Hi folks,
Although Omnes is a FireWall-1 reseller, this answer is a personal
opinion and not an advertisement for FW-1.
I would appreciate comments.
>Are there any firewalls, that would allow building secure virtual private
>networks (VPN) and be available in Europe?
>
>Most of the firewalls are made or shipped from the USA, which means the
>encryption they use is weak and easily breakable. No encryption software
>that is actually strong is allowed to be exported from the US, that's a fact.
>And I don't believe this will change in the coming years.
>
>This is especially bad with Firewall-1, which uses a proprietary algorithm,
>FWZ1, on which they do not want to give any details. And as the key size
>is 48 bits, I don't believe it is secure enough for places where you
>want to be really certain what you are doing. Although the Firewall-1 VPN
>solution is otherwise a very nice product, this weak encryption makes it
>unusable. This also applies to all the other firewall products that come
>from the US. So are there some non-US tunneling products that we could use?
>Juri Kaljundi
The key length of the encryption algorithm used in FWZ1 is 48 bits.
I can see drawbacks of proprietary encryption algorithms, especially
unpublished ones, but:
IMHO the key length is not the only way to assess the
security of a transaction. Let me give you two arguments:
1- Using a 64-bit DES key is certainly more difficult to attack than a
40-bit DES key, but it is safer to use a 40-bit key changing in each transaction
than using a 64-bit key that does not change, because you give more
time to the hacker to attack the algorithm.
So this means that to be efficient, the key needs to be constantly changing.
2- However, in all private-key encryption algorithms both sender and receiver
need to agree on the same key before any encryption (the same key will
be used to encrypt and decrypt), so no matter how long the key is, if the
hacker succeeds in getting the key, he can decrypt all the traffic. (Obvious,
isn't it?)
==> we need another secure way to convey the key to the recipient.
So, the "challenge" would be to change the key constantly and
transmit it "securely".
With Firewall-1, it is true that FWZ1 with a
48-bit key (or DES 56) might not be the best algorithm,
but the key is constantly
changing (actually each session has its own key generated by the
Diffie-Hellman (D-H) key management algorithm, and each packet key
is a combination of the session key and the packet header => so each
packet uses a different key, making it very difficult to attack).
Again, both ends agree on the encryption key with the Diffie-Hellman
public algorithm used for key management (512-bit key length).
The pair (g, p) of D-H is public and common to the sender and receiver;
the D-H algorithm is used to generate the session keys.
Now, to secure against the third-party attack on D-H, Firewall-1 uses
RSA 512 to produce digital signatures (management station or
external party acting as a certificate authority).
Regards
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Nassim Chaabouni                          Chaabouni@houston.omnes.net
Network Security Consultant. Telephone: (713) 513-3237
Omnes Fax: (713) 513-3126
_____________________________________________________
OMNES - A Schlumberger and Cable & Wireless Company
http://www.houston.omnes.net/
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
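An added example, not FireWall-1 or FWZ1 code, of the mechanism Nassim describes: each session gets its own key from a Diffie-Hellman exchange, each packet key is a function of the session key and the packet header, and the D-H values are signed (RSA) so that a third party cannot substitute his own. The RSA key generation, the 2^521-1 modulus, the HMAC-SHA256 packet-key derivation, the SHA-256 keystream cipher and the six-byte packet header are all stand-ins chosen so the example runs with the Python standard library (3.8 or later), and the sample payload is constructed. How the gateways' RSA public keys were certified (management station or outside CA, as in the post) is outside the example: both sides start already holding each other's RSA public key.

```python
# Added example, not FireWall-1 or FWZ1 code: a signed Diffie-Hellman session-key
# exchange, a per-packet key derived from the session key and the packet header, and
# the signature check that rejects a third party who swaps in his own D-H value.
# Assumed stand-ins: textbook RSA over SHA-256 (signatures), the Mersenne prime
# 2^521-1 (D-H modulus), HMAC-SHA256 (per-packet key), SHA-256 keystream (cipher).
import hashlib
import hmac
import secrets

P = 2**521 - 1  # Mersenne prime, near the 512-bit D-H group the post mentions
G = 3           # not 2: 2 has order 521 mod 2^521-1, a uselessly small subgroup

def is_probable_prime(n, rounds=32):
    """Miller-Rabin, used only to build the toy RSA keys."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        # the base is a witness of compositeness unless the chain x, x^2, ... reaches n-1
        if x not in (1, n - 1) and not any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            return False
    return True

def rsa_keygen(bits=512):
    """Toy RSA: ((e, n), (d, n)). Certifying the public keys is out of scope here."""
    e, primes = 65537, []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # exact length, odd
        if c not in primes and (c - 1) % e and is_probable_prime(c):  # e prime => gcd(e, phi) == 1
            primes.append(c)
    p, q = primes
    return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)  # pow(e, -1, m) needs Python 3.8+

def rsa_sign(priv, msg):
    return pow(int.from_bytes(hashlib.sha256(msg).digest(), "big"), priv[0], priv[1])

def rsa_verify(pub, msg, sig):
    return pow(sig, pub[0], pub[1]) == int.from_bytes(hashlib.sha256(msg).digest(), "big")

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)

def signed_dh_offer(rsa_priv, dh_pub):
    """What one gateway sends: its D-H value plus a signature over it (66 bytes hold any value < P)."""
    return dh_pub, rsa_sign(rsa_priv, dh_pub.to_bytes(66, "big"))

def accept_dh_offer(peer_rsa_pub, offer):
    """Refuse a D-H value not signed by the expected peer: the anti-man-in-the-middle step."""
    dh_pub, sig = offer
    if not (1 < dh_pub < P - 1) or not rsa_verify(peer_rsa_pub, dh_pub.to_bytes(66, "big"), sig):
        raise ValueError("D-H value is not signed by the expected peer")
    return dh_pub

def session_key(my_dh_priv, peer_dh_pub):
    return hashlib.sha256(pow(peer_dh_pub, my_dh_priv, P).to_bytes(66, "big")).digest()

def packet_key(sess_key, header):
    """Per-packet key = f(session key, packet header), so every packet encrypts differently."""
    return hmac.new(sess_key, header, hashlib.sha256).digest()

def keystream(key, length):
    blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(0, length, 32))
    return b"".join(blocks)[:length]

def encrypt_packet(sess_key, seq, payload):
    header = seq.to_bytes(4, "big") + len(payload).to_bytes(2, "big")  # travels in clear
    ks = keystream(packet_key(sess_key, header), len(payload))
    return header + bytes(a ^ b for a, b in zip(payload, ks))

def decrypt_packet(sess_key, packet):
    header, body = packet[:6], packet[6:]
    return bytes(a ^ b for a, b in zip(body, keystream(packet_key(sess_key, header), len(body))))

def run_exchange():
    """Two gateways holding each other's RSA public keys; then an attacker tries to cut in."""
    (a_pub, a_priv), (b_pub, b_priv) = rsa_keygen(), rsa_keygen()
    (ax, aX), (bx, bX) = dh_keypair(), dh_keypair()
    ka = session_key(ax, accept_dh_offer(b_pub, signed_dh_offer(b_priv, bX)))
    kb = session_key(bx, accept_dh_offer(a_pub, signed_dh_offer(a_priv, aX)))
    msg = b"GET /index.html"  # constructed sample payload, sent twice
    p1, p2 = encrypt_packet(ka, 1, msg), encrypt_packet(ka, 2, msg)
    _, eX = dh_keypair()  # the attacker's value; he can only replay A's signature over aX
    try:
        accept_dh_offer(a_pub, (eX, signed_dh_offer(a_priv, aX)[1]))
        mitm_rejected = False
    except ValueError:
        mitm_rejected = True
    return {"keys_match": ka == kb, "roundtrip": decrypt_packet(kb, p1) == msg,
            "packet_keys_differ": p1[6:] != p2[6:], "mitm_rejected": mitm_rejected}

if __name__ == "__main__":
    print(run_exchange())
```

Run it and the dictionary prints four True values. Two things to take from the example: the signature check on the D-H value is what protects the exchange against an active third party (a passive eavesdropper is still left with the discrete logarithm in the group), and the per-packet key gives each packet a different keystream but adds no strength beyond the session key, since anyone holding the session key derives every packet key from the cleartext header.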