User guide
The Safe@Office Firewall
82 Check Point Safe@Office User Guide
FTP client-server communication. The following table examines how different firewall
technologies handle this challenge:
Table 25: Firewall Technologies and Passive FTP Connections

Firewall Technology: Packet Filter
Action: Packet filters can handle outbound FTP connections in either of the following ways:
• By leaving the entire upper range of ports (greater than 1023) open. While this allows the file transfer session to take place over the dynamically allocated port, it also exposes the internal network.
• By shutting down the entire upper range of ports. While this secures the internal network, it also blocks other services.
Thus packet filters' handling of Passive FTP comes at the expense of either application support or security.

Firewall Technology: Application-Layer Gateway (Proxy)
Action: Application-layer gateways use an FTP proxy that acts as a go-between for all client-server sessions.
This approach overcomes the limitations of packet filtering by bringing application-layer awareness to the decision process; however, it also takes a high toll on performance. In addition, each service requires its own proxy (an FTP proxy for FTP sessions, an HTTP proxy for HTTP sessions, and so on), and since the application-layer gateway can only support a certain number of proxies, its usefulness and scalability are limited. Finally, this approach exposes the operating system to external threats.
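The trade-off in the table can be made concrete by modelling the decision each technology has to make when the FTP server announces its data port. The following is an added example, not code from the guide or from the Safe@Office product: it parses a constructed 227 "Entering Passive Mode" reply and evaluates three simplified policies (upper range open, upper range closed, and an application-aware policy that opens a pinhole only for the announced endpoint, standing in for the proxy's application-layer awareness). The server address, data port and the unrelated connection are all constructed sample values.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: an FTP server's reply on the control channel (RFC 959 format).
# Port = p1*256 + p2, so (195,80) announces TCP port 50000 on 203.0.113.10.
PASV_REPLY = "227 Entering Passive Mode (203,0,113,10,195,80)\r\n"


def parse_pasv(reply: str) -> tuple:
    """Return (ip, port) of the data endpoint announced in a 227 reply."""
    m = re.search(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)", reply)
    if not m:
        raise ValueError("not a PASV (227) reply")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


@dataclass
class Policy:
    """Simplified outbound policy: static port set plus learned pinholes."""
    name: str
    allowed_ports: set                          # statically permitted destination ports
    pinholes: set = field(default_factory=set)  # (dst_ip, dst_port) learned from the control channel

    def permits(self, dst_ip: str, dst_port: int) -> bool:
        return dst_port in self.allowed_ports or (dst_ip, dst_port) in self.pinholes


def evaluate() -> dict:
    """For each policy: (data connection allowed?, unrelated high-port connection allowed?)."""
    server_ip, data_port = parse_pasv(PASV_REPLY)

    open_high = Policy("packet filter, upper range open", {21} | set(range(1024, 65536)))
    closed_high = Policy("packet filter, upper range closed", {21})
    aware = Policy("application-aware", {21})
    aware.pinholes.add((server_ip, data_port))  # only the endpoint the server actually announced

    # Constructed: a connection to a high port that no control channel ever announced.
    unrelated = ("198.51.100.7", 31337)

    return {
        p.name: (p.permits(server_ip, data_port), p.permits(*unrelated))
        for p in (open_high, closed_high, aware)
    }


if __name__ == "__main__":
    for name, (transfer_ok, exposure) in evaluate().items():
        print(f"{name:36s} data transfer works: {transfer_ok!s:5s} unannounced port reachable: {exposure}")
```

Only the application-aware policy lets the transfer through without also reaching the unannounced port; the two packet-filter policies each give up one of the two.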