Bugtraq mailing list archives

RE: Firewall-1 Information leak

From: Mariusz Woloszyn <emsi () ipartners pl>
Date: Tue, 24 Jul 2001 13:07:23 +0200 (EEST)

On Mon, 23 Jul 2001, Hugo van der Kooij wrote:

Why might anybody use FWZ (CheckPoint's propriatary encryption scheme),
rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
mode. As I see it, there's a genaral problem with using firewalls for
encryption gateways. You don't want to tie up your gateway with all the
processing and memory usage that VPN devices require. CheckPoint seems to
have built a client-to-site VPN that is designed to reduce some of the
performace hit on the firewall. What you end up with, I think, is a kind of
security "lite." A little less data security (especially if you make
topology requests available to anybody with the SecuRemote client software).


There used to be a time when you could get FWZ but there was no IKE or you
would have to fill silly export forms. Hence the existance of FWZ out in
the field.

Moreover external authentication (for example SecureID) does NOT work with
IKE, but works with FWZ, so many people has to use weaker FWZ1
or DES encryption for stronger authentication.

--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners

Current thread:

Firewall-1 Information leak Haroon Meer (Jul 17)
- RE: Firewall-1 Information leak Lars Troen (Jul 18)
- Re: Firewall-1 Information leak Bugtraq Account (Jul 19)
- <Possible follow-ups>
- Re: Firewall-1 Information leak Christian Herb (Jul 18)
- RE: Firewall-1 Information leak David Sexton (Jul 20)
- RE: Firewall-1 Information leak MALIN, ALEX (PB) (Jul 23)
  - RE: Firewall-1 Information leak Hugo van der Kooij (Jul 23)
    - RE: Firewall-1 Information leak Mariusz Woloszyn (Jul 24)
    - RE: Firewall-1 Information leak Stephen JT Bourike (Jul 24)
    - Re: Firewall-1 Information leak Grzegorz Mucha (Jul 25)