Preventing Unauthorized Configuration Modifications

Problem

You want to ensure that only authorized devices can use SNMP and TFTP to send or receive configuration information.

Solution

You can use the snmp-server tftp-server-list configuration command to restrict which TFTP servers the router can use in response to an SNMP trigger to upload or download configuration information:

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log
Router(config)#snmp-server tftp-server-list 92
Router(config)#snmp-server community ORARW rw
Router(config)#end
Router#

Beginning with IOS Version 12.3(2)T, the command also accepts a standard named access list:

Router2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router2(config)#ip access-list standard TFTPACL
Router2(config-std-nacl)#permit 172.25.1.1
Router2(config-std-nacl)#deny any log
Router2(config-std-nacl)#exit
Router2(config)#snmp-server tftp-server-list TFTPACL
Router2(config)#snmp-server community ORARW rw
Router2(config)#end
Router2#

Discussion

By default, the router will send its configuration to, or accept a configuration from, whatever TFTP server the SNMP request names. This is dangerous because the SNMP request that triggers the transfer cannot be fully protected. Recipe 17.6 showed how to restrict SNMP access to a specified list of devices, but because SNMP runs over UDP, it is not difficult for an attacker to forge a packet whose source address is one of those allowed devices, and the router will execute the request. Such a packet could instruct the router to upload its configuration to, or download a new configuration from, a TFTP server of the attacker's choosing. With a copy of the configuration, or the ability to replace it, the attacker could then compromise the rest of the network.

Therefore, we strongly recommend that you use the tftp-server-list command to restrict which TFTP servers your router will forward its configuration file to and which TFTP servers your router will accept configuration changes from.

It is important to note that this command only restricts TFTP sessions that the router initiates via SNMP. You can still use other TFTP servers for file transfers initiated from the router's command prompt.

If the access list named in the tftp-server-list command does not exist, the router permits all TFTP servers, exactly as if the command were absent. Confirm that the list is actually defined (show access-lists) before relying on this protection, and remember that deleting or renumbering the list later silently removes it.


The example authorizes the router to access only a single TFTP server. Notice that the access-list is designed to log all unauthorized attempts:

Router(config)#access-list 92 permit 172.25.1.1
Router(config)#access-list 92 deny any log

We highly recommend doing this because it not only prevents unauthorized access but also records the source address of every rejected attempt in the router's log (console, buffer, or syslog server, depending on your logging configuration). If there are malicious users with access to your network, this can help you identify them.

Note that this is a global command that affects all SNMP read-write community strings. There is no way to specify a different tftp-server-list for each community string.
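As an added check for the points made in this discussion (example code written for this page, not from the book), the following Python script audits a saved IOS running-config for a read-write community with no tftp-server-list, a list that names an access list that does not exist (which, as noted above, permits every server), a permit any entry, and a list that fails to end with deny any log. The sample configurations are constructed and reuse the recipe's ACL number, community string, and TFTP server address; no real device is queried.

```python
"""Audit IOS configuration text for the snmp-server tftp-server-list protection.

Added example for this recipe, not code from the book.  The sample
configurations below are constructed; the ACL number, community string and
TFTP server address mirror the recipe's own values.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high", "medium" or "ok"
    message: str


def parse_acls(config: str) -> dict[str, list[str]]:
    """Collect numbered and named standard ACL entries, keyed by ACL name/number."""
    acls: dict[str, list[str]] = {}
    current = None  # named ACL whose indented entries we are inside
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"access-list (\S+) (.+)", line)
        if m:  # numbered ACL: one entry per line
            entry = " ".join(m.group(2).split())
            if not entry.startswith("remark"):
                acls.setdefault(m.group(1), []).append(entry)
            current = None
            continue
        m = re.match(r"ip access-list standard (\S+)", line)
        if m:  # named ACL: its entries follow, indented
            current = m.group(1)
            acls.setdefault(current, [])
            continue
        if current is not None and line.startswith(" "):
            entry = " ".join(line.split())
            if not entry.startswith("remark"):
                acls[current].append(entry)
            continue
        current = None  # any other top-level line ends the named ACL block
    return acls


def audit_snmp_tftp(config: str) -> list[Finding]:
    """Check that SNMP-triggered TFTP transfers are restricted to known servers."""
    rw = re.findall(r"^snmp-server community (\S+)(?:\s+view\s+\S+)?\s+rw\b", config, re.M)
    if not rw:
        return [Finding("ok", "no read-write community: SNMP cannot trigger a config transfer")]
    m = re.search(r"^snmp-server tftp-server-list (\S+)", config, re.M)
    if not m:
        return [Finding("high", f"RW community {', '.join(rw)} but no snmp-server "
                        "tftp-server-list: any TFTP server is allowed")]
    acl = m.group(1)
    entries = parse_acls(config).get(acl)
    if entries is None:
        # The caveat from the discussion: a missing ACL means permit everything.
        return [Finding("high", f"tftp-server-list references ACL {acl}, which does "
                        "not exist; IOS then permits every TFTP server")]
    findings: list[Finding] = []
    for e in entries:
        if e.startswith("permit any"):
            findings.append(Finding("high", f"ACL {acl} permits any server: '{e}'"))
    if not entries or not entries[-1].startswith("deny any"):
        findings.append(Finding("medium", f"ACL {acl} relies on the implicit deny, so "
                                "rejected servers are not logged; end it with 'deny any log'"))
    elif not entries[-1].endswith(" log"):
        findings.append(Finding("medium", f"ACL {acl} ends with '{entries[-1]}' without "
                                "'log'; rejected servers are not logged"))
    if not findings:
        allowed = [e.split(None, 1)[1] for e in entries if e.startswith("permit")]
        findings.append(Finding("ok", f"ACL {acl} limits SNMP-triggered TFTP to: {', '.join(allowed)}"))
    return findings


# Constructed sample configurations (not captured from a real device).
SAMPLE_GOOD = """\
hostname Router
access-list 92 permit 172.25.1.1
access-list 92 deny any log
snmp-server tftp-server-list 92
snmp-server community ORARW rw
"""
SAMPLE_NAMED = """\
hostname Router2
ip access-list standard TFTPACL
 permit 172.25.1.1
 deny   any log
snmp-server tftp-server-list TFTPACL
snmp-server community ORARW rw
"""
SAMPLE_MISSING_ACL = SAMPLE_GOOD.replace("tftp-server-list 92", "tftp-server-list 93")
SAMPLE_NO_LIST = SAMPLE_GOOD.replace("snmp-server tftp-server-list 92\n", "")
SAMPLE_NO_LOG = SAMPLE_GOOD.replace("access-list 92 deny any log\n", "")

if __name__ == "__main__":
    samples = [("good", SAMPLE_GOOD), ("named", SAMPLE_NAMED),
               ("missing-acl", SAMPLE_MISSING_ACL), ("no-list", SAMPLE_NO_LIST),
               ("no-log", SAMPLE_NO_LOG)]
    for name, cfg in samples:
        for f in audit_snmp_tftp(cfg):
            print(f"{name:12} {f.severity:6} {f.message}")
```

Feed it the output of show running-config saved to a file; a "high" finding means an SNMP set from a spoofed source could still move the configuration to or from an arbitrary TFTP server, and a "medium" finding means the restriction is in place but rejected attempts leave no trace in the log.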

See Also