Preventing Unauthorized Configuration Modifications

Problem

You want to ensure that only authorized devices can use SNMP and TFTP to send or receive configuration information.

Solution

You can use the snmp-server tftp-server-list configuration command to restrict which TFTP servers the router can use in response to an SNMP trigger to upload or download configuration information:

Router#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log  
Router(config)#snmp-server tftp-server-list 92
Router(config)#snmp-server community ORARW rw 
Router(config)#end
Router#

Begin with IOS Version 12.3(2)T; support for standard named access lists was added:

Router2#configure terminal 
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard TFTPACL 
Router2(config-std-nacl)#permit 172.25.1.1
Router2(config-std-nacl)#deny any log 
Router2(config-std-nacl)#exit
Router2(config)#snmp-server tftp-server-list TFTPACL
Router2(config)#snmp-server community ORARW rw 
Router2(config)#end
Router2#

 

Discussion

By default, the router will send or receive configuration information to any TFTP server. But this can be dangerous because the SNMP request that triggers these transfers cannot be 100 percent protected. Recipe 17.6 showed how you can restrict SNMP access to a specified list of devices. But because SNMP uses UDP, it is not difficult for a malicious user to put the IP address of one of these allowed devices in the source of an SNMP packet, which means that the router will execute the request. This packet could instruct the router to upload or download configuration information to or from any TFTP server. The attacker could then easily compromise the security of the entire network.

Therefore, we strongly recommend that you use the tftp-server-list command to restrict which TFTP servers your router will forward its configuration file to and which TFTP servers your router will accept configuration changes from.

It is important to note that this command only restricts TFTP sessions that the router initiates via SNMP. You can still use other TFTP servers for file transfers initiated from the router's command prompt.

If the access-list assigned to the tftp-server-list does not exist, then the router implicitly allows access for all TFTP servers.

The example authorizes the router to access only a single TFTP server. Notice that the access-list is designed to log all unauthorized attempts:

Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log  

We highly recommend doing this because it not only prevents unauthorized access, but it also gives you information about what devices have been involved in the attempts. If there are malicious users with access to you network, this can help you figure out who they are.

Note that this is a global command that affects all SNMP read-write community strings. There is no way to specify a different tftp-server-list for each community string.

See Also

Recipe 17.1; Recipe 17.6

Router Configuration and File Management

Router Management

User Access and Privilege Levels

TACACS+

IP Routing

RIP

EIGRP

OSPF

BGP

Frame Relay

Handling Queuing and Congestion

Tunnels and VPNs

Dial Backup

NTP and Time

DLSw

Router Interfaces and Media

Simple Network Management Protocol

Logging

Access-Lists

DHCP

NAT

First Hop Redundancy Protocols

IP Multicast

IP Mobility

IPv6

MPLS

Security

Appendix 1. External Software Packages

Appendix 2. IP Precedence, TOS, and DSCP Classifications

Index



Cisco IOS Cookbook
Cisco IOS Cookbook (Cookbooks (OReilly))
ISBN: 0596527225
EAN: 2147483647
Year: 2004
Pages: 505

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net