TFTP server protection with Context-Based Access Control (CBAC)


By Ivan Pepelnjak

Symptom TFTP clients cannot access a TFTP server even though the access lists protecting the TFTP server allow traffic to and from UDP port 69.
Diagnosis Many TFTP servers use random UDP port numbers for individual TFTP sessions in accordance with sections 3 and 4 of RFC 1350 (TFTP misuses UDP port numbers as transfer identifiers).
Solution A regular IOS access list would have to permit UDP traffic to and from all high-numbered UDP ports on the TFTP server, resulting in an obvious security threat.

To protect the TFTP server (or its clients), you should use CBAC with application-level inspection of TFTP packets (configured with the ip inspect name rule tftp command) or a zone-based firewall configuration.

CBAC cannot inspect TFTP packets generated by the router on which CBAC is configured.
The TFTP server in Cisco IOS does not use high-numbered UDP ports; all file transfers are initiated from server port 69.


Sample TFTP session setup

The following screenshots illustrate the TFTP UDP port usage of a standard Linux TFTP server. When the command copy running-configuration tftp://10.17.0.2/x is issued on a router, the following packet is sent to the TFTP server (UDP port 69):

Image:TFTP_Step_1.png

The Linux TFTP server allocates a random UDP port and sends its reply from that port to the source port of the client's request:

Image:TFTP_Step_2.png

Subsequent TFTP packets use the pair of random high-numbered UDP ports (one assigned by the client, the other one by the server) to transfer the file:

Image:TFTP_Step_3.png
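The port behaviour shown in the three steps above is what makes plain UDP session tracking fail and TFTP-aware inspection succeed. The following Python model, added here and not part of the original article, replays a TFTP write through both strategies; the addresses and the client/server port numbers come from the article's testbed and log, while the class and function names are mine.

```python
from collections import namedtuple
CLIENT, SERVER, TFTP_PORT = "10.17.0.10", "10.17.0.2", 69
SERVER_TIDS = (54228, 41685, 40241, 56329, 40006)   # server ports seen in the article's log
Packet = namedtuple("Packet", "src sport dst dport")

class UdpInspector:
    """Plain UDP inspection: a return packet passes only if it exactly
    reverses the 4-tuple of a packet seen in the inspected direction."""
    def __init__(self):
        self.sessions = set()
    def outbound(self, p):
        self.sessions.add((p.src, p.sport, p.dst, p.dport))
    def allow_inbound(self, p):
        return (p.dst, p.dport, p.src, p.sport) in self.sessions

class TftpInspector(UdpInspector):
    """TFTP-aware inspection ('ip inspect name FW tftp'): a request to port 69 leaves
    a pending channel; the server's first reply, from any port, completes it."""
    def __init__(self):
        super().__init__()
        self.pending = set()                # (client, client TID, server)
    def outbound(self, p):
        super().outbound(p)
        if p.dport == TFTP_PORT:
            self.pending.add((p.src, p.sport, p.dst))
    def allow_inbound(self, p):
        key = (p.dst, p.dport, p.src)
        if key in self.pending:             # learn the server TID, open the data channel
            self.pending.discard(key)
            self.sessions.add((p.dst, p.dport, p.src, p.sport))
            return True
        return super().allow_inbound(p)

def simulate(inspector, blocks=3):
    """Write a file through the firewall (WRQ, then DATA/ACK).  The client retransmits
    the WRQ while no reply arrives; the server answers each one from a fresh TID.
    Returns (data blocks delivered, server replies dropped)."""
    client_tid, dropped = 59591, 0
    for server_tid in SERVER_TIDS:
        inspector.outbound(Packet(CLIENT, client_tid, SERVER, TFTP_PORT))   # WRQ
        if inspector.allow_inbound(Packet(SERVER, server_tid, CLIENT, client_tid)):
            break                           # ACK 0 arrived: client learned the server TID
        dropped += 1
    else:
        return 0, dropped                   # every reply dropped; transfer never starts
    delivered = 0
    for _ in range(blocks):
        inspector.outbound(Packet(CLIENT, client_tid, SERVER, server_tid))  # DATA
        if inspector.allow_inbound(Packet(SERVER, server_tid, CLIENT, client_tid)):
            delivered += 1                  # ACK for this block
    return delivered, dropped
```

The plain inspector also models the inside-server case described later on this page: once the server's first reply has been inspected, the client's DATA packets reverse its 4-tuple exactly and need no TFTP-specific handling.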

Sample network topology

CBAC inspection of TFTP traffic is illustrated in the simple network shown in the following figure. The TFTP client (IP address 10.17.0.10) tries to access the TFTP server (IP address 10.17.0.2).

Image:TFTP_Testbed.png

CBAC configuration with an outside server

If the TFTP server is attached to a segment that is less trusted than the segment of the TFTP client, you have to configure outbound CBAC:

  1. Configure CBAC rules with the ip inspect name global configuration command.
  2. Configure CBAC inspection of outbound traffic on the server segment with the ip inspect out interface configuration command.
  3. Configure an access list for return traffic from the TFTP server (the access list in the example permits nothing and only logs denied packets, so return traffic can enter only through the openings CBAC creates).
  4. Filter inbound traffic on the server segment with the access list using the ip access-group in interface configuration command.

Configuration of the firewall router

no service timestamps debug uptime
service timestamps log datetime msec
!
hostname FW
!
ip cef
!
ip inspect name FW tftp
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
!
interface FastEthernet0/0
 description Inside
 ip address 10.17.0.9 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Outside
 ip address 10.17.0.1 255.255.255.252
 ip access-group FW in
 ip inspect FW out
!
ip access-list extended FW
 deny   ip any any log
!
end 

You can debug the TFTP inspection with the debug ip inspect tftp command. When the client writes a file to the server, the router generates the following debugging messages:

CBAC TFTP debugging

TFTP DATA Channel 6564FE28 state SIS_OPENING
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : DATA, packet length : 516
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : DATA, packet length : 516
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : DATA, packet length : 516
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : DATA, packet length : 235
TFTP : Last data pkt seen
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP : removing sis extension 0x650365F8
FIREWALL sis 6564FE28 tftp-data L7 inspect result: PASS packet and close session 

To test the need for application-level TFTP inspection, remove the ip inspect name FW tftp global configuration command. The TFTP client can no longer access the TFTP server and the firewall router logs numerous dropped UDP packets, each one with a different UDP source port (the dropped packets are TFTP responses to the initial requests sent by the client).

00:05:20.547: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(54228) -> 10.17.0.10(59591), 1 packet 
00:05:23.555: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(41685) -> 10.17.0.10(59591), 1 packet 
00:05:27.531: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(40241) -> 10.17.0.10(59591), 1 packet 
00:05:32.555: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(56329) -> 10.17.0.10(59591), 1 packet 
00:05:38.539: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(40006) -> 10.17.0.10(59591), 1 packet 
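A triage check for the symptom just described, added here and not from the original article: it parses IOS %SEC-6-IPACCESSLOGP messages and reports UDP denies where one server address hits the same client port from several different source ports, the signature of blocked TFTP data-channel replies. The five sample lines are the article's own log; the two extra lines and the function name are constructed.

```python
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

# The article's own log lines plus two constructed ones that must not be reported.
SAMPLE_LOG = """\
00:05:20.547: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(54228) -> 10.17.0.10(59591), 1 packet
00:05:23.555: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(41685) -> 10.17.0.10(59591), 1 packet
00:05:27.531: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(40241) -> 10.17.0.10(59591), 1 packet
00:05:32.555: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(56329) -> 10.17.0.10(59591), 1 packet
00:05:38.539: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(40006) -> 10.17.0.10(59591), 1 packet
00:05:40.001: %SEC-6-IPACCESSLOGP: list FW denied tcp 10.17.0.2(80) -> 10.17.0.10(40001), 1 packet
00:05:41.002: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(123) -> 10.17.0.10(123), 1 packet
""".splitlines()

def find_tftp_reply_drops(lines, min_ports=3):
    """Group denied UDP packets by (acl, server, client, client port) and return the
    groups whose denied source ports span at least min_ports distinct values, which
    is how the replies of a TFTP server blocked by a non-TFTP-aware firewall look."""
    groups = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m["proto"] == "udp":
            key = (m["acl"], m["src"], m["dst"], int(m["dport"]))
            groups[key].add(int(m["sport"]))
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_ports}

if __name__ == "__main__":
    for (acl, server, client, port), sports in find_tftp_reply_drops(SAMPLE_LOG).items():
        print(f"list {acl}: {server} -> {client}:{port} denied from {len(sports)} ports {sports}")
```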

CBAC configuration with an inside server

If you want to protect the TFTP server from its clients, you have to configure inbound CBAC:

  1. Configure CBAC rules with the ip inspect name global configuration command.
  2. Configure an access list that permits UDP traffic to the server's TFTP port (UDP 69).
  3. Filter outbound traffic on the server segment with the access list using the ip access-group out interface configuration command.
  4. Configure CBAC inspection of inbound traffic on the server segment with the ip inspect in interface configuration command.

The firewall router configuration is shown in the following printout:

Configuration of the firewall router (TFTP server in protected segment)

no service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname FW
!
ip cef
!
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
!
interface FastEthernet0/0
 description Client LAN
 ip address 10.17.0.9 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Protected server
 ip dhcp client client-id FastEthernet0/1
 ip address 10.17.0.1 255.255.255.252
 ip access-group TFTP out
 ip inspect FW in
!
ip access-list extended TFTP
 permit udp any host 10.17.0.2 eq tftp
 deny   ip any any log
!
end

When the firewall router protects the segment of the TFTP server, you don't need application-level inspection of the TFTP traffic, as the first UDP packet sent by the server creates a new UDP session.
