RE: [fw-wiz] Active to Passive FTP translator?

From: Scott, Richard (Richard.Scott@BestBuy.com)
Date: 11/26/02

• Next message: Ng Pheng Siong: "Re: [fw-wiz] Inspecting routers"
• Previous message: Paul D. Robertson: "RE: [fw-wiz] (no subject)"
• Maybe in reply to: Dawes, Rogan (ZA - Johannesburg): "[fw-wiz] Active to Passive FTP translator?"
• Next in thread: David Pick: "Re: [fw-wiz] Active to Passive FTP translator?"
• Reply: David Pick: "Re: [fw-wiz] Active to Passive FTP translator?"
• Reply: Mikael Olsson: "Re: [fw-wiz] Active to Passive FTP translator?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: "Scott, Richard" <Richard.Scott@BestBuy.com>
To: "'Mikael Olsson'" <mikael.olsson@clavister.com>, "Dawes, Rogan (ZA - Johannesburg)" <rdawes@deloitte.co.za>
Date: Tue Nov 26 10:27:01 2002

I am just curious at the real threat of allowing non passive FTP connections
from clients.
Assume one has a system that wants to contact many FTP servers, and the
system itself is not an FTP server. Given that the firewall should be
restricting specific access to hosts, the only threat I can foresee are the
following:

(1) spoof the IP address of a trusted FTP server and allow for a correct
timing of events to falsify data
(2) Spoof the IP address, to send FTP commands back to the client in the
hope there is a vulnerability in the client.
(3) Compromise the FTP server and await ftp connection from client and then
perform 2.

Any other rsks?

Cheers
r.

Richard Scott
INFORMATION SECURITY
Best Buy World Headquarters
7075 Flying Cloud Drive
Eden Prairie, MN 55344 USA

The views expressed in this email do not represent Best Buy
or any of its subsidiaries

---

• Next message: Ng Pheng Siong: "Re: [fw-wiz] Inspecting routers"
• Previous message: Paul D. Robertson: "RE: [fw-wiz] (no subject)"
• Maybe in reply to: Dawes, Rogan (ZA - Johannesburg): "[fw-wiz] Active to Passive FTP translator?"
• Next in thread: David Pick: "Re: [fw-wiz] Active to Passive FTP translator?"
• Reply: David Pick: "Re: [fw-wiz] Active to Passive FTP translator?"
• Reply: Mikael Olsson: "Re: [fw-wiz] Active to Passive FTP translator?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: ipfw or ipf w/stateful behavior ... these make the firewall secure enaugh. ... > hosting a FTP server at your site? ... Securing things for an FTP client ... (FreeBSD-Security) Re: ftp hangs ... But I have just used the same Solaris 10 ftp client and connected to the HP C3600's ftp server. ... it possible that it just defaults to passive mode so that the command to ... No, I can't be sure about the HP ftp server, but I tried both with and without the "passive" command from Sun's ftp client and find it works with the HP server in either case. ... (comp.unix.solaris) RE: SBS 2003 Premium: how to allow FTP .EXE downloads ... Disable the problematic client XP firewall, ... click to check the "Hide All Microsoft Services" ... Is the FTP server on SBS? ... Download the file from the following URL: ... (microsoft.public.windows.server.sbs) Re: Telnet/ftp problems SBS2000 ... | through the server to get internet access everything works. ... | client uses an internet backup company to backup his really vital data, ... I understand that you cannot use ftp service to ... the connection can be established ... (microsoft.public.windows.server.sbs) Re: ipfw or ipf w/stateful behavior ... I take it you're trying to access a remote FTP server, ... Securing things for an FTP client ... firewall, that can detect the outgoing PORT command (with all the ... (FreeBSD-Security)

---

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Mailing-Lists  > Firewall-Wizards  > 2002-11