> Someone has told me that there might be a bug in that release of FW-1
> dealing with FTP traffic and its "stateful packet firewall" feature, i.e.,
> just when the FTP connection is about to be opened the firewall must find
> out which port is being used for the data and open it. Could someone from
> the "outer world" make the FW-1 believe that a certain port is the one it
> is expecting and let the intruder use it? (I do not think it is an easy
> task to be accomplished, but there are quite powerful tools "floating" out
> there and also people with a lot of spare time).
 
> Does an upgrade to the next release solve the problem (if it exists)? Any
> help would be appreciated.

Not yet. Checkpoint did release a patch for this issue, but that did
not fix the problem, only made it a little bit more difficult to exploit.

The problem, however, only exists if you run an FTP server inside your
DMZ (i.e. behind your firewall) that the firewall should protect from
arbitrary ports.

This attack can create statetable entries with remote address, remote
and local port and on FW-1 v3.x even with local address of the attacker's
choice. FW-1 v4.x seems to limit the local address to that of the FTP server.

The only workaround currently available is to disable PASV FTP through your
firewall.

Note: if you do not run a PASV-supporting FTP server inside your DMZ or LAN,
you are not vulnerable from the outside.
(Your internal users might still exploit this if you do not use an FTP proxy.)
FTP proxies usually come bundled with HTTP proxies.

Let me note that this problem is not Checkpoint FW-1 specific, rather
a systematic problem with the PASV capabilities of the FTP protocol.

All stateful, FTP-PASV supporting firewalls are vulnerable if they
do not completely reconstruct and audit the FTP traffic (get a bunch of extra
CPUs and GB RAM if you do ;-)

If you offer file access service, consider forcing your clients to either
use non-PASV FTP (most advanced clients can do it) or use HTTP.

Or harden your FTP server (i.e. disable all other services/ports besides the ftpd).

[I do not claim either way is good, or even acceptable, but these are the
alternatives.]
 
> Thanks in advance,

Juergen.

-- 
Juergen P. Meier                        email: [EMAIL PROTECTED]
Class GmbH Firmengruppe                 phone: +49 172 8379103
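As an added illustration of the "completely reconstruct and audit the FTP traffic" option mentioned in the reply above (example code written here, not from the list post, from Check Point, or from any firewall product): the kind of check a stateful firewall can apply to each fully reassembled control-channel reply before it opens a data-port pinhole. The function names, the PASV port range and the sample reply lines are assumed or constructed for the example.

```python
import re
from ipaddress import ip_address

# A PASV reply only counts if it is a complete "227 ... (h1,h2,h3,h4,p1,p2)"
# line anchored at line start; anything else is treated as ordinary data.
PASV_RE = re.compile(
    r"^227 [^(]*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)

def audit_pasv_reply(line, ftp_server_ip, pasv_range=(1024, 65535)):
    """Decide whether one reassembled reply line may open a data pinhole.

    Returns (allowed, reason, (ip, port) or None). The advertised address
    must be the FTP server the client is actually talking to (the FW-1 v4.x
    behaviour described above) and the port must be inside the server's
    configured PASV range (an assumed site setting, not a protocol rule).
    """
    m = PASV_RE.match(line)
    if not m:
        return False, "not a complete 227 reply", None
    a, b, c, d, p1, p2 = (int(x) for x in m.groups())
    if max(a, b, c, d, p1, p2) > 255:
        return False, "octet out of range", None
    ip = f"{a}.{b}.{c}.{d}"
    port = p1 * 256 + p2
    if ip_address(ip) != ip_address(ftp_server_ip):
        return False, f"advertised address {ip} is not the FTP server", (ip, port)
    lo, hi = pasv_range
    if not lo <= port <= hi:
        return False, f"port {port} outside configured PASV range", (ip, port)
    return True, "ok", (ip, port)

def audit_session(reply_lines, ftp_server_ip, pasv_range=(1024, 65535)):
    """Audit every reassembled server reply line of one control session."""
    return [audit_pasv_reply(l, ftp_server_ip, pasv_range) for l in reply_lines]

# Constructed sample replies from a DMZ FTP server at 192.0.2.10 (TEST-NET).
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,19,137)",    # genuine: port 5001
    "227 Entering Passive Mode (192,0,2,10,0,23)",      # port 23: below range
    "227 Entering Passive Mode (198,51,100,7,19,137)",  # address is not the server
    "227 Entering Passive Mode (192,0,2,10,19",         # truncated, not reassembled
]

if __name__ == "__main__":
    for line, (ok, why, ep) in zip(SAMPLE_REPLIES, audit_session(SAMPLE_REPLIES, "192.0.2.10")):
        print(f"{'OPEN ' if ok else 'DENY '} {ep} {why}: {line}")
```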