User Manual Part 1
Check Point Safe@Office User Guide 8.0
The Safe@Office Firewall
Chapter 2: Safe@Office Security
Table 14: Firewall Technologies and Passive FTP Connections

| Firewall Technology | Action |
| --- | --- |
| Packet Filter | Packet filters can handle outbound FTP connections in either of the following ways: • By leaving the entire upper range of ports (greater than 1023) open. While this allows the file transfer session to take place over the dynamically allocated port, it also exposes the internal network. • By shutting down the entire upper range of ports. While this secures the internal network, it also blocks other services. Thus packet filters' handling of Passive FTP comes at the expense of either application support or security. |
| Application-Layer Gateway (Proxy) | Application-layer gateways use an FTP proxy that acts as a go-between for all client-server sessions. This approach overcomes the limitations of packet filtering by bringing application-layer awareness to the decision process; however, it also takes a high toll on performance. In addition, each service requires its own proxy (an FTP proxy for FTP sessions, an HTTP proxy for HTTP sessions, and so on), and since the application-layer gateway can only support a certain number of proxies, its usefulness and scalability are limited. Finally, this approach exposes the operating system to external threats. |
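
The trade-off in Table 14, as an added example that is not part of the Check Point guide: a static packet filter gives one fixed answer for every port above 1023, while a filter with application-layer awareness reads the server's `227` passive-mode reply (RFC 959 format) and permits only the negotiated data port. The function and class names, the addresses, and the rule that the announced endpoint must be the server itself are assumptions made for illustration.

```python
import re

# RFC 959 passive-mode reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")

def parse_pasv(reply):
    """Return (ip, port) announced in a 227 reply, or None if malformed."""
    m = PASV_RE.match(reply.strip())
    nums = [int(g) for g in m.groups()] if m else []
    if not nums or any(n > 255 for n in nums):
        return None
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]

def static_filter(open_high_ports):
    """Packet filter: one fixed answer for every port above 1023."""
    def allow(dst_ip, dst_port):
        return dst_port == 21 or (open_high_ports and dst_port > 1023)
    return allow

class FtpAwareFilter:
    """Reads the control channel and opens only the negotiated data port."""
    def __init__(self):
        self.expected = set()

    def see_control_reply(self, server_ip, reply):
        parsed = parse_pasv(reply)
        # Assumption: only accept a data endpoint on the server itself.
        if parsed and parsed[0] == server_ip and parsed[1] > 1023:
            self.expected.add(parsed)

    def allow(self, dst_ip, dst_port):
        if dst_port == 21:
            return True
        if (dst_ip, dst_port) in self.expected:
            self.expected.discard((dst_ip, dst_port))  # single-use opening
            return True
        return False

# Constructed sample traffic (documentation address ranges).
SERVER = "203.0.113.10"
REPLY = "227 Entering Passive Mode (203,0,113,10,195,149)"  # port 195*256+149
CONNS = {"ftp-data": (SERVER, 50069), "other-high-port": ("198.51.100.7", 6000)}

def compare():
    aware = FtpAwareFilter()
    aware.see_control_reply(SERVER, REPLY)
    filters = {"open": static_filter(True), "closed": static_filter(False),
               "aware": aware.allow}
    return {name: {c: bool(f(*dst)) for c, dst in CONNS.items()}
            for name, f in filters.items()}
```

`compare()` returns each filter's verdict on the two sample connections: the open filter passes both, the closed filter blocks both (including the file transfer), and the FTP-aware filter passes only the negotiated data connection.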