Bugtraq mailing list archives
RE: Firewall-1 Information leak
From: Mariusz Woloszyn <emsi () ipartners pl>
Date: Tue, 24 Jul 2001 13:07:23 +0200 (EEST)
On Mon, 23 Jul 2001, Hugo van der Kooij wrote:
Why might anybody use FWZ (CheckPoint's proprietary encryption scheme), rather than IKE? It's inherently less secure, as it can't use IPSec tunnel mode. As I see it, there's a general problem with using firewalls for encryption gateways. You don't want to tie up your gateway with all the processing and memory usage that VPN devices require. CheckPoint seems to have built a client-to-site VPN that is designed to reduce some of the performance hit on the firewall. What you end up with, I think, is a kind of security "lite." A little less data security (especially if you make topology requests available to anybody with the SecuRemote client software).

There used to be a time when you could get FWZ but there was no IKE or you would have to fill silly export forms. Hence the existence of FWZ out in the field.
Moreover external authentication (for example SecureID) does NOT work with IKE, but works with FWZ, so many people have to use weaker FWZ1 or DES encryption for stronger authentication.

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners