Bugtraq mailing list archives

RE: Firewall-1 Information leak


From: "Stephen JT Bourike" <steveb () ascltd co uk>
Date: Tue, 24 Jul 2001 19:57:57 +0100

Actually, since 4.1 SP-3 the use of Hybrid IKE mode has worked fairly well.
SP-4 fixes some of the outstanding problems and it is now possible to use
strongly-authenticated SecuRemote sessions with IKE encryption and key
exchange.

Steve

-----Original Message-----
From: Mariusz Woloszyn [mailto:emsi () ipartners pl]
Sent: 24 July 2001 12:07
To: Hugo van der Kooij
Cc: bugtraq () securityfocus com
Subject: RE: Firewall-1 Information leak


On Mon, 23 Jul 2001, Hugo van der Kooij wrote:

Why might anybody use FWZ (CheckPoint's proprietary encryption scheme),
rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
mode. As I see it, there's a general problem with using firewalls for
encryption gateways. You don't want to tie up your gateway with all the
processing and memory usage that VPN devices require. CheckPoint seems to
have built a client-to-site VPN that is designed to reduce some of the
performance hit on the firewall. What you end up with, I think, is a kind of
security "lite." A little less data security (especially if you make
topology requests available to anybody with the SecuRemote client
software).

There used to be a time when you could get FWZ but there was no IKE or you
would have to fill in silly export forms. Hence the existence of FWZ out in
the field.

Moreover, external authentication (for example SecurID) does NOT work with
IKE, but works with FWZ, so many people have to use the weaker FWZ1
or DES encryption to get stronger authentication.

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
