Configuration file handling task list
SmartWare Software Configuration Guide
6 • Configuration file handling
Encrypted file download
This section explains how configuration files can be transported encrypted over IP.
TFTP as a configuration download mechanism has the advantage of being extremely simple (trivial) and
applicable in any network without any requirements for specialized management servers or applications. It has
the disadvantage of being completely insecure.
The security hole of downloading complete configurations (which may contain IP addresses, login names,
etc.) using TFTP becomes particularly pressing in combination with the auto-provisioning feature, which
allows large-scale distribution of configurations in entire networks.
To alleviate this problem and maintain the simplicity of TFTP downloads, support for encrypted configuration
file downloads is introduced.
Goal:
Prevent maliciously intercepted configurations from being readable by unauthorized users.
Pre-requisites:
Only authorized users have configuration access to the SmartNode. The configurations can be
stored in plain form on the SmartNode. SNMP Write Access shall be restricted by means of communities and
ACLs to prevent unauthorized SNMP initiated configuration downloads. Telnet access shall be restricted by
means of credentials and ACLs.
Encrypted Configuration Download
An external encryption tool on the PC is used to encrypt the configuration file:
enctool encrypt <plain-config-file> <enc-config-file> [<key>]
The encrypted configuration file can then be downloaded with TFTP, triggered by:
• The CLI copy command:
  copy tftp://<host>/<path> <config-file>
• Auto provisioning
• SNMP
• HTTP
On the SmartNode, the encryption is detected and the configuration file is automatically decrypted before
being stored to flash.
A custom encryption key can be:
• Downloaded to the SmartNode
• Specified with the PC encryption tool
The encryption key may include the MAC address and/or serial number of the SmartNode using the
placeholders $(system.mac) and $(system.serial) respectively.
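The following added example, which is not part of the guide or of the vendor's tooling, builds one enctool invocation per device from a key template containing the placeholders above and refuses templates that would give two devices the same key. It assumes the PC-side tool needs the literal values, that the inventory strings match exactly what the SmartNode substitutes for each placeholder, and that the inventory and file names are constructed for illustration.

```python
import re
import shlex

# Placeholders named in the guide; the SmartNode substitutes its own values.
PLACEHOLDER = re.compile(r"\$\((system\.mac|system\.serial)\)")

# Constructed inventory. The text format of MAC and serial is an assumption
# and must match what the device substitutes, or decryption will fail.
INVENTORY = [
    {"name": "node-a", "system.mac": "020000000001", "system.serial": "SN0001"},
    {"name": "node-b", "system.mac": "020000000002", "system.serial": "SN0002"},
]


def expand_key(template, device):
    """Replace each placeholder with this device's value; fail on missing data."""
    def substitute(match):
        value = device.get(match.group(1))
        if not value:
            raise KeyError(f"{device.get('name')}: no value for {match.group(0)}")
        return value
    return PLACEHOLDER.sub(substitute, template)


def plan_encryption(template, inventory):
    """Return one enctool argv per device, rejecting keys shared by two devices."""
    seen = {}
    plans = []
    for device in inventory:
        key = expand_key(template, device)
        if key in seen:
            # A template without placeholders means one intercepted key
            # would decrypt every device's configuration.
            raise ValueError(f"{device['name']} and {seen[key]} would share a key")
        seen[key] = device["name"]
        plain = f"{device['name']}.cfg"  # hypothetical file naming
        # Argument order follows the guide:
        # enctool encrypt <plain-config-file> <enc-config-file> [<key>]
        plans.append(["enctool", "encrypt", plain, plain + ".enc", key])
    return plans


if __name__ == "__main__":
    for argv in plan_encryption("site-$(system.mac)-$(system.serial)", INVENTORY):
        print(shlex.join(argv))
```

The printed command lines contain the keys, so treat the output, shell history and process listings on the encrypting PC as sensitive.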
An encrypted configuration file can be uploaded to a TFTP server on request, specifying the encrypted flag:
copy <config-file> tftp://<host>/<path> encrypted
On the PC the encryption tool can be used to decrypt the file: