[21818] in bugtraq
RE: Firewall-1 Information leak
daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Tue Jul 24 15:04:43 2001
Date: Tue, 24 Jul 2001 13:07:23 +0200 (EEST)
From: Mariusz Woloszyn <emsi@ipartners.pl>
To: Hugo van der Kooij <hvdkooij@vanderkooij.org>
Cc: bugtraq@securityfocus.com
In-Reply-To: <Pine.LNX.4.33.0107232117240.1534-100000@hvdkooij.xs4all.nl>
Message-ID: <Pine.LNX.4.04.10107241304580.2874-100000@dzyngiel.ipartners.pl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-2
Content-Transfer-Encoding: 8BIT
On Mon, 23 Jul 2001, Hugo van der Kooij wrote:
> > Why might anybody use FWZ (CheckPoint's propriatary encryption scheme),
> > rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
> > mode. As I see it, there's a genaral problem with using firewalls for
> > encryption gateways. You don't want to tie up your gateway with all the
> > processing and memory usage that VPN devices require. CheckPoint seems to
> > have built a client-to-site VPN that is designed to reduce some of the
> > performace hit on the firewall. What you end up with, I think, is a kind of
> > security "lite." A little less data security (especially if you make
> > topology requests available to anybody with the SecuRemote client software).
>
> There used to be a time when you could get FWZ but there was no IKE or you
> would have to fill silly export forms. Hence the existance of FWZ out in
> the field.
>
Moreover external authentication (for example SecureID) does NOT work with
IKE, but works with FWZ, so many people has to use weaker FWZ1
or DES encryption for stronger authentication.
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
