Re: new line character check on firewall

You'll probably need to read deeply into the RFCs to understand it all, but I guess there are some attacks that could be mounted. My reading of it is that if it's only for outbound FTP, then it's not such an issue.

If you're having this problem with specific FTP servers, then I would strongly recommend that you have a specific rule for those connections, above any other FTP rules, and use the FTP basic service. Create a new TCP service, called ftp-basic, or similar. Then set the advanced protocol type to FTP-BASIC. This disables several security checks, including the newline one.

The advantage of using it this way is that it then only applies to those connections, rather than all FTP rules, like changing base.def does. The other thing is that changes to base.def are not automatically upgraded, whereas using the ftp basic service will be carried across upgrades. Otherwise what tends to happen is that you forget about the change, then upgrade a year later, and things start breaking again.