SmartWare Software Configuration Guide

6 • Configuration file handling


(Figure: startup-config, factory-config)

Encrypted file download

This section explains how configuration files can be transported encrypted over IP.

TFTP as a configuration download mechanism has the advantage of being extremely simple (trivial) and applicable in any network, without any requirement for specialized management servers or applications. It has the disadvantage of being completely insecure.

The security hole of downloading complete configurations (which may contain IP addresses, login names, etc.) using TFTP becomes particularly pressing in combination with the auto-provisioning feature, which allows large-scale distribution of configurations across entire networks.

To alleviate this problem while maintaining the simplicity of TFTP downloads, support for encrypted configuration file downloads is introduced.

Goal: Prevent maliciously intercepted configurations from being readable by unauthorized users.

Prerequisites:

- Only authorized users have configuration access to the SmartNode.
- The configurations can be stored in plain form on the SmartNode.
- SNMP write access shall be restricted by means of communities and ACLs to prevent unauthorized SNMP-initiated configuration downloads.
- Telnet access shall be restricted by means of credentials and ACLs.

Encrypted Configuration Download

An external encryption tool on the PC is used to encrypt the configuration file:

enctool encrypt <plain-config-file> <enc-config-file> [<key>]

The encrypted configuration file can then be downloaded with TFTP, triggered by one of:

- the CLI copy command: copy tftp://<host>/<path> <config-file>
- auto provisioning
- SNMP
- HTTP

On the SmartNode the encryption is detected and the configuration file is automatically decrypted before it is stored to flash.

A custom encryption key can be:

- downloaded to the SmartNode
- specified with the PC encryption tool

The encryption key may include the MAC address and/or serial number of the SmartNode using the placeholders $(system.mac) and $(system.serial) respectively.
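As an added illustration, not Patton's enctool or its file format, the Go program below shows what the per-device placeholders buy you: one key template is expanded with each SmartNode's MAC address and serial number, a key is derived from the result, and a configuration encrypted for one device does not decrypt under another device's key. The KDF (SHA-256), the cipher (AES-256-GCM), the template string and the device identities are all assumptions or constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// NewConfigCipher fills in the $(system.mac) and $(system.serial) placeholders the
// guide describes, so one template yields a distinct key per SmartNode, then derives an
// AES-256-GCM AEAD from it. Assumption: SHA-256 and AES-GCM stand in for enctool's real KDF and cipher.
func NewConfigCipher(template, mac, serial string) (cipher.AEAD, error) {
	expanded := strings.NewReplacer("$(system.mac)", mac, "$(system.serial)", serial).Replace(template)
	key := sha256.Sum256([]byte("smartnode-config-key:" + expanded))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a plaintext config; the random nonce is prepended to the ciphertext.
func Encrypt(aead cipher.AEAD, plain []byte) ([]byte, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plain, nil), nil
}

// Decrypt reverses Encrypt. A config encrypted for one device fails the GCM tag
// check under another device's key, as does a file modified in transit.
func Decrypt(aead cipher.AEAD, enc []byte) ([]byte, error) {
	if n := aead.NonceSize(); len(enc) >= n {
		return aead.Open(nil, enc[:n], enc[n:], nil)
	}
	return nil, errors.New("encrypted config too short")
}

func main() {
	a, _ := NewConfigCipher("site-$(system.mac)", "00:A0:BA:01:02:03", "SN-A") // constructed sample
	b, _ := NewConfigCipher("site-$(system.mac)", "00:A0:BA:04:05:06", "SN-B")
	enc, _ := Encrypt(a, []byte("login admin\n"))
	_, err := Decrypt(b, enc)
	fmt.Println("device B can read A's config:", err == nil) // false
}
```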

An encrypted configuration file can be uploaded to a TFTP server on request, specifying the encrypted flag:

copy <config-file> tftp://<host>/<path> encrypted

On the PC the encryption tool can be used to decrypt the file:

Patton electronic SmartNode 4110 Series manual Encrypted file download, Encrypted Configuration Download, Auto provisioning