Re: [FW-1] SSL over FTP

  • To: [EMAIL PROTECTED]
  • Subject: Re: [FW-1] SSL over FTP
  • From: Joe Pope <[EMAIL PROTECTED]>
  • Date: Thu, 24 Mar 2005 08:28:23 -0500
  • Reply-to: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
  • Sender: Mailing list for discussion of Firewall-1 <[EMAIL PROTECTED]>
  • Thread-index: AcUwNk9tGf0esX57R1aKtN8r9+cVQQAPyPTw
  • Thread-topic: [FW-1] SSL over FTP
 
I had this FTP Bounce problem with SSL FTP and here is what corrected
it:

These are happening due to the new FTP enforcement that prevents telnet
escape characters inside the FTP control session (binary 0xff).

Solution

To turn off telnet character detection, modify $FWDIR/lib/base.def on
the Management Server.
Procedure:
1) cpstop
2) Make a backup copy of the file and edit $FWDIR/lib/base.def.
3) Modify:
#define FTP_CHECK_ARGS (FTP_NO_CLIENT_227 | FTP_NO_TELNET_OPTIONS)
To:
#define FTP_CHECK_ARGS (FTP_NO_CLIENT_227)
4) cpstart
5) Install policy
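Added illustration, not part of Joe Pope's message or of the thread: a small Python model of why a check for telnet option bytes on the FTP control channel fires on FTP over SSL, and what clearing FTP_NO_TELNET_OPTIONS changes. The flag bit values, the reading of FTP_NO_CLIENT_227 as "a client must never send a 227 reply", and every session byte below are constructed assumptions, not Check Point's actual base.def logic.

```python
# Added example (not from the mailing-list thread). Models an FTP control-channel
# inspection with the two checks named in $FWDIR/lib/base.def and shows why the
# telnet-option check trips on TLS-wrapped FTP. Bit values, the 227 semantics and
# all traffic bytes are constructed for illustration.

TELNET_IAC = 0xFF  # RFC 854 "Interpret As Command": every telnet option starts with it

# Constructed stand-ins for the base.def flags; the real bit values are not on the page.
FTP_NO_CLIENT_227 = 0x01
FTP_NO_TELNET_OPTIONS = 0x02


def find_telnet_iac(data: bytes) -> list:
    """Offsets of every 0xff byte. On a plaintext FTP control channel these can
    only be telnet commands; on a TLS-wrapped one they are ordinary ciphertext."""
    return [i for i, b in enumerate(data) if b == TELNET_IAC]


def client_sends_227(client_to_server: bytes) -> bool:
    """Assumed meaning of FTP_NO_CLIENT_227: only servers emit
    '227 Entering Passive Mode', so a 227 line from the client is suspect."""
    return any(line.startswith(b"227") for line in client_to_server.split(b"\r\n"))


def ftp_check_args(client_to_server: bytes, checks: int) -> str:
    """Apply the enabled checks to the client half of the control channel and
    return 'allow' or the reason the packet would be modified and logged."""
    if checks & FTP_NO_TELNET_OPTIONS and find_telnet_iac(client_to_server):
        return "modified: potential TELNET OPTIONS Bounce"
    if checks & FTP_NO_CLIENT_227 and client_sends_227(client_to_server):
        return "modified: client sent 227"
    return "allow"


# Constructed sample traffic -------------------------------------------------

# Plain FTP login: printable ASCII only, no IAC anywhere.
PLAIN_FTP = b"USER alice\r\nPASS s3cret\r\nPASV\r\nLIST\r\n"

# Plain FTP using the RFC 959 abort sequence: telnet IP and Synch (IAC IP, IAC DM)
# ahead of ABOR. Legitimate protocol, yet it carries two IAC bytes.
TELNET_ABORT = b"RETR big.iso\r\n" + bytes([0xFF, 0xF4, 0xFF, 0xF2]) + b"ABOR\r\n"

# After AUTH TLS the same port carries TLS records whose payload is ciphertext,
# so 0xff appears roughly once per 256 bytes. These payload bytes are made up.
FTPS_RECORD = (
    b"AUTH TLS\r\n"
    + bytes([0x17, 0x03, 0x03, 0x00, 0x10])              # application_data, TLS 1.2, 16 bytes
    + bytes.fromhex("9a41ff0c7be3d2ff5510a6c38e74ffb0")  # constructed ciphertext
)


def summarize(checks: int) -> dict:
    """Verdict for each constructed session under a given FTP_CHECK_ARGS value."""
    return {
        "plain": ftp_check_args(PLAIN_FTP, checks),
        "abort": ftp_check_args(TELNET_ABORT, checks),
        "ftps": ftp_check_args(FTPS_RECORD, checks),
    }


if __name__ == "__main__":
    strict = FTP_NO_CLIENT_227 | FTP_NO_TELNET_OPTIONS  # the shipped macro
    relaxed = FTP_NO_CLIENT_227                         # the thread's workaround
    print("IAC offsets in FTPS record:", find_telnet_iac(FTPS_RECORD))
    print("default :", summarize(strict))
    print("relaxed :", summarize(relaxed))
```

With the shipped macro the FTPS record is flagged purely because ciphertext happens to contain 0xff; with the relaxed macro it passes, but so does any 0xff on a plaintext control channel, while the 227 check still applies in both settings. That is the trade-off behind the question below of whether switching the protection off is bad from a security point of view.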


-----Original Message-----
From: Mailing list for discussion of Firewall-1
[mailto:[EMAIL PROTECTED] On Behalf Of Raymond N
Sent: Wednesday, March 23, 2005 6:48 PM
To: [EMAIL PROTECTED]
Subject: Re: [FW-1] SSL over FTP


Hmm, what you explained makes sense.  What version of NG AI are you
using? In my version (NG AI R55 hotfix 12), there is a checkbox
(SmartDefence - AI - FTP) for "FTP Bounce", and the only sub-configuration
item is the 'track' option (e.g. log, alert, snmp trap, etc.).  I don't see
if there are options for "watch only".  Shall I just 'untick' FTP bounce?  Is
this a bad thing to do from the security point of view?

BTW, how come the log message said 'TELNET options bounce' instead of
'FTP Bounce'???

Thanks.

-raymond n

At 06:39 PM 3/22/05 -0800, cisco4ng wrote:
>What it means is that checkpoint tried to read the content inside the
>ftp session; however, since the content is "encrypted" via SSL and
>checkpoint does not know how to decrypt it, it will think that this is
>an "attack" attempt.  If you go into smartdefense and under the ftp, go
>into FTP bounce, and select "monitor only", your ftp over SSL will
>work.
>
>cisco4ng
>
>Raymond N <[EMAIL PROTECTED]> wrote:
>I am using NG AI R55 Hotfix-12 on Nokia platform.
>One of my users tries to do SSL over FTP with an external ftp server
>over the Internet. The connection failed even at the control session
>(i.e. no login prompt). Looking at the firewall log, the rule I have
>for outbound ftp shows the traffic is allowed, but at the "Information"
>column, it has a message about "Attack info: The packet was modified
>due to a potential TELNET OPTIONS Bounce attack".
>
>Can anyone tell me what this is? Again, the firewall log shows the
>traffic is 'permit', but the ftp control session still fails.
>
>Thanks in advance for any info.
>
>-raymond

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================