
List:       fwtk-users
Subject:    Re: ftp-gw on dmz zone of Checkpoint Firewall
From:       Rick Murphy <rmurphy () itm-inst ! com>
Date:       2001-02-21 4:52:46

[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]

At 09:30 PM 2/20/01 -0500, Ted Keller wrote:
 >Rick,
 >
 >You force me to think!  I suspect fix 1 did actually resolve my problem.
 >It may not be the best general solution...

Now that you point out the picture, that's a good possibility - that fix is 
much lower risk.


 >Can you point me to some information regarding the Dug Song findings?

I'll see if I can dig up a reference off securityfocus.com; basically, with 
Firewall-1 you could arrange a FTP server to send text containing an 
embedded newline followed by the text "PORT ....." - that would cause the 
firewall to open the port mentioned in the banner string. All you've got to 
do is own a FTP server someone's going to through a FW-1 box.

My basic problem is that this change removes a fix for a security hole in 
the firewall. There should be some warnings about the consequences of 
turning this off.
(The Compaq problem actually is a limitation of the newline patch - any FTP 
site with a long banner message won't work unless you turn the fix off.)
          -Rick
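To make the failure mode Rick describes concrete from the defender's side, here is an added example (not from the original thread, and not FWTK or Firewall-1 code) of a stateful FTP control-channel inspector that only honours PORT commands arriving from the client direction and flags PORT-shaped lines found inside server replies. The banner string in the test is constructed.

```python
import re

# A PORT command is only ever legitimate when the client sends it.  A line in the
# server->client stream that parses as PORT is the embedded-newline trick the
# thread refers to, so the inspector must log it and must not open a pinhole.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


def parse_port(line):
    """Return (ip, port) if `line` is a syntactically valid PORT command, else None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    octets = [int(x) for x in m.group(1).split(",")]
    if any(o > 255 for o in octets):
        return None  # malformed h1,h2,h3,h4,p1,p2 tuple
    ip = ".".join(str(o) for o in octets[:4])
    port = octets[4] * 256 + octets[5]
    return ip, port


def inspect_ftp_control(direction, data):
    """Split one direction ("client" or "server") of the control channel into lines
    and decide which PORT commands may open a data-channel pinhole.

    Returns (allowed, suspicious): `allowed` holds (ip, port) tuples the firewall
    may permit; `suspicious` holds (raw_line, (ip, port)) for PORT-shaped lines that
    appeared in a server reply and must be ignored and logged.
    """
    allowed, suspicious = [], []
    for raw in data.replace("\r\n", "\n").split("\n"):
        hit = parse_port(raw)
        if hit is None:
            continue
        if direction == "client":
            allowed.append(hit)
        else:
            suspicious.append((raw.strip(), hit))
    return allowed, suspicious
```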
