Snort mailing list archives

Re: TFTP Get


From: Rich Adamson <radamson () routers com>
Date: Wed, 19 Mar 2003 06:30:13 -0600

Yes, tftp is unauthenticated. That alone is not grounds to call it "nasty", 
as so are most http and smtp transactions.

It is however nasty to use it in a situation where you want some security, 
such as using it to load configs into routers. I'll agree that's a 
gigantic flaw in Cisco's routers that they even support tftp configuration.

For those that haven't had to manage large numbers of routers, Cisco does
not implement a tftp _server_ function in its default router configuration 
(unlike Nortel, where this function has been implemented by default for 
years and a fair number of managers do not change it). Both companies give 
you plenty of rope to be able to hang yourself if you so choose.

Loading a Cisco config via tftp either requires that you know the router
login sequence, you have the snmp read-write community string necessary
to remotely request the config load, or, someone purposefully implemented 
the tftp server config.  All of which _should_ be limited by access lists
and/or other trivial security measures that have been documented for years.

If you think tftp is a bad idea, how about Nortel's approach using snmp
(via Site Manager) to config _everything_ using the Unreliable Data
Protocol (udp) and best-effort packet delivery, knowing full well that
a single missing snmp packet will hose the config.
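The post argues that tftp config loads are only acceptable when the hosts allowed to move router configs are pinned down by access lists. As an added illustration (not part of the original post), here is a small detector in the spirit of an IDS rule: it decodes TFTP read/write requests per RFC 1350 and flags config-file transfers from hosts outside an allowlist. The allowlist, the filename hints and the sample packets are constructed assumptions.

```python
import struct

# TFTP opcodes from RFC 1350: read request and write request
RRQ, WRQ = 1, 2

# Constructed allowlist: hosts permitted to pull/push router configs (assumption)
ALLOWED_CONFIG_HOSTS = {"192.0.2.10"}
# Constructed filename fragments that suggest a router config file (assumption)
CONFIG_HINTS = ("confg", "config", "startup", "running")


def parse_request(payload: bytes):
    """Decode a TFTP request: opcode(2 bytes) | filename | NUL | mode | NUL.
    Returns None for anything that is not a well-formed RRQ/WRQ."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    return {"op": "RRQ" if opcode == RRQ else "WRQ",
            "filename": fields[0].decode("ascii", "replace"),
            "mode": fields[1].decode("ascii", "replace").lower()}


def classify(src_ip: str, payload: bytes) -> str:
    """Label a UDP payload seen on port 69: ignore non-requests, note plain
    requests, and alert on config-file transfers from non-allowlisted hosts."""
    req = parse_request(payload)
    if req is None:
        return "ignore"
    name = req["filename"].lower()
    if not any(hint in name for hint in CONFIG_HINTS):
        return "tftp-request"
    if src_ip in ALLOWED_CONFIG_HOSTS:
        return "config-transfer-allowed"
    return f"ALERT config {req['op']} {req['filename']} from {src_ip}"


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """Build a TFTP RRQ/WRQ packet (used here only to construct sample traffic)."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


if __name__ == "__main__":
    # Constructed sample traffic: a management host, an unknown host, a DATA block
    for ip, pkt in [("192.0.2.10", build_request(RRQ, "router1-confg")),
                    ("198.51.100.7", build_request(WRQ, "startup-config")),
                    ("198.51.100.7", build_request(RRQ, "image.bin")),
                    ("198.51.100.7", b"\x00\x03\x00\x01data")]:
        print(ip, classify(ip, pkt))
```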
