On Mon, 23 Jul 2001, Hugo van der Kooij wrote: > > Why might anybody use FWZ (CheckPoint's propriatary encryption scheme), > > rather than IKE? It's inherently less secure, as it can't use IPSec tunnel > > mode. As I see it, there's a genaral problem with using firewalls for > > encryption gateways. You don't want to tie up your gateway with all the > > processing and memory usage that VPN devices require. CheckPoint seems to > > have built a client-to-site VPN that is designed to reduce some of the > > performace hit on the firewall. What you end up with, I think, is a kind of > > security "lite." A little less data security (especially if you make > > topology requests available to anybody with the SecuRemote client software). > > There used to be a time when you could get FWZ but there was no IKE or you > would have to fill silly export forms. Hence the existance of FWZ out in > the field. > Moreover external authentication (for example SecureID) does NOT work with IKE, but works with FWZ, so many people has to use weaker FWZ1 or DES encryption for stronger authentication. -- Mariusz Wołoszyn Internet Security Specialist, Internet Partners
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 11:34:47 PDT