List: fwtk-users
Subject: Re: ftp-gw on dmz zone of Checkpoint Firewall
From: Rick Murphy <rmurphy () itm-inst ! com>
Date: 2001-02-21 4:52:46
[To be removed from this list send the message "unsubscribe fwtk-users" in the
BODY of a mail message to majordomo@ex.tis.com.]
At 09:30 PM 2/20/01 -0500, Ted Keller wrote:
>
>Rick,
>
>You force me to think! I suspect fix 1 did actually resolve my problem.
>It may not be the best general solution...
Now that you point out the picture, that's a good possibility - that fix is
much lower risk.
>Can you point me to some information regarding the Dug Song findings?
I'll see if I can dig up a reference off securityfocus.com; basically, with
Firewall-1 you could arrange an FTP server to send text containing an
embedded newline followed by the text "PORT ....." - that would cause the
firewall to open the port mentioned in the banner string. All you've got to
do is own an FTP server someone's going through a FW-1 box.
My basic problem is that this change removes a fix for a security hole in
the firewall. There should be some warnings about the consequences of
turning this off.
(The Compaq problem actually is a limitation of the newline patch - any FTP
site with a long banner message won't work unless you turn the fix off.)
-Rick
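The bug class Rick describes, and the cost of the "newline patch" he mentions, as an added model written for this archive page. This is not Check Point Firewall-1 code and the page does not show FW-1's parser; the FtpInspector class, the address 10.1.1.5 / 203.0.113.7 pair, the banners and the direction check are all constructed here. The `require_newline` flag models the patch as the thread describes its effect (a server packet that does not end in a newline is dropped); the `check_direction` flag (honour PORT only from the client, 227 only from the server) is an additional hardening of my own, not something the thread attributes to FW-1.

```python
"""Model of FTP control-channel inspection by a stateful firewall.

Constructed illustration for the fwtk-users thread, not Firewall-1 code.
It models the hole Rick describes (a port-opening directive smuggled into a
server reply after an embedded newline) and the cost of the newline rule
(a long banner whose line is split across TCP segments gets dropped).
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

HostPort = Tuple[str, int]

# Client -> server: "PORT h1,h2,h3,h4,p1,p2"  (server connects back to client)
PORT_RE = re.compile(r"^PORT\s+(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
# Server -> client: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227\b.*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _hostport(m: "re.Match[str]") -> HostPort:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass(frozen=True)
class Pinhole:
    src: str        # host allowed to initiate the data connection
    dst: HostPort   # address it may connect to


@dataclass
class FtpInspector:
    """One FTP control session as a firewall sees it (constructed model)."""
    client_ip: str
    server_ip: str
    check_direction: bool = False   # assumed hardening: bind directives to the side that may issue them
    require_newline: bool = False   # the thread's "newline patch": drop server packets not ending in \n
    pinholes: List[Pinhole] = field(default_factory=list)
    dropped: List[bytes] = field(default_factory=list)

    def inspect(self, data: bytes, from_server: bool) -> List[Pinhole]:
        """Feed one control-channel packet; return the pinholes it opened."""
        if from_server and self.require_newline and not data.endswith(b"\n"):
            # A reply that does not finish a line is either a fragment of a
            # long banner or a directive split across packets; the rule cannot
            # tell them apart, so both are dropped (in a real firewall this
            # stalls the session, which is the long-banner breakage).
            self.dropped.append(data)
            return []
        opened: List[Pinhole] = []
        for line in data.decode("ascii", "replace").splitlines():
            m = PORT_RE.match(line)
            if m and (not from_server or not self.check_direction):
                opened.append(Pinhole(self.server_ip, _hostport(m)))
                continue
            m = PASV_RE.match(line)
            if m and (from_server or not self.check_direction):
                opened.append(Pinhole(self.client_ip, _hostport(m)))
        self.pinholes.extend(opened)
        return opened


CLIENT, SERVER = "10.1.1.5", "203.0.113.7"   # constructed addresses


def smuggled_port(check_direction: bool, require_newline: bool,
                  trailing_newline: bool = True) -> List[Pinhole]:
    """Hostile server greeting: an ordinary 220 line, an embedded newline,
    then a PORT line naming the client's own port 139 (constructed)."""
    banner = b"220 ftp.example ready\r\nPORT 10,1,1,5,0,139"
    if trailing_newline:
        banner += b"\r\n"
    fw = FtpInspector(CLIENT, SERVER, check_direction, require_newline)
    return fw.inspect(banner, from_server=True)


def long_banner(require_newline: bool) -> Tuple[int, List[Pinhole]]:
    """A benign multi-line banner whose segmentation splits a line mid-way,
    followed by a legitimate PASV/227 exchange. Returns (dropped, pinholes)."""
    banner = b"220-" + b"Welcome. " * 200 + b"\r\n220 Login ready.\r\n"
    first, second = banner[:1460], banner[1460:]   # constructed MSS-sized split
    fw = FtpInspector(CLIENT, SERVER, check_direction=True, require_newline=require_newline)
    fw.inspect(first, from_server=True)
    fw.inspect(second, from_server=True)
    fw.inspect(b"PASV\r\n", from_server=False)
    fw.inspect(b"227 Entering Passive Mode (203,0,113,7,4,1)\r\n", from_server=True)
    return len(fw.dropped), fw.pinholes
```

With neither check enabled the hostile banner opens a pinhole from the server to the client's port 139, which is the hole described above. The newline rule drops the banner only when the attacker leaves the PORT line unterminated; a complete line passes it, so in this model it is the direction binding that closes the hole outright, while the newline rule still drops the first segment of any banner long enough to be split mid-line, exactly the long-banner failure the thread reports. Which of these checks FW-1's own patch performed is not on the page.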