What alternatives exist to using TFTP in setup
I'm looking for a way to set up clients in a network and have used TFTP so far. Messing around with the server, I was able to do a path traversal with something like GET asdf/../../../../windows/win.ini. For this and other security considerations I'd like to switch to something more secure.
As far as I know, setting up clients with PXE over the network always uses DHCP and TFTP to download the images. I've seen the possibility to run the TFTP service in a chrooted environment or filter incoming traffic on port 69 to make it more secure. I'm not too fond of this, because I think there should be a better way than deactivating the service or filtering traffic. Also it'd be nice to get away from TFTP completely. Are there any other alternatives under Windows?
windows tftp
In the beginning of your post you sound like you want to exchange the TFTP protocol with a more secure solution. Later in the post you sound like you are only looking for a way to secure TFTP without replacing it. What do you want to do?
– replay
Feb 22 '13 at 8:50
If there is a solution that I can make TFTP more secure I'm happy. If there is a solution that uses a more secure protocol I'd be happier. :)
– user857990
Feb 22 '13 at 9:04
What are the assets you are trying to protect, and what are the threats you are trying to protect them from?
– Michael Hampton♦
Feb 22 '13 at 11:27
@MichaelHampton Just commented on the answer below.
– user857990
Feb 22 '13 at 11:40
1
Welcome to Server Fault. It's better to edit your question when providing additional details, as many people will not see the comments (e.g. on the mobile site) or will skip over them. Editing also bumps your question to the top of the homepage again, while leaving a comment does not.
– Michael Hampton♦
Feb 22 '13 at 11:43
asked Feb 22 '13 at 8:13 by user857990, edited Feb 22 '13 at 12:09
1 Answer
What is the security concern?
Is your concern that the TFTP server might get hacked and the system abused for something else? Then something like a chroot solution would make the most sense.
Is your concern that the TFTP server might get hacked and the images that it distributes modified? Then the best thing to do would be to run the TFTP server process as a user which has no filesystem permissions to modify these image files. Furthermore, many TFTP servers can be started in read-only mode.
Or is your concern that somebody else is going to put a DHCP server in your network and start distributing his own images via TFTP to your clients? Then you will probably need to think about using a solution other than PXE boot.
You also talk about filtering traffic. I think the question of whether filtering makes sense depends heavily on your case. If you have only a limited number of valid clients, you can probably create something like a whitelist of IPs that can connect in iptables. Otherwise, if you have more like millions of clients (e.g. an ISP distributing ROMs for modems), filtering will be harder.
Read/write permission is a valid point. Messing around with the server I was able to do a path traversal with something like GET asdf/../../../../windows/win.ini, which is actually my concern and what I would like to prevent.
– user857990
Feb 22 '13 at 11:38
It would probably be possible to prevent such things via some settings in the TFTP server. But the absolute safest way to prevent this from happening is to put it into a chroot.
– replay
Feb 22 '13 at 11:52
I edited my original question. Hope it makes things clearer.
– user857990
Feb 22 '13 at 12:13
answered Feb 22 '13 at 9:16 by replay
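The kind of check a TFTP server has to make before opening a requested file, as an added example that is not part of the original thread or of any particular server's code: it parses a read/write request (RFC 1350 layout), refuses writes, and confines the filename to the image root, so the asdf/../../../../windows/win.ini request from the question is rejected. The function names and the sample packets are constructed for illustration; a chroot or a low-privilege service account, as suggested in the answer, still applies on top of this.

```python
import os
import struct

OP_RRQ, OP_WRQ = 1, 2  # TFTP opcodes for read and write requests


class Rejected(Exception):
    """Request refused before any file is opened."""


def parse_request(packet: bytes):
    """Parse an RRQ/WRQ: 2-byte opcode, filename, NUL, mode, NUL."""
    if len(packet) < 4:
        raise Rejected("short packet")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in (OP_RRQ, OP_WRQ):
        raise Rejected("not a read or write request")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0]:
        raise Rejected("malformed request")
    try:
        filename = fields[0].decode("ascii")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII filename")
    return opcode, filename, fields[1].decode("ascii", "replace").lower()


def resolve(root: str, opcode: int, filename: str) -> str:
    """Map a requested filename to a path inside root, or raise Rejected."""
    if opcode == OP_WRQ:
        raise Rejected("server is read-only")
    # Treat both separators alike, whatever OS the server runs on.
    name = filename.replace("\\", "/")
    if ":" in name:
        raise Rejected("drive or stream specifier")
    # A leading "/" is taken as relative to root, never to the real filesystem.
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise Rejected("empty or traversing path")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    # realpath follows links, so a link pointing out of root is caught here.
    try:
        inside = os.path.commonpath([root_real, candidate]) == root_real
    except ValueError:  # e.g. different drives on Windows
        inside = False
    if not inside:
        raise Rejected("escapes root via link")
    return candidate


def handle(root: str, packet: bytes):
    """Return ("allow", path) or ("deny", reason) for one request packet."""
    try:
        opcode, filename, _mode = parse_request(packet)
        return "allow", resolve(root, opcode, filename)
    except Rejected as exc:
        return "deny", str(exc)


if __name__ == "__main__":
    import tempfile

    root = tempfile.mkdtemp()  # constructed, empty image root for the demo
    for name in ("boot/pxelinux.0", "asdf/../../../../windows/win.ini"):
        # Constructed RRQ packet in octet mode
        pkt = struct.pack("!H", OP_RRQ) + name.encode() + b"\x00octet\x00"
        print(name, "->", handle(root, pkt))
```
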