Actually, since 4.1 SP-3 the use of Hybrid IKE mode has worked fairly well. SP-4 fixes some of the outstanding problems, and it is now possible to use strongly-authenticated SecuRemote sessions with IKE encryption and key exchange.

Steve

-----Original Message-----
From: Mariusz Woloszyn [mailto:emsiat_private]
Sent: 24 July 2001 12:07
To: Hugo van der Kooij
Cc: bugtraqat_private
Subject: RE: Firewall-1 Information leak

On Mon, 23 Jul 2001, Hugo van der Kooij wrote:

> > Why might anybody use FWZ (CheckPoint's proprietary encryption scheme),
> > rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
> > mode. As I see it, there's a general problem with using firewalls for
> > encryption gateways. You don't want to tie up your gateway with all the
> > processing and memory usage that VPN devices require. CheckPoint seems to
> > have built a client-to-site VPN that is designed to reduce some of the
> > performance hit on the firewall. What you end up with, I think, is a kind of
> > security "lite." A little less data security (especially if you make
> > topology requests available to anybody with the SecuRemote client software).
>
> There used to be a time when you could get FWZ but there was no IKE, or you
> would have to fill in silly export forms. Hence the existence of FWZ out in
> the field.
>

Moreover, external authentication (for example SecurID) does NOT work with IKE, but works with FWZ, so many people have to use the weaker FWZ1 or DES encryption to get stronger authentication.

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
This archive was generated by hypermail 2b30 : Tue Jul 24 2001 - 12:08:15 PDT