TFTP server security options
SolarWinds does not recommend usage of Trivial File Transfer Protocol (TFTP) in KCT due to potential security vulnerabilities. If TFTP must be used, it is highly recommended to take precautions and limit its exposure.
To set security options:
- Go to Options > Setup.
- Select the TFTP Server tab.
- Select the Security Options tab.
Option | Description |
---|---|
Global Read | Must be selected for information to be read from the TFTP server. |
Global Write | Must be selected for information to be written to the TFTP server. |
Use Access Lists | The list is used to ascertain the read and write permissions for the IP address in question. Access lists are subordinate to Global Read and Global Write. |
Access List Usage
There are five columns in the access list table:
- Inc|Ex IP Range: Determines whether the IP range specified is to have the Read and Write options applied to it (included), or is to be exempt (excluded) from the Read and Write options, which are then applied to all addresses outside of the range. Exclude is useful for allowing only a limited range of IPs to be read from or written to, because everything outside of the excluded range will have the read/write settings applied to it.
- Start IP: Defines the start of the range of IP addresses to use.
- End IP: Defines the end of the range of IP addresses to use.
- Read and Write: When selected, reading or writing capability is allowed.
The rows in the access list are evaluated in order from the top row down until a match is found.
Access List Example
Inc|Ex IP Range | Start IP | End IP | Read | Write |
---|---|---|---|---|
Exclude | 192.168.1.1 | 192.168.1.100 | | |
Include | 192.168.1.60 | 192.168.1.60 | | |
- The first line in the access list is EXCLUDE. Read and write properties are applied to all addresses outside of the range 192.168.1.1 – 192.168.1.100. In this case anything outside of the excluded range is unable to execute read or write commands on the TFTP server.
  - Attempts to read or write from address 192.168.1.105 would fail.
  - Attempts to read or write from address 192.168.1.98 would succeed.
- The second line in the access list is INCLUDE. Read and write settings will be applied to addresses included in this range. In this case, the range is a single IP address.
  - Attempts to read or write from 192.168.1.60 would fail.
Let us look at the steps that would be traversed if we tried to write to the TFTP server from address 192.168.1.60:
- Global Write is examined. If Global Write is selected, the process continues.
- Use Access Lists is examined. If Use Access Lists is selected, the access list is checked.
- The first row in the access list is examined. 192.168.1.60 is within the excluded range. Consequently, the read or write settings of that row do not apply to it.
- The process continues to the second row of the access list.
- The address 192.168.1.60 is included in the range specified in this row. The write settings are applied, in this case, to not allow writing to the TFTP server.
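As an added example, not SolarWinds code, the decision procedure described above modelled in Python and run against the page's two-row access list. The page does not state what happens when no row applies; the model assumes the global permission then stands, which agrees with the 192.168.1.98 case.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address


@dataclass(frozen=True)
class AccessRow:
    exclude: bool        # True for an "Exclude" row, False for "Include"
    start: IPv4Address   # Start IP column
    end: IPv4Address     # End IP column
    read: bool           # Read checkbox
    write: bool          # Write checkbox

    def contains(self, addr: IPv4Address) -> bool:
        return self.start <= addr <= self.end

    def permits(self, op: str) -> bool:
        return self.read if op == "read" else self.write


def tftp_allowed(op, addr, global_read, global_write, use_access_lists, rows):
    """Decide whether a TFTP read or write from addr is allowed, in the order
    the page gives: global flag, then Use Access Lists, then rows top-down."""
    if op not in ("read", "write"):
        raise ValueError(f"unknown operation {op!r}")
    a = ip_address(addr)
    # 1. The global flag must be selected, otherwise nothing proceeds.
    if not (global_read if op == "read" else global_write):
        return False
    # 2. Without access lists the global flag alone decides.
    if not use_access_lists:
        return True
    # 3. Rows are evaluated from the top down until one applies.
    for row in rows:
        inside = row.contains(a)
        if row.exclude and not inside:
            return row.permits(op)   # Exclude: settings apply OUTSIDE the range
        if not row.exclude and inside:
            return row.permits(op)   # Include: settings apply INSIDE the range
        # Otherwise this row does not apply; move on to the next one.
    # Assumption (not stated on the page): no matching row leaves the global permission in force.
    return True


# The page's example list, constructed here; blank Read/Write cells are False.
EXAMPLE_ROWS = [
    AccessRow(True, ip_address("192.168.1.1"), ip_address("192.168.1.100"), False, False),
    AccessRow(False, ip_address("192.168.1.60"), ip_address("192.168.1.60"), False, False),
]


def example_decision(op, addr):
    # Global Read, Global Write and Use Access Lists all selected, as in the walkthrough
    return tftp_allowed(op, addr, True, True, True, EXAMPLE_ROWS)
```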