
Managing Files Using TFTP

Overview

TFTP transmits data in cleartext and does not provide authorization and authentication functions, posing security risks and leaving the device vulnerable to network viruses and attacks. To mitigate these risks, take the following measures:

  • Impose application limitations.

    TFTP does not support authentication and is an insecure file transfer protocol. Therefore, devices can function only as TFTP clients, and cannot function as TFTP servers.

    As managing TFTP clients requires level-3 management commands, only users with management rights can perform operations on device files through TFTP.

  • Configure TFTP server ACL rules.

    You can configure TFTP server ACL rules in the system view to limit the IP addresses of TFTP servers that can access the corresponding device.

  • Configure source interfaces.

    You can configure the source interfaces supported by the TFTP client to limit the access range and improve device security.

Impact on the System

None

Procedure

  • Configure TFTP access control.
    1. In the ACL view, configure ACL rules to control the TFTP servers that can access the local device.

      system-view
      acl [ number ] acl-number
      rule [ rule-id ] { deny | permit } protocol [ destination { destination-ip-address destination-wildcard | any } | source { source-ip-address source-wildcard | any } | time-range time-name | dscp dscp ]
      quit

    2. Apply the preceding ACL rules.

      tftp-server [ ipv6 ] acl acl-number

  • Configure source interfaces.

    tftp client-source { -a source-ip-address | -i interface-type interface-number }
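    The following annotated session is an added example, not part of the Huawei documentation; it walks the two steps above end to end and then checks the result. The ACL number 3001, the server address 192.0.2.10 and the source interface LoopBack 0 are assumed sample values, and lines starting with # are notes rather than commands.

```text
# Assumed values: advanced ACL 3001, trusted TFTP server 192.0.2.10, source LoopBack 0.
<HUAWEI> system-view
[HUAWEI] acl number 3001
# Permit only the designated TFTP server (wildcard 0 = exact host match).
[HUAWEI-acl-adv-3001] rule 5 permit udp source 192.0.2.10 0
# Explicitly deny every other source so the outcome does not rely on default behaviour.
[HUAWEI-acl-adv-3001] rule 10 deny udp
[HUAWEI-acl-adv-3001] quit
# Apply the ACL so the TFTP client only exchanges files with permitted servers.
[HUAWEI] tftp-server acl 3001
# Pin the client to one source address; upstream filters then only need to allow that address.
[HUAWEI] tftp client-source -i loopback 0
# Confirm the source interface and ACL binding took effect.
[HUAWEI] display tftp-client
```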

Checking the Security Hardening Result

Run the display tftp-client command to check the configuration of the TFTP client.

Copyright © Huawei Technologies Co., Ltd.