CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: SSL/TLS Inspection for FTPS Connections

  1. #1 (Join Date 2015-10-01)

    SSL/TLS Inspection for FTPS Connections

    Hello,

    Anyone achieved SSL/TLS Inspection on a securing gateway for FTPS connections (FTP over SSL/TLS, not SFTP)? Is this possible?

    There are various protections in IPS blade regarding FTP, but since most file transfers in production environments are encrypted, those protections do not work without a way for the gateway to observe the data decrypted.

    I tried to add a rule in HTTPS inspection policy including the server's certificate/private key, but the connection cannot be established at all. Without inspecting the connection, file transfers work fine.

    It would be great if HTTPS inspection also worked for FTPS.

    Regards,
    Dave

  2. #2 (Join Date 2015-09-08)

    Re: SSL/TLS Inspection for FTPS Connections

    Currently it's not possible to do inspection on FTPS connections.

  3. #3 (Join Date 2011-08-02, Location http://spikefishsolutions.com)

    Re: SSL/TLS Inspection for FTPS Connections

    Does it really have to be ftp over tls? I take it sftp (over ssh) or the likes isn't an option?

  4. #4 (Join Date 2015-10-01)

    Re: SSL/TLS Inspection for FTPS Connections

    Thanks for the info.

    For this specific case it has to be FTPS. We don't have an option.

    However, in case of SFTP the IPS still cannot see the traffic decrypted right?

    Do you consider SFTP more secure than FTPS? The problem with SFTP is that because it works over SSH, in case the service is not configured correctly (or in case there is a vulnerability), the client can get command-line access on the Operating System itself.

    Any thoughts?

    Thanks,

  5. #5 (Join Date 2011-08-02, Location http://spikefishsolutions.com)

    Re: SSL/TLS Inspection for FTPS Connections

    Quote Originally Posted by Dave365:

        Thanks for the info.

        For this specific case it has to be FTPS. We don't have an option.

        However, in case of SFTP the IPS still cannot see the traffic decrypted right?

        Do you consider SFTP more secure than FTPS? The problem with SFTP is that because it works over SSH, in case the service is not configured correctly (or in case there is a vulnerability), the client can get command-line access on the Operating System itself.

        Any thoughts?

        Thanks,

    I would say either is just as secure and either can be misconfigured and have very bad things happen.

    This is a pretty good doc explaining how to set up an SFTP jail.

    https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/

    That is very close to how Check Point runs their SFTP servers from the looks of it. I'll also point out Check Point doesn't run FTP-over-SSL servers (that I know of, at least).

    If you wanted to go a step further don't allow any ssh login on port 22 except for sftp-server users and then start admin ssh on a different port and make with the firewalling.

  6. #6 (Join Date 2015-10-01)

    Re: SSL/TLS Inspection for FTPS Connections

    Good points.

    Thanks for the feedback everyone.
