1) No, you have to buy the DEZ module (*Note, depending on the data, you
could run SSL from the server through the DEZ on the firewall for an added
layer*)
2) Any web browser that will use IPSEC
3) I believe the authentication on the firewall is more secure (use of
public/private keys), whereas NT security can be broken rather easily.
4) No, but using the NT security within that framework would be an added
level of security if needed, as well as using some form of pptp (Other than
Microsoft's pptp, as I hear it's not too good).
5) Good question, I'd like an answer to this one as well, anyone?
6) I believe they are encrypted (So we've been told), we were sending files
https for a while and had no problems with it.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 15, 1999 9:08 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: NT/Firewall-1 Elementary Questions
Hi all!
Looking for some advice/assistance with Firewall-1.
Platform: NT
Questions re: Authentication, Encryption
Scenario:
We are about to install Firewall-1 to protect an extranet server and our
internal network. The web server will be in a DMZ, and we would like to
encrypt file transmissions to our clients. We would also like to be able to
authenticate clients. Our consultant has suggested authentication at the
firewall (as opposed to at the web server), using some system other than NT
Security. He has also suggested using Checkpoint's encryption capabilities
(as opposed to SSL), and he says that (to a 'limited' extent) those
capabilities are included in the basic Firewall-1 product. He also indicates
that this would make SSL unnecessary and would allow us to do any sort of
communications (e.g., FTP) in an encrypted environment.
I have several questions about this configuration.
1. Is any sort of encryption included with the 'basic' Firewall-1 license?
(I have not been able to find much information on the Checkpoint site other
than that they have an encryption module, although I have not done an
extensive search.)
2. If encryption is included (and it is not SSL), what is necessary at the
client level to use this encryption?
3. Does the idea of forsaking NT security for authentication at the firewall
make sense, i.e., is that route SIGNIFICANTLY more secure? (I am not talking
here about using SecurID or some other token mechanism, although that is a
future option.)
4. Does authentication at the firewall (with Checkpoint) limit our
flexibility in controlling access to specific resources? (I know we could
always impose NT security on top of firewall authentication, but it would
add to the 'client burden' and also to the administrative headaches.)
5. Does anyone know of specific NT products which will allow encryption of
FTP transfers? (I have searched with little success.)
6. One of the options I am considering is setting up an 'FTP-like' directory
where files would be listed and the clients could then click on them to
view/download them. If this particular directory were set up to require
HTTPS, would that result in encrypted file transfers? (I am disregarding the
issue of HTTPS performance vs. FTP, so please don't tell me it would be
slower to do it that way.) I have enabled a 'test' directory on one server
and required the use of HTTPS to hit that directory. It works as I suspected
(i.e., the directory can't be accessed using HTTP), but I am not sure
whether this ensures that files accessed from this page would be transferred
encrypted.
A lot of questions here, and I sincerely appreciate any constructive input.
These lists are great resources, and I hope these questions will also be
useful to other 'fledgling' security people.
Thanks and regards to all,
Tom
==============================================
The opinions contained herein are mine and mine alone.
==============================================
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]