[21826] in bugtraq


RE: Firewall-1 Information leak

daemon@ATHENA.MIT.EDU (Stephen JT Bourike)
Tue Jul 24 15:36:41 2001

From: "Stephen JT Bourike" <steveb@ascltd.co.uk>
To: "Mariusz Woloszyn" <emsi@ipartners.pl>,
        "Hugo van der Kooij" <hvdkooij@vanderkooij.org>
Cc: <bugtraq@securityfocus.com>
Date: Tue, 24 Jul 2001 19:57:57 +0100
Message-ID: <OFEBJLCJDGEGBABHENNIIECFCEAA.steveb@ascltd.co.uk>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="ISO-8859-2"
Content-Transfer-Encoding: 8bit
In-Reply-To: <Pine.LNX.4.04.10107241304580.2874-100000@dzyngiel.ipartners.pl>

Actually, since 4.1 SP-3 the use of Hybrid IKE mode has worked fairly well.
SP-4 fixes some of the outstanding problems and it is now possible to use
strongly-authenticated SecuRemote sessions with IKE encryption and key
exchange.

Steve

-----Original Message-----
From: Mariusz Woloszyn [mailto:emsi@ipartners.pl]
Sent: 24 July 2001 12:07
To: Hugo van der Kooij
Cc: bugtraq@securityfocus.com
Subject: RE: Firewall-1 Information leak


On Mon, 23 Jul 2001, Hugo van der Kooij wrote:

> > Why might anybody use FWZ (CheckPoint's proprietary encryption scheme),
> > rather than IKE? It's inherently less secure, as it can't use IPSec
> > tunnel mode. As I see it, there's a general problem with using firewalls
> > for encryption gateways. You don't want to tie up your gateway with all
> > the processing and memory usage that VPN devices require. CheckPoint
> > seems to have built a client-to-site VPN that is designed to reduce some
> > of the performance hit on the firewall. What you end up with, I think,
> > is a kind of security "lite." A little less data security (especially if
> > you make topology requests available to anybody with the SecuRemote
> > client software).
>
> There used to be a time when you could get FWZ but there was no IKE or you
> would have to fill in silly export forms. Hence the existence of FWZ out in
> the field.
>
Moreover, external authentication (for example SecurID) does NOT work with
IKE, but works with FWZ, so many people have to use the weaker FWZ1
or DES encryption to get stronger authentication.

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners

