we put a zero-K file in /tftpboot with a name like:


You have to know the exact name before you could drop any file on the server. Since the names aren't easily guessed, there some measure of security there.

We had to add a TFTP server to Windows 2000, but it operates in much the same way.

RCP or SCP are more secure (and possibly faster) transport protocols. If your devices support those and you're up to configuring it, they can also be effective.

CreatePlease to create content