[EMAIL PROTECTED] wrote:
> 
> I assume (and have the logs to show it) that I'm being scanned and probed
> constantly.  No, not every instant, but opening even small windows of
> opportunity is something I prefer not doing.

In that case why are you even using TFTP? There is still a short period
of time when the device is open. The only way to ensure that "even a
small window" is not opened is to disconnect the device from the wire
first. Then it doesn't matter if you TFTP or Telnet.

IMHO you are talking about a difference in load time of milliseconds
(TFTP vs paste w/Telnet). Not enough to label this as "significant".
True we all get probed all the time, but what are the statistical
chances that an attacker will launch in that few millisecond difference
between TFTP and Telnet? Even then, enough of an exchange has to take
place to cause a problem (DoS, load a trojan, etc.). We're down to
theory vs. real world. In theory you are correct, in practice I would
love to hear about even one episode where using TFTP vs pasting access
lists through a Telnet session would have prevented an attack.

> As to whether a tftp (or rcp) config load is completely atomic, I cannot say

The functionality is identical. The difference is loading directly from
the device (TFTP) vs. over the wire (paste through Telnet). In both
cases you need to wipe the existing access lists and load the new ones.
The difference in load time will vary depending on your connect speed to
the device. For example an access list containing 200KB of data would
require an additional 22 ms to load (approximate based on current wire
utilization of a 10 Mb segment). 

> But there is another more
> severe exposure with "conf term" that tftp doesn't have.  From an old article of
> mine in comp.dcom.sys.cisco:
> 
> When the first command is entered you perhaps no longer have any
> filters on some interface.  This is possibly a security exposure
> (maybe only for a short time), but it doesn't prevent you from
> completing the config.

Same as above.

> When the second command is entered, you also now have the implicit
> "deny ip any any".  This can be a session killer, including the telnet
> or tftp session being used to change the configuration. 

This would kill Telnet but not TFTP. Also, this is a functionality
issue, not a security issue. If the router is dropping everything
(except maybe the first rule), there is no "exposure".

Don't get me wrong, I prefer TFTP to Telnet as well. It's a functionality
thing however, not a security thing.

Cheers,
Chris
-- 
**************************************
[EMAIL PROTECTED]

* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
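The exchange above argues about two things: the unfiltered window opened when an access list is wiped before its replacement is pasted in, and the implicit "deny ip any any" that appears as soon as the first new entry exists. The following model is an added example, not code from the original thread or from any Cisco software. It models the IOS behaviours the posters rely on (top-down first-match evaluation, an implicit deny at the end of every list, and an interface whose access-group names an ACL with no entries filtering nothing) and compares a line-by-line paste against an atomic replacement for two constructed flows: the admin's own telnet session and an outside probe. All addresses, the ACL contents and the function names are assumptions made for the illustration.

```python
"""Constructed model of the ACL-replacement window discussed in the thread.

Assumed IOS semantics (not taken from the original message):
  * entries are evaluated top down, first match wins;
  * every list ends with an implicit "deny ip any any";
  * an access-group that points at an ACL with no entries permits everything.
"""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ROUTER = "192.0.2.1"   # constructed management address of the router
ADMIN = "10.0.0.5"     # constructed admin host holding the telnet session
PROBE = "203.0.113.9"  # constructed outside host scanning the router


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # CIDR network or "any"
    dst: str = "any"
    dport: Optional[int] = None  # destination port, None = any port


def _matches(e: Entry, proto: str, src: str, dst: str, dport: int) -> bool:
    if e.proto not in ("ip", proto):
        return False
    for want, have in ((e.src, src), (e.dst, dst)):
        if want != "any" and ip_address(have) not in ip_network(want):
            return False
    return e.dport is None or e.dport == dport


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: int) -> bool:
    """True if the packet is permitted by the ACL in its current state."""
    if not acl:          # assumption: an empty/absent ACL filters nothing
        return True
    for e in acl:
        if _matches(e, proto, src, dst, dport):
            return e.action == "permit"
    return False         # implicit "deny ip any any"


def flows_permitted(acl: List[Entry]) -> Tuple[bool, bool]:
    """(admin telnet permitted, outside probe to telnet permitted)."""
    return (evaluate(acl, "tcp", ADMIN, ROUTER, 23),
            evaluate(acl, "tcp", PROBE, ROUTER, 23))


def paste_states(new_acl: List[Entry]) -> List[Tuple[str, bool, bool]]:
    """States the router passes through when the list is wiped and then
    re-entered one line at a time through a terminal session."""
    live: List[Entry] = []
    states = [("no access-list (wipe)", *flows_permitted(live))]
    for e in new_acl:
        live.append(e)
        states.append((f"{e.action} {e.proto} {e.src} {e.dst}", *flows_permitted(live)))
    return states


def atomic_state(new_acl: List[Entry]) -> List[Tuple[str, bool, bool]]:
    """The whole list swapped in one step, with no intermediate state."""
    return [("atomic replace", *flows_permitted(list(new_acl)))]


def exposure_steps(states: List[Tuple[str, bool, bool]]) -> List[str]:
    """Steps during which the outside probe could reach the telnet port."""
    return [label for label, _, probe in states if probe]


def session_kill_step(states: List[Tuple[str, bool, bool]]) -> Optional[str]:
    """First step at which the admin's own telnet session would be dropped."""
    for label, admin, _ in states:
        if not admin:
            return label
    return None


# Constructed replacement list, with the management permit first ...
MGMT_FIRST = [
    Entry("permit", "tcp", "10.0.0.0/24", "any", 23),
    Entry("permit", "udp", "any", "any", 53),
    Entry("deny", "ip", "any"),
]
# ... and the same entries with the management permit pasted second.
MGMT_LAST = [MGMT_FIRST[1], MGMT_FIRST[0], MGMT_FIRST[2]]

if __name__ == "__main__":
    for name, acl in (("mgmt first", MGMT_FIRST), ("mgmt last", MGMT_LAST)):
        s = paste_states(acl)
        print(name, "paste: exposed during", exposure_steps(s),
              "| session killed at:", session_kill_step(s))
    print("atomic: exposed during", exposure_steps(atomic_state(MGMT_FIRST)))
```

Run stand-alone, the model reproduces both claims from the thread: a line-by-line paste always passes through one unfiltered step (the wipe) no matter how the entries are ordered, and whether the admin's own session survives the implicit deny depends only on whether the entry permitting it is pasted first. The atomic replacement shows neither intermediate state, which is the functional difference the reply describes.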
