This is yet another re-send (3rd attempt). My earlier mail (II/II)
was sent 40 minutes after I/II. I checked with my ISP and they say
they have had no problems. I have sent & received mails to other
organizations & lists and have had no major problems. I've troubleshot
this as far as I can from here, but it appears (so far) that the only
common denominator is the firewalls mailserver. Hopefully the problem
(where ever it is will be cleaned up soon).
Meanwhile, back at the ranch.... 8^)
Continuing from Part I/II:
>>o Checkpoint came out and stated that proxies were bad and
>> that SMLI (pronounced "smelly" - IMHO, appropriate somehow)
>> 8^) is much better than proxies. I find it interesting
>> that Checkpoint uses "security servers" (which the rest of
>> us mere mortals call proxies) as this is an apparent reversal
>> of their previous position. If proxies were not secure as
>> Checkpoint previously indicated, then why do they are they
>> on the firewall now?
>I haven't done the necessary research to determine whether
>the security servers are more like proxies or more like SPFs,
>so I can't really comment.
I'm sorry. I was out of line on the "smelly" part. (The
combination of the pronunciation of SMLI & my displeasure
with Checkpoint's application of it were too much to resist).
At least they realized the wisdom of the pronunciation of
their SMLI acronym and now refer to it as SPF (Stateful
>> Packet Filter <<) which I think is more descriptive of
what it *really* is.
Anyway, I *did* do the research. One reference about security
servers being proxies is contained in the NSA's report on page 56/98:
"The Checkpoint Firewall-1 firewall is equipped
to perform rule base filtering based on the protocol
itself with the Stateful Packet Inspection / Filtering
or with a proxy which Checkpoint calls a Security Server."
>>o The only common encryption algorithm used in
>> User->Firewall & Firewall-> Firewall encryption is
>> their own (PROPRIETARY) FWZ1 encryption algorithm.
>Uh, wrong. They support DES and whichever SKIP protocols
>you like. US only, of course.
I think you misunderstood me. The operative word in my sentence
above is "common". I meant common to *both* User->Firewall *AND*
Firewall->Firewall VPN connections.
>>To my knowledge, the source code to FWZ1 has *not*
>>been published, nor has it been subjected to a peer
>>review of expert cryptographers. And this from a
>>company which is supposed to provide security?
>>Bah Humbug. Any beginning InfoSec Analyst knows
>>that proprietary encryption algorithms should be
>>avoided like the plague. Only encryption algorithms
>>which have been published and reviewed by expert
>>cryptographers should be used. If the algorithm
>>hasn't been published and reviewed by expert
>>cryptographers, then how do we know it is strong
>>enough & that there are no backdoors into it???
>>In the past, several companies would claim to
>>have a secure (homegrown) encryption algorithm and
>>would post a challenge to the cypherpunks mailing
>>list for someone to crack it. If they were to do
>>so, they would sell their company for $1.00.
>>2-3 days later, someone would crack the supposedly
>>unbreakable algorithm and state that the company
>>can keep their dollar.
>All true. That's why I have the DES version.
Bingo. If you're aware of this fundamental principle of good
crypto, don't you think that Checkpoint is aware of this also?
- Particularly since they designed a couple of VPN solutions
into it? I'll give them the benefit of a doubt and assume
this was an oversight and not deliberately designed into the
product. Assuming they're smart and have no ulterior motives,
they'll probably drop FWZ1. They don't need it and it
destroy(s/ed) their credibility in the security arena.
Out of curiosity, why is Checkpoint being evaluated by the NSA?
One requirement for entrance into the MISSI club is that the
product must be integrated with FORTEZZA. FORTEZZA is a
PCMCIA card with extensive authentication/encryption/signature
capabilities. FWIW, I think FORTEZZA is a little ahead of
its time. At some point in the next couple of years, a
FORTEZZA-like product will be a standard & will probably
be very widely used. Right now, it's a little expensive,
and I don't think that society is willing to absorb this
cost, but in large quantities, the price could come down
and it would be a VERY attractive option. But I digress...
Perhaps I'm missing something, but I didn't know that
Checkpoint had their own FORTEZZA solution. If this is
the case, then either the NSA has dropped this requirement
(hopefully not), or Checkpoint is using someone else's VPN
solution. I don't know, but the secure VPN solution from
V-ONE (their SmartGate VPN Server integrates on a number
of vendor's firewalls) is a likely bet.
If the long chain of IFs above is accurate, I find it pretty
ironic that Checkpoint has to use someone else's VPN solution
to get looked at by the NSA. Speaks volumes, doesn't it?
I'll send IIb in 1 hour after this message is sent.
The opinions of the author of this mail may not necessarily be
representative of the opinions of Fortifed Networks, Inc.
(c) Fortified Networks, Inc. - http://www.fortified.com/
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800 Fax: (317) 573-0817