Chris Brenton <[EMAIL PROTECTED]> wrote:
>[EMAIL PROTECTED] wrote:
>> I assume (and have the logs to show it) that I'm being scanned and probed
>> constantly.  No, not every instant, but opening even small windows of
>> opportunity is something I prefer not doing.
>
>In that case why are you even using TFTP? There is still a short period
>of time when the device is open.
>
>> As to whether a tftp (or rcp) config load is completely atomic, I cannot say
>
>The functionality is identical. The difference is loading directly from
>the device (TFTP) vs. over the wire (paste through Telnet). In both
>cases you need to wipe the existing access lists and load the new ones.

I don't agree with you.  I have evidence (already posted) that none of the
changes in a tftp-transferred config take effect until they all take effect.

>> When the second command is entered, you also now have the implicit
>> "deny ip any any".  This can be a session killer, including the telnet
>> or tftp session being used to change the configuration.
>
>This would kill Telnet but not TFTP.

Certainly it can kill a tftp session if the update is not atomic.  Take this
list, applied to the inbound interface that your tftp session will be using:

no access-list 100
access-list 100 deny tcp any any eq 25
<possibly other commands>
access-list 100 permit udp host <tftp svr's addr> eq 69 host <router's addr>

If the config update is not simultaneous, as soon as the router activates the
second command the tftp session will die.  I have actually seen this happen
(using telnet, not tftp).  Yes, it's possible to reorder the list (in some
cases) so that you won't see the problem, but the unknowing administrator could
get burnt.  Using tftp there is no problem; ergo, it is essentially atomic.

And if this hits you (losing most of perhaps a large access list), it clearly
could be a security issue, and not one that only exposes you for seconds.

Tony Rall
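As an added illustration (not part of Tony Rall's message or of the thread): a small Python model of first-match access-list evaluation with the implicit "deny ip any any", run over the three commands quoted above. It compares the two update models under discussion, one where each line takes effect as it is entered (the pasted-through-Telnet case) and one where nothing takes effect until the whole list is in place (what the poster observes with a TFTP load). The addresses 192.0.2.10 (TFTP server) and 192.0.2.1 (router), the TFTP packet and the reordered list are constructed for the example; the rule that an access-group pointing at a list with no entries passes all traffic is the modeled IOS behaviour.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Entry:
    action: str               # "permit" or "deny"
    proto: str                # "ip", "tcp" or "udp"
    src: str                  # "any" or a host address
    sport: Optional[int]      # None means any port
    dst: str
    dport: Optional[int]

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src == "any" or self.src == p.src)
                and (self.sport is None or self.sport == p.sport)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: List[Entry], p: Packet) -> str:
    # Modeled IOS semantics: a list with no entries passes everything; once it
    # has at least one entry, first match wins and anything unmatched hits the
    # implicit "deny ip any any".
    if not acl:
        return "permit"
    for e in acl:
        if e.matches(p):
            return e.action
    return "deny"


def parse_command(line: str, acl: List[Entry]) -> List[Entry]:
    """Apply one configuration line to the list and return the new list."""
    tokens = line.split()
    if tokens[:2] == ["no", "access-list"]:
        return []                       # "no access-list 100" wipes the list
    if tokens[:1] != ["access-list"]:
        raise ValueError(f"unsupported command: {line}")
    # access-list <num> <action> <proto> <src> [eq <port>] <dst> [eq <port>]
    _, _, action, proto, *rest = tokens

    def take_addr(r):
        return (r[1], r[2:]) if r[0] == "host" else (r[0], r[1:])

    def take_port(r):
        return (int(r[1]), r[2:]) if r and r[0] == "eq" else (None, r)

    src, rest = take_addr(rest)
    sport, rest = take_port(rest)
    dst, rest = take_addr(rest)
    dport, rest = take_port(rest)
    return acl + [Entry(action, proto, src, sport, dst, dport)]


def apply_line_by_line(commands: List[str], session: Packet) -> Optional[int]:
    """Pasted-through-Telnet model: each line takes effect as it is entered.
    Returns the 1-based index of the first command after which the session's
    packets are dropped, or None if the session survives the whole sequence."""
    acl: List[Entry] = []
    for i, cmd in enumerate(commands, 1):
        acl = parse_command(cmd, acl)
        if evaluate(acl, session) == "deny":
            return i
    return None


def apply_atomic(commands: List[str], session: Packet) -> str:
    """TFTP-load model as described in the thread: only the final list is ever
    evaluated, so the intermediate states cannot cut the session off."""
    acl: List[Entry] = []
    for cmd in commands:
        acl = parse_command(cmd, acl)
    return evaluate(acl, session)


# Constructed sample: the list from the message with placeholder addresses
# filled in, and an inbound TFTP packet matching its permit entry.
COMMANDS = [
    "no access-list 100",
    "access-list 100 deny tcp any any eq 25",
    "access-list 100 permit udp host 192.0.2.10 eq 69 host 192.0.2.1",
]
REORDERED = [COMMANDS[0], COMMANDS[2], COMMANDS[1]]   # permit entered first
TFTP_REPLY = Packet("udp", "192.0.2.10", 69, "192.0.2.1", 5050)

if __name__ == "__main__":
    print("line by line, dies after command:", apply_line_by_line(COMMANDS, TFTP_REPLY))
    print("line by line, reordered:", apply_line_by_line(REORDERED, TFTP_REPLY))
    print("atomic load:", apply_atomic(COMMANDS, TFTP_REPLY))
```

Run as written, the line-by-line model reports the session dying right after the second command (the one that first gives the list an entry and so activates the implicit deny), the reordered list survives, and the atomic model permits the session because only the complete list is ever consulted. The first case is exactly the mid-update exposure the message warns about: between the wipe and the last line the router is running a partial list, and if the update never completes it keeps running it.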

