Preventing Unauthorized Configuration Modifications
Problem
You want to ensure that only authorized devices can use SNMP and TFTP to send or receive configuration information.
Solution
You can use the snmp-server tftp-server-list configuration command to restrict which TFTP servers the router can use in response to an SNMP trigger to upload or download configuration information:
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log
Router(config)#snmp-server tftp-server-list 92
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#
Beginning with IOS Version 12.3(2)T, support for standard named access lists was added:
Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard TFTPACL
Router2(config-std-nacl)#permit 172.25.1.1
Router2(config-std-nacl)#deny any log
Router2(config-std-nacl)#exit
Router2(config)#snmp-server tftp-server-list TFTPACL
Router2(config)#snmp-server community ORARW rw
Router2(config)#end
Router2#
Discussion
By default, the router will send or receive configuration information to or from any TFTP server. This can be dangerous because the SNMP request that triggers these transfers cannot be 100 percent protected. Recipe 17.6 showed how you can restrict SNMP access to a specified list of devices. But because SNMP uses UDP, it is not difficult for a malicious user to put the IP address of one of these allowed devices in the source field of an SNMP packet, in which case the router will execute the request. This packet could instruct the router to upload or download configuration information to or from any TFTP server. The attacker could then easily compromise the security of the entire network.
Therefore, we strongly recommend that you use the tftp-server-list command to restrict which TFTP servers your router will forward its configuration file to and which TFTP servers your router will accept configuration changes from.
It is important to note that this command only restricts TFTP sessions that the router initiates via SNMP. You can still use other TFTP servers for file transfers initiated from the router's command prompt.
The example authorizes the router to access only a single TFTP server. Notice that the access-list is designed to log all unauthorized attempts:
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log
We highly recommend doing this because it not only prevents unauthorized access, but also gives you information about which devices have been involved in the attempts. If there are malicious users with access to your network, this can help you figure out who they are.
Note that this is a global command that affects all SNMP read-write community strings. There is no way to specify a different tftp-server-list for each community string.
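As an added example (not from the book), here is a small Python audit that checks a saved running-config for the settings this recipe recommends: a tftp-server-list whenever a read-write community exists, an access list that actually exists, and a final "deny any log" entry. It handles both the numbered and the named ACL forms shown above; the config excerpts are constructed and the function names are my own.

```python
import re

# Constructed sample running-config excerpts (not from a real device). GOOD uses the
# numbered ACL from the recipe; WEAK uses a named ACL whose final entry does not log.
GOOD_CONFIG = """\
access-list 92 permit 172.25.1.1
access-list 92 deny any log
snmp-server tftp-server-list 92
snmp-server community ORARW rw
"""
WEAK_CONFIG = """\
ip access-list standard TFTPACL
 permit 172.25.1.1
 deny any
snmp-server tftp-server-list TFTPACL
snmp-server community ORARW rw
"""

def parse_acls(config):
    """Return {acl: [entry, ...]} for numbered and standard named ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) (.+)", line)
        if m:  # numbered form: one line per entry
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
            continue
        m = re.match(r"ip access-list standard (\S+)", line)
        if m:  # named form: entries follow, indented by one space
            current = m.group(1)
            acls.setdefault(current, [])
        elif current and line.startswith(" "):
            acls[current].append(line.strip())
        else:
            current = None
    return acls

def audit_tftp_server_list(config):
    """Return a list of findings; an empty list means the config passes."""
    acls = parse_acls(config)
    has_rw = re.search(r"^snmp-server community \S+ rw\b", config, re.M)
    m = re.search(r"^snmp-server tftp-server-list (\S+)", config, re.M)
    if not m:
        return ["rw community configured but no snmp-server tftp-server-list"] if has_rw else []
    acl = m.group(1)
    entries = acls.get(acl)
    if entries is None:
        return [f"tftp-server-list references undefined ACL {acl}"]
    if not entries or entries[-1] != "deny any log":
        return [f"ACL {acl} does not end with 'deny any log'"]
    return []
```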
See Also
Recipe 17.1; Recipe 17.6