On Mon, 23 Jul 2001, Hugo van der Kooij wrote:
> > Why might anybody use FWZ (CheckPoint's proprietary encryption scheme),
> > rather than IKE? It's inherently less secure, as it can't use IPSec tunnel
> > mode. As I see it, there's a general problem with using firewalls for
> > encryption gateways. You don't want to tie up your gateway with all the
> > processing and memory usage that VPN devices require. CheckPoint seems to
> > have built a client-to-site VPN that is designed to reduce some of the
> > performance hit on the firewall. What you end up with, I think, is a kind of
> > security "lite." A little less data security (especially if you make
> > topology requests available to anybody with the SecuRemote client software).
>
> There used to be a time when you could get FWZ but there was no IKE or you
> would have to fill silly export forms. Hence the existence of FWZ out in
> the field.
>
Moreover, external authentication (for example SecureID) does NOT work with
IKE, but works with FWZ, so many people have to use weaker FWZ1
or DES encryption for stronger authentication.
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners