TFTP server protection with Context-Based Access Control (CBAC)
From CT3
| Symptom | TFTP clients cannot access a TFTP server even though the access lists protecting the TFTP server allow traffic to and from UDP port 69. |
| Diagnosis | Many TFTP servers use random UDP port numbers for individual TFTP sessions in accordance with sections 3 and 4 of RFC 1350 (TFTP uses UDP port numbers as transfer identifiers). |
| Solution | A regular IOS access list would have to permit UDP traffic to and from all high-numbered UDP ports on the TFTP server, resulting in an obvious security threat. To protect the TFTP server (or its clients), you should use CBAC with application-level inspection of TFTP packets (configured with ip inspect name rule tftp) or zone-based firewall configuration. |
Sample TFTP session setup
The following screenshots illustrate the TFTP UDP port usage of a standard Linux TFTP server. When the command copy running-configuration tftp://10.17.0.2/x is issued on a router, the following packet is sent to the TFTP server (UDP port 69):
The Linux TFTP server allocates a random UDP port and sends a reply from that port to the source port of the UDP request:
Subsequent TFTP packets use the pair of random high-numbered UDP ports (one assigned by the client, the other one by the server) to transfer the file:
Sample network topology
CBAC inspection of TFTP traffic will be illustrated in a simple network shown in the following figure. The TFTP client (IP address 10.17.0.10) will try to access the TFTP server (IP address 10.17.0.2).
CBAC configuration with an outside server
If the TFTP server is attached to a segment that is less trusted than the segment of the TFTP client, you have to configure outbound CBAC:
- Configure CBAC rules with the ip inspect name global configuration command.
- Configure CBAC inspection of outbound traffic on the server segment with the ip inspect out interface configuration command.
- Configure an access list for return traffic from the TFTP server (an empty access list is used in the example).
- Filter inbound traffic on the server segment with the access list using the ip access-group in interface configuration command.
Configuration of the firewall router
no service timestamps debug uptime
service timestamps log datetime msec
!
hostname FW
!
ip cef
!
ip inspect name FW tftp
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
!
interface FastEthernet0/0
 description Inside
 ip address 10.17.0.9 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Outside
 ip address 10.17.0.1 255.255.255.252
 ip access-group FW in
 ip inspect FW out
!
ip access-list extended FW
 deny ip any any log
!
end
You can debug the TFTP inspection with the debug ip inspect tftp command. When the client writes a file to the server, the router generates the following debugging messages:
CBAC TFTP debugging
TFTP DATA Channel 6564FE28 state SIS_OPENING
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : DATA, packet length : 516
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : DATA, packet length : 516
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : DATA, packet length : 516
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : DATA, packet length : 235
TFTP : Last data pkt seen
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP DATA Channel 6564FE28 state SIS_OPEN
TFTP Code : ACK
TFTP : removing sis extension 0x650365F8
FIREWALL sis 6564FE28 tftp-data L7 inspect result: PASS packet and close session
To test the need for application-level TFTP inspection, remove the ip inspect name FW tftp global configuration command. The TFTP client can no longer access the TFTP server and the firewall router logs numerous dropped UDP packets, each one with a different UDP source port (the dropped packets are TFTP responses to the initial requests sent by the client).
00:05:20.547: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(54228) -> 10.17.0.10(59591), 1 packet
00:05:23.555: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(41685) -> 10.17.0.10(59591), 1 packet
00:05:27.531: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(40241) -> 10.17.0.10(59591), 1 packet
00:05:32.555: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(56329) -> 10.17.0.10(59591), 1 packet
00:05:38.539: %SEC-6-IPACCESSLOGP: list FW denied udp 10.17.0.2(40006) -> 10.17.0.10(59591), 1 packet
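The following Python model is an added example (not part of the original page and not Cisco's implementation) of the behaviour described in the session setup and in the log above: a stateless access list that only knows about UDP port 69 drops every server reply, while an inspector that tracks RFC 1350 transfer identifiers the way CBAC TFTP inspection conceptually does passes the whole session. The packets and the inspector logic are constructed for illustration; the addresses and port numbers are taken from the page.

```python
from typing import List, Set, Tuple
# A packet is a constructed 4-tuple: (src_ip, src_port, dst_ip, dst_port).
Packet = Tuple[str, int, str, int]
TFTP_PORT = 69

def stateless_acl(pkt: Packet) -> bool:
    """Model of an access list that permits UDP to and from port 69 only.
    TFTP data packets use two random TIDs (RFC 1350), so none of them match."""
    return TFTP_PORT in (pkt[1], pkt[3])

class TftpInspector:
    """Conceptual model of stateful TFTP inspection (not Cisco's implementation):
    a request to UDP/69 opens a half-session; the first server reply binds the
    server's random TID; afterwards only that exact 4-tuple is permitted."""

    def __init__(self) -> None:
        self.half_open: Set[Tuple[str, int, str]] = set()      # (client, ctid, server)
        self.sessions: Set[Tuple[str, int, str, int]] = set()  # (client, ctid, server, stid)

    def from_client(self, pkt: Packet) -> bool:
        c_ip, c_tid, s_ip, s_port = pkt
        if s_port == TFTP_PORT:                    # RRQ/WRQ to the well-known port
            self.half_open.add((c_ip, c_tid, s_ip))
            return True
        return (c_ip, c_tid, s_ip, s_port) in self.sessions

    def from_server(self, pkt: Packet) -> bool:
        s_ip, s_tid, c_ip, c_tid = pkt
        if (c_ip, c_tid, s_ip, s_tid) in self.sessions:
            return True
        if (c_ip, c_tid, s_ip) in self.half_open:  # first reply: learn the server TID
            self.half_open.discard((c_ip, c_tid, s_ip))
            self.sessions.add((c_ip, c_tid, s_ip, s_tid))
            return True
        return False                               # unsolicited high-port UDP: drop

def run_session() -> Tuple[List[bool], List[bool]]:
    """Replay a constructed write session (page addresses, TIDs from its log: client 59591,
    server 54228) plus one packet from an unrelated server port; True means 'permit'."""
    client, server = "10.17.0.10", "10.17.0.2"
    flow = [
        ("c", (client, 59591, server, TFTP_PORT)),  # WRQ
        ("s", (server, 54228, client, 59591)),      # ACK block 0 from a random TID
        ("c", (client, 59591, server, 54228)),      # DATA block 1
        ("s", (server, 54228, client, 59591)),      # ACK block 1
        ("s", (server, 41685, client, 59591)),      # not part of the bound session
    ]
    insp = TftpInspector()
    stateful = [insp.from_client(p) if d == "c" else insp.from_server(p) for d, p in flow]
    return stateful, [stateless_acl(p) for _, p in flow]
```

The stateless list permits only the initial request, which is exactly the pattern of the denied replies logged above.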
CBAC configuration with an inside server
If you want to protect the TFTP server from its clients, you have to configure inbound CBAC:
- Configure CBAC rules with the ip inspect name global configuration command.
- Configure an access list that permits UDP traffic to the server's TFTP port.
- Filter outbound traffic on the server segment with the access list using the ip access-group out interface configuration command.
- Configure CBAC inspection of inbound traffic on the server segment with the ip inspect in interface configuration command.
The firewall router configuration is shown in the following printout:
Configuration of the firewall router (TFTP server in protected segment)
no service timestamps debug uptime
service timestamps log datetime msec
no service password-encryption
!
hostname FW
!
ip cef
!
ip inspect name FW icmp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW tcp router-traffic
!
interface FastEthernet0/0
 description Client LAN
 ip address 10.17.0.9 255.255.255.252
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description Protected server
 ip dhcp client client-id FastEthernet0/1
 ip address 10.17.0.1 255.255.255.252
 ip access-group TFTP out
 ip inspect FW in
!
ip access-list extended TFTP
 permit udp any host 10.17.0.2 eq tftp
 deny ip any any log
!
end