The UTM-1 Firewall
50 Check Point UTM-1 Edge User Guide
Table 19: Firewall Technologies and Passive FTP Connections
Firewall Technology Action
Packet Filter Packet filters can handle outbound FTP connections in either of the
following ways:
• By leaving the entire upper range of ports (greater
than 1023) open. While this allows the file transfer
session to take place over the dynamically allocated port,
it also exposes the internal network.
• By shutting down the entire upper range of ports.
While this secures the internal network, it also blocks
other services.
Thus packet filters' handling of Passive FTP comes at the expense
of either application support or security.
Application-Layer
Gateway (Proxy)
Application-layer gateways use an FTP proxy that acts as a go-
between for all client-server sessions.
This approach overcomes the limitations of packet filtering by
bringing application-layer awareness to the decision process;
however, it also takes a high toll on performance. In addition, each
service requires its own proxy (an FTP proxy for FTP sessions, an
HTTP proxy for HTTP session, and so on), and since the
application-layer gateway can only support a certain number of
proxies, its usefulness and scalability is limited. Finally, this
approach exposes the operating system to external threats.
To Next Page
Loading...
