[21799] in bugtraq


RE: Firewall-1 Information leak

daemon@ATHENA.MIT.EDU (Hugo van der Kooij)
Mon Jul 23 20:03:06 2001

Date: Mon, 23 Jul 2001 21:19:52 +0200 (CEST)
From: Hugo van der Kooij <hvdkooij@vanderkooij.org>
To: <bugtraq@securityfocus.com>
In-Reply-To: <1FD70EE03885D411B9AB00508BCFDEAC053F63FD@msgsrv05.srv.pacbell.com>
Message-ID: <Pine.LNX.4.33.0107232117240.1534-100000@hvdkooij.xs4all.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Fri, 20 Jul 2001, MALIN, ALEX (PB) wrote:

> Why might anybody use FWZ (CheckPoint's proprietary encryption scheme),
> rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
> mode. As I see it, there's a general problem with using firewalls for
> encryption gateways. You don't want to tie up your gateway with all the
> processing and memory usage that VPN devices require. CheckPoint seems to
> have built a client-to-site VPN that is designed to reduce some of the
> performance hit on the firewall. What you end up with, I think, is a kind of
> security "lite." A little less data security (especially if you make
> topology requests available to anybody with the SecuRemote client software).

There used to be a time when you could get FWZ but there was no IKE or you
would have to fill in silly export forms. Hence the existence of FWZ out in
the field.

Hugo.

-- 
All email sent to me is bound to the rules described on my homepage.
    hvdkooij@vanderkooij.org		http://hvdkooij.xs4all.nl/
	    Don't meddle in the affairs of sysadmins,
	    for they are subtle and quick to anger.
