Multiple Firewall Vendor FTP "ALG" Client Vulnerability
Solution: Check Point has suggested taking one of the following actions in response to the problem outlined:

o Only allow outbound FTP to trusted servers by constraining the rule base, specifically the destination machine(s). For example: "localnets trusted_ftp_sites ftp accept".

o Disallow outbound FTP through port 21 and force all FTP to occur via HTTP. For FireWall-1 users, this forces browser FTP traffic to the HTTP Security Server, which disallows embedded non-printable characters in the URL. To implement, administrators need to set a browser's HTTP proxy to be the FireWall-1 system and create an HTTP resource rule that allows outbound connectivity. This approach blocks general outbound non-PASV FTP.

o Disallow non-PASV FTP. This can be accomplished in one of two ways: unchecking "Enable FTP Port Command Processing" in the Services tab of the Properties item; or using the FTP Security Server and configuring it not to pass PORT commands (the Properties setting takes precedence over the Security Server in cases of conflicting settings). Note: either of these two settings disables non-PASV FTP in either direction; Check Point hopes to lift this bi-directionality restriction in a subsequent service pack.

o Weed "ftp://" and PORT references out of all HTTP and SMTP data streams. This will eliminate the two most likely sources for clients to receive malicious HTML code. It does not eliminate hostile applets, but FireWall-1 does support stripping ActiveX and Java, which can also be applied to HTTP traffic. Please note that this weeding will not work against encrypted or specially encoded HTTP or SMTP data streams. The ability to weed FTP and PORT references within HTTP and SMTP data streams was delivered in Service Pack 6 of FireWall-1 4.0 and in Hot Fix 1 of FireWall-1 4.1 Service Pack 1. For implementation documentation, please consult the Service Pack or Hot Fix release notes.

Check Point Software Firewall-1 4.0
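The last two mitigations above describe content filtering: the HTTP Security Server rejecting URLs that carry embedded non-printable characters, and the Service Pack 6 / Hot Fix 1 feature that weeds "ftp://" and PORT references out of HTTP and SMTP data. The following Python is an added example of what such a filter checks for; it is not Check Point's code and does not reproduce FireWall-1's implementation. The sample HTML body, the hostnames and the 10.0.0.5 address are constructed for the example, and the percent-decoding step before the non-printable check is an assumption added here (the advisory says only that non-printable characters in the URL are disallowed).

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_to_bytes

# An FTP PORT command: the keyword followed by six comma-separated decimal
# values (four address bytes, two port bytes). Case-insensitive, because an
# FTP server accepts the command in either case.
PORT_COMMAND = re.compile(rb"(?i)\bPORT\s+\d{1,3}(?:,\d{1,3}){5}")

# An "ftp://" URL reference in HTML or mail body text, terminated by
# whitespace or an HTML/attribute delimiter.
FTP_REFERENCE = re.compile(rb"(?i)ftp://[^\s\"'<>]+")

# Constructed sample: a page that links to an FTP server and carries a PORT
# command inside a URL after a CR/LF pair. Hosts and address are fictitious.
SAMPLE_HTML = (
    b"<html><body>\n"
    b"<a href=\"ftp://files.example.test/pub/readme.txt\">download</a>\n"
    b"<img src=\"http://www.example.test/x?q=\r\nPORT 10,0,0,5,0,23\r\n\">\n"
    b"<p>Routine text with no references.</p>\n"
    b"</body></html>\n"
)


def find_port_commands(data: bytes) -> List[bytes]:
    """Return every PORT command string found in a data stream."""
    return [m.group(0) for m in PORT_COMMAND.finditer(data)]


def find_ftp_references(data: bytes) -> List[bytes]:
    """Return every ftp:// reference found in a data stream."""
    return [m.group(0) for m in FTP_REFERENCE.finditer(data)]


def url_has_nonprintable(url: bytes) -> bool:
    """True if the URL contains a byte outside printable ASCII (0x20-0x7E).

    Percent-escapes are decoded first (an assumption of this example), so an
    encoded CR/LF is caught as well as a literal one.
    """
    decoded = unquote_to_bytes(url)
    return any(b < 0x20 or b > 0x7E for b in decoded)


def weed_stream(data: bytes, marker: bytes = b"[removed]") -> Tuple[bytes, int]:
    """Replace ftp:// and PORT references with a neutral marker.

    Returns the cleaned data and the number of substitutions made.
    """
    data, n_ftp = FTP_REFERENCE.subn(marker, data)
    data, n_port = PORT_COMMAND.subn(marker, data)
    return data, n_ftp + n_port


if __name__ == "__main__":
    print("PORT commands :", find_port_commands(SAMPLE_HTML))
    print("ftp references:", find_ftp_references(SAMPLE_HTML))
    cleaned, count = weed_stream(SAMPLE_HTML)
    print(f"{count} reference(s) removed")
    print(cleaned.decode("ascii", "replace"))
```

As the advisory notes, a filter of this kind sees only plaintext: it does nothing for encrypted streams, and alternative encodings that the filter does not normalise will slip past it, which is why the rule-base and PORT-processing controls listed first are the more robust choices.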