Bugtraq mailing list archives
RE: Firewall-1 Information leak
From: "Stephen JT Bourike" <steveb () ascltd co uk>
Date: Tue, 24 Jul 2001 19:57:57 +0100
Actually, since 4.1 SP-3 the use of Hybrid IKE mode has worked fairly well. SP-4 fixes some of the outstanding problems and it is now possible to use strongly-authenticated SecuRemote sessions with IKE encryption and key exchange. Steve -----Original Message----- From: Mariusz Woloszyn [mailto:emsi () ipartners pl] Sent: 24 July 2001 12:07 To: Hugo van der Kooij Cc: bugtraq () securityfocus com Subject: RE: Firewall-1 Information leak On Mon, 23 Jul 2001, Hugo van der Kooij wrote:
Why might anybody use FWZ (CheckPoint's propriatary encryption scheme), rather than IKE? It's inherently less secure, as it can't use IPSec
tunnel
mode. As I see it, there's a genaral problem with using firewalls for encryption gateways. You don't want to tie up your gateway with all the processing and memory usage that VPN devices require. CheckPoint seems
to
have built a client-to-site VPN that is designed to reduce some of the performace hit on the firewall. What you end up with, I think, is a kind
of
security "lite." A little less data security (especially if you make topology requests available to anybody with the SecuRemote client
software).
There used to be a time when you could get FWZ but there was no IKE or you would have to fill silly export forms. Hence the existance of FWZ out in the field.
Moreover external authentication (for example SecureID) does NOT work with IKE, but works with FWZ, so many people has to use weaker FWZ1 or DES encryption for stronger authentication. -- Mariusz Wołoszyn Internet Security Specialist, Internet Partners
Current thread:
- Firewall-1 Information leak Haroon Meer (Jul 17)
- RE: Firewall-1 Information leak Lars Troen (Jul 18)
- Re: Firewall-1 Information leak Bugtraq Account (Jul 19)
- <Possible follow-ups>
- Re: Firewall-1 Information leak Christian Herb (Jul 18)
- RE: Firewall-1 Information leak David Sexton (Jul 20)
- RE: Firewall-1 Information leak MALIN, ALEX (PB) (Jul 23)
- RE: Firewall-1 Information leak Hugo van der Kooij (Jul 23)
- RE: Firewall-1 Information leak Mariusz Woloszyn (Jul 24)
- RE: Firewall-1 Information leak Stephen JT Bourike (Jul 24)
- Re: Firewall-1 Information leak Grzegorz Mucha (Jul 25)
- RE: Firewall-1 Information leak Hugo van der Kooij (Jul 23)