At 10:17 AM 2/29/00 +0100, Jor wrote:
>Let me note that this problem is not Checkpoint FW-1 specific, rather
>a systematic problem with the PASV capabilities of the FTP protocol.
>
>All Stateful, FTP-PASV supporting firewalls are vulnerable, if they
>do not completely reconstruct and audit the FTP traffic (get a bunch of extra
>CPUs and GB RAM if you do ;-)
This is, by the way, one of the kinds of problems cited by those of us who
believe that stateful inspection firewalls are generally insufficient for
serious security. Every time you read marketing literature about how a
Firewall-1 firewall is "application aware", think about this. Every time you
read about all of the services that are "handled" by the firewall, think
about this. This is the sort of thing that is difficult to get right in a
packet screening firewall unless you are dedicated to rewriting TCP/IP in
the content filtering engine.
Everything is simpler and easier with a stateful inspection firewall,
including shooting oneself in the foot.
Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/