Currently the only encryption option to *fully* support SecurID is FWZ.
Hybrid IKE is a big improvement over the older IKE, but it has issues with
some of the "features" that SecurID has (things like Next Token Code). You
can use the authentication server on port 259 to work around this, but
good luck teaching your users when/how to use it. Unless you're
really concerned with the shorter key length used in FWZ or the
algorithm's overall security, you're better off using that instead of
Hybrid IKE IMHO.
--
Aaron Turner [EMAIL PROTECTED] 650.237.0300 x252
Security Engineer Vicinity Corp.
Cell: 408-314-9874 http://www.vicinity.com
On Fri, 14 Jul 2000 [EMAIL PROTECTED] wrote:
>
> How about hybrid mode auth with IKE? Available in 4.1
>
> Thomas Poole
>
> -----Original Message-----
> From: Aylton Souza [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, July 13, 2000 10:15 PM
> To: Martin, Andy; Fw-1-Mailinglist (E-mail)
> Subject: Re: [FW1] Secure Remote & Secure ID
>
>
>
> Martin,
>
> IKE only supports authentication using pre-shared secret or certificates.
>
> To rely on ACE/Securid auth., you must use FWZ.
>
> Best wishes
>
>
> Aylton
>
> -----Original Message-----
> From: Martin, Andy <[EMAIL PROTECTED]>
> To: Fw-1-Mailinglist (E-mail) <[EMAIL PROTECTED]>
> Date: Tuesday, 11 July 2000 07:07
> Subject: RE: [FW1] Secure Remote & Secure ID
>
>
> >
> >Hiya,
> >
> >Cheers for that Tim. CP 2000 looks like it should be the way forward for us
> >but I have 10 remote modules and it causes a few headaches trying to do the
> >migration :-).
> >
> >I have narrowed the problem down to the FWZ encryption settings or keys on
> >the Firewall. ISAKMP works fine with a pre-shared secret whereas FWZ does
> >not even with a Firewall Internal Password. I've checked that both sets of
> >keys are created and that the user defined can authenticate with a telnet
> >to port 259. Sumfinks B0rk3d big time.
> >
> >I am running FW1 VPN Version 4 sp 6 with the secure remote client release
> >4005.
> >
> >Any Ideas ??
> >
> >Cheers
> >
> >Andy
> >
> >-----Original Message-----
> >From: Frost, Timothy E [mailto:[EMAIL PROTECTED]]
> >Sent: 10 July 2000 23:43
> >To: 'Martin, Andy'; Fw-1-Mailinglist (E-mail)
> >Subject: RE: [FW1] Secure Remote & Secure ID
> >
> >
> >Andy,
> >
> >You won't get SecurID (or anything other than shared secrets or PKI
> >Certificates) working with IKE unless you have ALL OF the following:
> >1: CP2000 on the firewall (and the management station, if that is separate)
> >2: Hybrid mode set up, as per pages 21-24 of the Getting Started Guide
> >(create the Internal CA, generate the firewall certificates, and enable
> >hybrid mode on the IKE encryption for the firewall).
> >
> >When I was testing, I found that you ALSO have to have FWZ enabled, and the
> >FWZ CA and DH keys generated, because otherwise SR 4157 will report an error
> >when you add/update the site. The error message is
> >
> >Error: Site <management station> says that it is not a Certificate
> >Authority. Check whether you have the right IP address for <management
> >station>, and check with the FW-1 system manager there whether <management
> >station> is indeed a FW-1 control station.
> >
> >
> >
> >
> >
> >Tim
> >--
> >Timothy Frost mailto:[EMAIL PROTECTED]
> >EDS New Zealand Fax: +64-4-495-0473
> >8 Gilmer Terrace Phone: +64-4-495-0504
> >P O Box 3647
> >Wellington
> >New Zealand
> >
> >> -----Original Message-----
> >> From: Martin, Andy [SMTP:[EMAIL PROTECTED]]
> >> Sent: Tuesday, July 11, 2000 2:49 AM
> >> To: Fw-1-Mailinglist (E-mail)
> >> Subject: [FW1] Secure Remote & Secure ID
> >>
> >>
> >> Hiya,
> >>
> >> I have an issue with secure remote authenticating with secure ID tokens.
> >> The authentication works fine when I use Client or User Authentication on
> >> the rule but when I swap it out for Client Encrypt the Secure Remote client
> >> says that the site at xxx.xxx.xxx.xxx does not like my password. The
> >> Firewall Log says Topology Download Request Refused: User not defined
> >> properly. If I swap the encryption scheme to ISAKMP and use a pre-shared
> >> secret it works loverly.
> >>
> >>
> >> Cheers
> >>
> >> Andy
> >> **********************************************************************
> >> This email and any files transmitted with it are confidential and
> >> intended solely for the use of the individual or entity to whom they
> >> are addressed. If you have received this email in error please notify
> >> the sender immediately.
> >>
> >> This footnote also confirms that this email message has been swept for
> >> the presence of computer viruses.
> >> **********************************************************************
> >>
> >>
> >>
> >> ================================================================================
> >> To unsubscribe from this mailing list, please see the instructions at
> >> http://www.checkpoint.com/services/mailing.html
> >> ================================================================================