Recipe 17.11 Preventing Unauthorized Configuration Modifications

17.11.1 Problem

You want to ensure that only authorized devices can use SNMP and TFTP to send or receive configuration information.

17.11.2 Solution

You can use the snmp-server tftp-server-list configuration command to restrict which TFTP servers the router can use in response to an SNMP trigger to upload or download configuration information:

Router#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log
Router(config)#snmp-server tftp-server-list 92
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#

17.11.3 Discussion

By default, the router will send or receive configuration information to or from any TFTP server. This is dangerous because the SNMP request that triggers these transfers cannot be fully protected. Recipe 17.5 showed how you can restrict SNMP access to a specified list of devices. But, because SNMP uses UDP, it is not difficult for a malicious user to spoof the source address of an SNMP packet with the IP address of one of these allowed devices, which will cause the router to execute the request. This packet could instruct the router to upload or download configuration information to or from any TFTP server. The attacker could then easily compromise the security of the entire network.

Therefore, we strongly recommend that you use the tftp-server-list command to restrict the TFTP servers to which your router will forward its configuration file and the TFTP servers from which your router will accept configuration changes.

It is important to note that this command restricts only TFTP sessions that the router initiates via SNMP. You can still use other TFTP servers for file transfers initiated from the router's command prompt.

If the access list assigned to the tftp-server-list does not exist, the router implicitly allows access for all TFTP servers.

The example authorizes the router to access only a single TFTP server. Note that the access list is designed to log all unauthorized attempts:

Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log

We highly recommend doing this because it not only prevents unauthorized access, but it also gives you information about what devices have been involved in the attempts. If there are malicious users with access to your network, this can help you to figure out who they are.

Note that this is a global command that affects all SNMP read-write community strings. There is no way to specify a different tftp-server-list for each community string.
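The two pitfalls described above (a tftp-server-list that names an access list which was never defined, so the router silently allows every TFTP server, and an access list without a trailing "deny any log", so unauthorized attempts are never logged) are easy to miss in a large running-config. The following script is an added example written for this recipe, not part of the original cookbook or of Cisco IOS; it audits a saved running-config for exactly those conditions. It assumes the configuration uses numbered standard access lists written on single "access-list" lines, as in the recipe, and does not parse named "ip access-list" blocks. The sample configurations are constructed, and the ACL numbers and addresses in them are placeholders.

```python
import re
from typing import Dict, List, Optional

# Constructed sample running-config excerpts (placeholders, not from a real device).
# Matches the recipe: a single permitted TFTP server and a logging deny.
GOOD_CONFIG = """\
access-list 92 permit 172.25.1.1
access-list 92 deny any log
snmp-server tftp-server-list 92
snmp-server community ORARW rw
"""

# tftp-server-list points at an ACL that is never defined, so the router
# implicitly allows every TFTP server.
MISSING_ACL_CONFIG = """\
snmp-server tftp-server-list 93
snmp-server community ORARW rw
"""

# No tftp-server-list at all: the default, any TFTP server is allowed.
NO_LIST_CONFIG = """\
snmp-server community ORARW rw
"""

# ACL exists but has no explicit "deny any log", so unauthorized
# attempts are dropped by the implicit deny without being logged.
NO_LOG_CONFIG = """\
access-list 92 permit 172.25.1.1
snmp-server tftp-server-list 92
snmp-server community ORARW rw
"""

ACL_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+(.*)$")
TFTP_LIST_RE = re.compile(r"^snmp-server\s+tftp-server-list\s+(\S+)\s*$")
# A read-write community is what makes SNMP-triggered config transfers possible.
RW_COMMUNITY_RE = re.compile(r"^snmp-server\s+community\s+\S+(?:\s+view\s+\S+)?\s+rw\b")


def parse_acls(config: str) -> Dict[str, List[str]]:
    """Collect single-line access-list entries, keyed by ACL number or name."""
    acls: Dict[str, List[str]] = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            entry = f"{m.group(2)} {m.group(3)}".strip()
            acls.setdefault(m.group(1), []).append(entry)
    return acls


def tftp_server_list(config: str) -> Optional[str]:
    """Return the ACL referenced by snmp-server tftp-server-list, if any."""
    for line in config.splitlines():
        m = TFTP_LIST_RE.match(line.strip())
        if m:
            return m.group(1)
    return None


def has_rw_community(config: str) -> bool:
    return any(RW_COMMUNITY_RE.match(line.strip()) for line in config.splitlines())


def audit(config: str) -> List[str]:
    """Return a list of findings; an empty list means the config passes."""
    findings: List[str] = []
    if not has_rw_community(config):
        return findings  # without an rw community SNMP cannot trigger transfers
    acl_id = tftp_server_list(config)
    if acl_id is None:
        findings.append("no snmp-server tftp-server-list: any TFTP server is allowed")
        return findings
    entries = parse_acls(config).get(acl_id)
    if not entries:
        findings.append(f"tftp-server-list references ACL {acl_id} which does not "
                        "exist: router implicitly allows all TFTP servers")
        return findings
    last = entries[-1]
    if not (last.startswith("deny") and "any" in last and last.endswith("log")):
        findings.append(f"ACL {acl_id} does not end with 'deny any log': "
                        "unauthorized attempts will not be logged")
    return findings


if __name__ == "__main__":
    for name, cfg in [("good", GOOD_CONFIG), ("missing-acl", MISSING_ACL_CONFIG),
                      ("no-list", NO_LIST_CONFIG), ("no-log", NO_LOG_CONFIG)]:
        print(name, "->", audit(cfg) or ["OK"])
```

Run it against the output of "show running-config" saved to a file by passing the file contents to audit(); a finding of "does not exist" is the case that matters most, because the router gives no warning when the referenced access list is missing.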

17.11.4 See Also

Recipe 17.1; Recipe 17.5
