Actually, since 4.1 SP-3 the use of Hybrid IKE mode has worked fairly well.
SP-4 fixes some of the outstanding problems and it is now possible to use
strongly-authenticated SecuRemote sessions with IKE encryption and key
exchange.
Steve
-----Original Message-----
From: Mariusz Woloszyn [mailto:[EMAIL PROTECTED]]
Sent: 24 July 2001 12:07
To: Hugo van der Kooij
Cc: [EMAIL PROTECTED]
Subject: RE: Firewall-1 Information leak
On Mon, 23 Jul 2001, Hugo van der Kooij wrote:
> > Why might anybody use FWZ (CheckPoint's propriatary encryption scheme),
> > rather than IKE? It's inherently less secure, as it can't use IPSec
tunnel
> > mode. As I see it, there's a genaral problem with using firewalls for
> > encryption gateways. You don't want to tie up your gateway with all the
> > processing and memory usage that VPN devices require. CheckPoint seems
to
> > have built a client-to-site VPN that is designed to reduce some of the
> > performace hit on the firewall. What you end up with, I think, is a kind
of
> > security "lite." A little less data security (especially if you make
> > topology requests available to anybody with the SecuRemote client
software).
>
> There used to be a time when you could get FWZ but there was no IKE or you
> would have to fill silly export forms. Hence the existance of FWZ out in
> the field.
>
Moreover external authentication (for example SecureID) does NOT work with
IKE, but works with FWZ, so many people has to use weaker FWZ1
or DES encryption for stronger authentication.
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners
