Re: Still no TFTP client?



Bob Koehler wrote:
In article <462dd4a2@xxxxxxxxxxxx>, Mark Berryman <mark@xxxxxxxxxxxxxxxx> writes:
1. You know the full filename.
2. You are coming from one of the addresses the TFTP server is willing to talk to.

So security depends on: name obscurity and lack of address spoofing.
IMHO the first is almost as good as password obscurity, but less
resistant to guessing and the latter is just a lack of effort on
the part of a hacker.

Not really. Remember, this is in an internal environment where the infrastructure is controlled. Spoofing addresses in this environment is about as close to impossible as one can get since no router on the network will accept a packet with a source address that is not legitimate for the interface the packet is entering. This means, among other things, that the addresses the TFTP server allows for communication with routers are not legitimate for any host and no host can reach the TFTP server trying to spoof one of those addresses.

Of course, that's better than no security. I've seen products which
provide a totally insecure FTP service.

As have I. FTP requires a username and password to be exchanged in the clear. This usually means it is either a legitimate account on the system or anonymous FTP. If the former, you now have credentials that can be used to attack the host using several different methods. If the latter, you have the problem that most anonymous FTP servers are not set up to disallow the ability to get a directory listing. For the type of service under discussion, TFTP can be at least as, and possibly more, secure than FTP.

Show me anybody who attacks "security by obscurity" and I'll wonder
where they publish their passwords.

Therein lies the challenge. Figure out what file(s) you can write to and what file(s) you can read from and I lose the bet. Otherwise, the claim that TFTP is so insecure that no one should ever use it becomes a little silly. (If someone wanted to claim that it should only be used carefully, that would be entirely different.)

So how many file name guesses do I get before the TFTP server goes
into evasion? I think we both know the answer.

Not too many, albeit more than just 1 or 2.

This is not meant to be hostile questioning, I just wanted to get the
facts straight and make sure there wasn't some hidden feature of TFTP
I hadn't tripped across.

The security features built into TFTP itself are pretty much as I listed in my original message (except that the name translation table can also be used to provide some filename security (to a small extent)). The rest is just standard network security.

Mark Berryman
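
The three server-side controls discussed in this post (a source-address allowlist, exact full-filename matching with no listing, and a cap on wrong guesses before the server goes into evasion), as an added example that is not part of the original post or of any TFTP server's own code. The class and function names, the `192.0.2.0/28` range, the file names and the threshold of 3 misses are constructed assumptions; the request layout (2-byte opcode, filename, NUL, mode, NUL) is the one defined in RFC 1350, and the allowlist is only meaningful if routers reject spoofed sources as described above.

```python
import ipaddress
import struct
from collections import defaultdict

RRQ, WRQ = 1, 2  # TFTP read/write request opcodes (RFC 1350)

def build_request(opcode, filename, mode="octet"):
    """Build a constructed RRQ/WRQ packet for the demo."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"

def parse_request(packet):
    """Parse an RRQ/WRQ: 2-byte opcode, filename NUL, mode NUL."""
    if len(packet) < 4:
        raise ValueError("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (RRQ, WRQ):
        raise ValueError("not a read or write request")
    parts = packet[2:].split(b"\0")
    if len(parts) < 3 or not parts[0] or not parts[1]:
        raise ValueError("malformed request")
    return opcode, parts[0].decode("ascii"), parts[1].decode("ascii").lower()

class TftpGate:
    def __init__(self, allowed_nets, readable, writable, max_misses=3):
        self.nets = [ipaddress.ip_network(n) for n in allowed_nets]
        self.readable, self.writable = set(readable), set(writable)
        self.max_misses = max_misses  # assumed value; the post gives no number
        self.misses = defaultdict(int)

    def decide(self, src_ip, packet):
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.nets):
            return "drop:source"        # not an address the server talks to
        if self.misses[src_ip] >= self.max_misses:
            return "drop:evasion"       # too many bad guesses from this peer
        try:
            opcode, name, _mode = parse_request(packet)
        except ValueError:              # also covers non-ASCII file names
            self.misses[src_ip] += 1
            return "drop:malformed"
        allowed = self.readable if opcode == RRQ else self.writable
        if name not in allowed:         # exact full name only, no listing
            self.misses[src_ip] += 1
            return "deny:unknown-file"
        return "read" if opcode == RRQ else "write"

if __name__ == "__main__":
    gate = TftpGate(["192.0.2.0/28"], ["rtr1-confg"], ["rtr1-backup.cfg"])
    print(gate.decide("192.0.2.5", build_request(RRQ, "rtr1-confg")))
    print(gate.decide("198.51.100.7", build_request(RRQ, "rtr1-confg")))
```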
