Hi Ben,

All the users that are going to use IPSec are notebook users that occasionally travel abroad. The rest of the time they are connected to the network via the WAN. The main reason for using IPSec is to synchronise their Outlook with the Exchange server via a dialup connection to the internet.
The reason for posting the question was to find out if there is any known reason why the Netscreen firewall cannot create the key using a predefined password. What the Netscreen does is only create a 32-byte key and not a 48-byte key. Thanks for the input.

-----Original Message-----
From: Ben Nagy [mailto:[EMAIL PROTECTED]]
Sent: 11 January 2002 09:17
To: Warren van Eyssen; 'Firewalls (E-mail) (E-mail)'
Subject: RE: Netscreen 5xp 3Des Keys

Are you sure you want to use manual keying? Especially with 3DES, which is one of the most secure IPSec choices if used correctly?

I may be falling victim to some Netscreen terminology blunder, but "Manual Keying" normally means that the actual keys used by the ESP and AH encryption algorithms (3DES in your case) are fixed manually at each end. This is bad, since there will be no re-keying, ever, and you'd need to have a way of transferring the keys to each site so that they can be typed in, and then arrange for some sort of key-change schedule; otherwise you'll end up sending all your data under one key. This is both fragile and possibly insecure, depending on how much of the differential analysis stuff you buy into for DES.

Note that manual keying isn't the same as "pre-shared keys", which are used to generate keys that are used in IKE (Internet Key Exchange protocol), which then takes care of all the keying, re-keying and associated issues for both ESP and AH, in a secure manner. In a good IPSec setup the keys are changed (by IKE) regularly, and the negotiation phase of IKE would use either digital signatures or one of the public key modes. My _personal_ favourite is probably using "RSA encrypted nonces" with large (1024+) keys, or digital sigs with a self-maintained CA.

The long and the short of it is that manual keying is really only for testing purposes or for EXTREMELY hardcore crypto freaks who have a super secure out-of-band key exchange protocol, with associated rotation and re-keying regimes.

If you know all this, and you're actually implying that you mistrust IKE for some reason, please let me know, because I'd be very interested in any discussion suggesting that it is flawed. If none of this made any sense, then let me know and I'll be less terse!

Cheers,

--
Ben Nagy
Network Security Specialist
Mb: +61 414 411 520
PGP Key ID: 0x1A86E304

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On Behalf Of Warren van Eyssen
> Sent: Friday, January 11, 2002 5:17 PM
> To: Firewalls (E-mail) (E-mail)
> Subject: Netscreen 5xp 3Des Keys
>
>
> Hi All,
>
> Can anybody help with the following problem
> I have a Netscreen 5xp OS Ver 3.0.0r1.0
> I want to use 3Des-CBC Manual Key encryption[...]

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
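The distinction Ben draws above, between a manual ESP key that is typed in once and used for every packet, and a pre-shared key that only seeds IKE's own key derivation, worked through as an added example. This is not code from the thread and not Netscreen's implementation; it follows the IKEv1 derivation of RFC 2409 (SKEYID from the PSK and the two nonces, SKEYID_d from the Diffie-Hellman result, then quick-mode KEYMAT expanded by iterating the prf) with HMAC-SHA1 as the prf and a toy Diffie-Hellman group that is far too small for real use. The manual-key side assumes the key is entered as hex, in which case a 3-key 3DES-CBC key is 24 bytes, or 48 hex characters, and a 32-hex-character value is only 16 bytes; whether that is what Warren's Netscreen is producing is not something the thread establishes. The pre-shared key and all nonces are constructed sample values.

```python
"""Added example: IKEv1 (RFC 2409) key derivation from a pre-shared key versus
a fixed manual ESP key.  Not Netscreen code.  Toy DH group, not for real use."""
import hashlib
import hmac
import os
import secrets


# IKEv1 prf with a SHA-1 hash is HMAC-SHA1 (RFC 2409 section 3.2).
def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


# Toy Diffie-Hellman group over a 127-bit Mersenne prime, only so the exchange
# runs offline.  Real IKE uses the MODP groups of RFC 2409 or larger.
TOY_P = 2**127 - 1
TOY_G = 2


def toy_dh_keypair():
    x = secrets.randbelow(TOY_P - 2) + 1
    return x, pow(TOY_G, x, TOY_P)


def toy_dh_shared(x: int, gy: int) -> bytes:
    return pow(gy, x, TOY_P).to_bytes(16, "big")


def ike_phase1_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """Phase 1 with pre-shared-key authentication (RFC 2409 section 5.4).
    The PSK never becomes a traffic key: it only seeds SKEYID, which is then
    mixed with the fresh nonces, cookies and the DH result."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return skeyid_d, skeyid_a, skeyid_e


def quick_mode_keymat(skeyid_d, protocol, spi, ni, nr, length):
    """Phase 2 KEYMAT without PFS (RFC 2409 section 5.5):
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b),
    Kn = prf(SKEYID_d, K(n-1) | protocol | SPI | Ni_b | Nr_b),
    KEYMAT = K1 | K2 | ... truncated to the length the SA needs."""
    block = prf(skeyid_d, protocol + spi + ni + nr)
    keymat = block
    while len(keymat) < length:
        block = prf(skeyid_d, block + protocol + spi + ni + nr)
        keymat += block
    return keymat[:length]


ESP_PROTOCOL = b"\x03"     # protocol identifier for ESP in the KEYMAT derivation
TDES_KEY_LEN = 24          # 3DES-CBC: 192 bits including parity bits (RFC 2451)
HMAC_SHA1_KEY_LEN = 20     # HMAC-SHA1-96 authenticator key (RFC 2404)


def negotiate_esp_keys(psk):
    """One complete IKE run: fresh cookies, nonces and DH values, so a new
    3DES key and a new HMAC key come out every time, although the PSK is
    constant.  Both peers are simulated here and must agree on g^xy."""
    cky_i, cky_r = os.urandom(8), os.urandom(8)
    ni, nr = os.urandom(16), os.urandom(16)
    xi, gxi = toy_dh_keypair()
    xr, gxr = toy_dh_keypair()
    gxy_i = toy_dh_shared(xi, gxr)   # initiator: own secret, responder's public value
    gxy_r = toy_dh_shared(xr, gxi)   # responder: own secret, initiator's public value
    assert gxy_i == gxy_r
    skeyid_d, _, _ = ike_phase1_keys(psk, ni, nr, gxy_i, cky_i, cky_r)
    qni, qnr, spi = os.urandom(16), os.urandom(16), os.urandom(4)
    keymat = quick_mode_keymat(skeyid_d, ESP_PROTOCOL, spi, qni, qnr,
                               TDES_KEY_LEN + HMAC_SHA1_KEY_LEN)
    return keymat[:TDES_KEY_LEN], keymat[TDES_KEY_LEN:]


def manual_3des_key(hex_key):
    """Manual keying: the operator types the ESP key itself, and it is used
    unchanged for every packet until a new one is retyped at both ends."""
    key = bytes.fromhex(hex_key)
    if len(key) != TDES_KEY_LEN:
        raise ValueError(f"3DES-CBC needs {TDES_KEY_LEN} bytes "
                         f"({2 * TDES_KEY_LEN} hex chars), got {len(key)}")
    return key


if __name__ == "__main__":
    psk = b"correct horse battery staple"   # constructed sample pre-shared key
    k1, _ = negotiate_esp_keys(psk)
    k2, _ = negotiate_esp_keys(psk)
    print("IKE run 1 ESP key:", k1.hex())
    print("IKE run 2 ESP key:", k2.hex(), "(same PSK, different key)")
    print("manual 48-hex key:", manual_3des_key("00" * 24).hex())
    try:
        manual_3des_key("00" * 16)          # 32 hex chars is only 16 bytes
    except ValueError as e:
        print("manual 32-hex key:", e)
```

The point to take from running it is that the pre-shared key is an authentication secret: it is never placed on the wire or used to encrypt traffic, and every negotiation yields different ESP keys from the same PSK, so SA lifetimes give the re-keying Ben describes for free. The manual key, by contrast, is the traffic key itself, so its strength rests entirely on how it was generated, how it was carried to each end, and how often someone remembers to replace it.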
