Bugtraq mailing list archives

RE: Firewall-1 Information leak


From: Hugo van der Kooij <hvdkooij () vanderkooij org>
Date: Mon, 23 Jul 2001 21:19:52 +0200 (CEST)

On Fri, 20 Jul 2001, MALIN, ALEX (PB) wrote:

> Why might anybody use FWZ (CheckPoint's proprietary encryption scheme),
> rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
> mode. As I see it, there's a general problem with using firewalls for
> encryption gateways. You don't want to tie up your gateway with all the
> processing and memory usage that VPN devices require. CheckPoint seems to
> have built a client-to-site VPN that is designed to reduce some of the
> performance hit on the firewall. What you end up with, I think, is a kind of
> security "lite." A little less data security (especially if you make
> topology requests available to anybody with the SecuRemote client software).

There used to be a time when you could get FWZ but there was no IKE, or you
would have had to fill in silly export forms. Hence the existence of FWZ out in
the field.

Hugo.

-- 
All email send to me is bound to the rules described on my homepage.
    hvdkooij () vanderkooij org         http://hvdkooij.xs4all.nl/
            Don't meddle in the affairs of sysadmins,
            for they are subtle and quick to anger.
