AIX


NIM & tftp

  • 1.  NIM & tftp

    Posted Thu July 16, 2009 10:57 AM

    Originally posted by: Kyne


    I know that the NIM uses the bootpd (BOOT Protocol) and tftpd (Trivial File Transfer Protocol) daemons (services).

    Is it possible not to use the tftp and use a more secure Protocol?

    Thanks.
    #AIX-Forum


  • 2.  Re: NIM & tftp

    Posted Thu July 16, 2009 11:12 AM

    Originally posted by: tony.evans


    Not sure if you can use something other than TFTP, but I'm wondering which element of the security concerns you?
    #AIX-Forum


  • 3.  Re: NIM & tftp

    Posted Thu July 16, 2009 11:15 AM

    Originally posted by: Kyne


    In our organization, they don't want us to use tftp for "security reason"...

    So if we want to use NIM , we have to find an alternative...
    #AIX-Forum


  • 4.  Re: NIM & tftp

    Posted Thu July 16, 2009 11:16 AM

    Originally posted by: unixgrl


    I'd like to hear the answer to this one. I've already had our security team disable tftp on my NIM servers per corporate policy. I've since received a waiver but our standards don't want to allow it.
    #AIX-Forum


  • 5.  Re: NIM & tftp

    Posted Thu July 16, 2009 11:17 AM

    Originally posted by: Montecarlo


    As far as I'm aware, when installing a system, the bootp and tftp requests are initiated by ethernet adapter microcode. There might not be enough space or intelligence in the microcode to run a smarter protocol.
    Regards, Simon
    #AIX-Forum


  • 6.  Re: NIM & tftp

    Posted Thu July 16, 2009 03:22 PM

    Originally posted by: shargus


    We have the same problem here.

    The only solution I can think of is to disable tftpd (and bootpd too) until you need it to boot a server across the network.
    When you are done, turn it back off again.

    It's only needed for the initial boot of the server across the network.
    #AIX-Forum


  • 7.  Re: NIM & tftp

    Posted Thu July 16, 2009 06:23 PM

    Originally posted by: shargus


    You might also look into ipsec to restrict tftp and bootp to just your AIX servers, if possible.
    #AIX-Forum


  • 8.  Re: NIM & tftp

    Posted Fri July 17, 2009 03:32 AM

    Originally posted by: tony.evans


    Yeh basically use bootps and tftp but use other tools to restrict access to them, to known sources.

    bootps with NIM already does this to some extent, it won't respond unless there's anything in bootptab anyway. tftp you can use /etc/tftpaccess.ctl to limit the files it can be used to request which in my view makes it pretty secure anyway, but ipsec or other tools could further control that.
    #AIX-Forum


  • 9.  Re: NIM & tftp

    Posted Fri July 17, 2009 03:41 AM

    Originally posted by: Montecarlo


    I think that security may be overreacting as far as bootp and tftp are concerned.
    What are the real risks?
    By default, the /etc/tftpaccess.ctl only permits read access to the /tftpboot directory which contains boot images and scripts. Seeing that these files cannot be written by tftp (unless the default config has been changed) the biggest risk is some fairly trivial information leakage.
    The bootpd daemon's behaviour is controlled by the /etc/bootptab file. Last time I checked, bootpd would ignore bootp requests from any mac address not in the bootptab. I've seen daemon.* syslog entries reporting bootp requests from hosts not in the bootptab when there were badly configured non-aix devices on the network. Typically these requests made little or no difference to the cpu usage of the bootpd daemon. Most of the syslog entries report "exiting after 15 minutes of inactivity".
    I think that if the bad guys have access to your network that there are more fruitful attack targets than bootp and tftp services.
    Regards, Simon
    I'd be interested to hear what real risk bootp or tftp expose.
    #AIX-Forum
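
Added example, not part of any post in this thread: a shell check that compares a `tftpaccess.ctl`-style file with the baseline the posters describe (access limited to `/tftpboot`). It assumes rules are lines beginning `allow:` or `deny:` and that other lines are ignored; `audit_tftpaccess` is a hypothetical helper name and the sample file is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): compare a tftpaccess.ctl-style file
# with the baseline the posters describe, i.e. access limited to /tftpboot.
# Assumption: rules are lines beginning "allow:" or "deny:"; others ignored.
# audit_tftpaccess is a hypothetical helper name.
audit_tftpaccess() {
    ctl=$1; base=${2:-/tftpboot}; findings=0; allows=0
    if [ ! -f "$ctl" ]; then
        echo "FAIL: $ctl not found, so no allow:/deny: rules are in place"
        return 2
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            allow:*)
                path=${line#allow:}; allows=$((allows + 1))
                case $path in
                    *..*) echo "WARN: allow path contains '..': $path"
                          findings=$((findings + 1)) ;;
                    "$base"|"$base"/*) echo "ok:   allow $path" ;;
                    *)    echo "WARN: allow outside $base: $path"
                          findings=$((findings + 1)) ;;
                esac ;;
            deny:*) echo "ok:   deny ${line#deny:}" ;;
        esac
    done < "$ctl"
    if [ "$allows" -eq 0 ]; then
        echo "WARN: no allow: rule; expected allow:$base"
        findings=$((findings + 1))
    fi
    echo "$findings deviation(s) from the $base baseline"
    [ "$findings" -eq 0 ]
}

# Constructed sample: the NIM-style baseline plus one rule added later.
sample=${TMPDIR:-/tmp}/tftpaccess.sample.$$
cat > "$sample" <<'EOF'
# NIM access for network boot
allow:/tftpboot
allow:/home/build/images
EOF
audit_tftpaccess "$sample" || echo "review $sample before enabling tftpd"
rm -f "$sample"
```

The function returns 0 only when every `allow:` rule stays under the baseline directory, so it can gate a job that re-enables tftpd for an install window.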


  • 10.  Re: NIM & tftp

    Posted Fri July 17, 2009 07:06 AM

    Originally posted by: CRM


    Security should be a balance between making something secure whilst still making it functionally usable.

    Your security team will have to accept that TFTP and NFS are needed for installs, this is not just AIX as I understand it but the Solaris, Linux and other OS tools use exactly the same protocols.

    If your security team are immovable on this then you may need to implement some compromise such as a dedicated management LAN that you can use for installs and restrict access to this using tcp wrappers or the IP filters in AIX 5.3 TL5 +.

    I think the above poster has hit the reason for using TFTP, the bootp and other install activities are done in system firmware and there is not enough room to spin up a secure sftp or similar session.

    It might be useful to work out how much the cost is between a manual install (travel, time etc) and a network install and present this to the security team for comment.

    regards

    Chris
    #AIX-Forum


  • 11.  Re: NIM & tftp

    Posted Fri July 17, 2009 10:10 AM

    Originally posted by: unixgrl


    I think we all know our security teams will have to accept tftp for netboot servers. Operationally, however, if we can find another method they are happy with, everyone wins. My NIM server had tftp turned off via some automation run by the security team that I didn't have visibility to.

    We're all just trying to avoid being hassled by security teams. Even when they agree to waivers, the automation they use to alert or auto-remediate doesn't know about the waivers.

    If there is no alternative to tftp today, we just want to know that IBM is thinking about this in the future.
    #AIX-Forum


  • 12.  Re: NIM & tftp

    Posted Fri July 17, 2009 11:09 AM

    Originally posted by: Montecarlo


    The problem I have with a lot of security requirements is their validity.
    As I said earlier, I don't see the real risk in running tftp or bootp. I'd really like to understand what security teams see as the risk inherent in running these two services on a nim server.
    Does anyone have any information?
    Regards, Simon
    #AIX-Forum


  • 13.  Re: NIM & tftp

    Posted Mon July 20, 2009 11:10 AM

    Originally posted by: Kyne


    And what about nimsh?

    Does it exclude the use of tftp if we use nimsh? ...
    #AIX-Forum


  • 14.  Re: NIM & tftp

    Posted Tue July 21, 2009 08:10 AM

    Originally posted by: tony.evans


    nimsh is the protocol nim uses to control NIM clients.

    Booting machines to be built from NIM or booting diskless machines still requires the use of bootps and tftp.

    There isn't any way to avoid those protocols that I'm aware of and I agree with other people that the security risks are probably minimal. However, more than ever these days, security is about appearing to be compliant rather than caring if your settings have any real impact, so the security bean counters just tell you to turn stuff off without any real consideration of the impact.

    There are tools to mitigate the impact of using those services which you can use to negotiate with the security folk, such as the tftp control file, ipfilters, etc., etc.

    Booting clients on the network requires DHCP or BOOTPS, and booting from a shared resource requires TFTP, you just need to explain it to your security people in a way they understand.
    #AIX-Forum


  • 15.  Re: NIM & tftp

    Posted Tue July 21, 2009 10:38 AM

    Originally posted by: eckertd


    It's always a hard sell to the security/compliance folks. We came to an 'understanding' with ours to have a FW rule(s) that can be applied on-demand for short durations with no resistance. They agreed to open up the ports on a point-to-point basis, not opening the entire segment(s), and we agreed that they would only keep the rule in place for 10 days after enabling. A small price to pay to be able to get our work done.
    #AIX-Forum


  • 16.  Re: NIM & tftp

    Posted Tue July 21, 2009 07:16 PM

    Originally posted by: dukessd


    Fine, until you have a major DR rebuild on your hands at 3am on a Sunday morning, and then where will the security bods be? Tucked up in bed with their pagers and mobile phones switched off.

    Ensure you can escalate the problem to ensure you can open up the network on demand, security should not be the people holding the company's operational ability to ransom when it all goes wrong because of something like a power cut!
    #AIX-Forum