> Part IIa/II
Received at 4:35 a.m. 4/11/98 Pacific time.
>Continuing from Part I/II:
>Anyway, I *did* do the research. One reference about security
>servers being proxies is contained in the NSA's report on page 56/98:
> "The Checkpoint Firewall-1 firewall is equipped
> to perform rule base filtering based on the protocol
> itself with the Stateful Packet Inspection / Filtering
> or with a proxy which Checkpoint calls a Security Server."
This doesn't indicate that they've done any code analysis to
determine how they work. I was trying to bring up the fact that
they might not be as much like traditional proxies (Albeit
transparent ones) as one might assume. Since the
question has come up before about Checkpoint's programming
practices, this might not be in their favor.
>>Uh, wrong. They support DES and whichever SKIP protocols
>>you like. US only, of course.
>I think you misunderstood me. The operative word in my sentence
>above is "common". I meant common to *both* User->Firewall *AND*
>Firewall->Firewall VPN connections.
I've only done VPN with FW1, using both FWZ1 and DES. Haven't
personally done FW1->FW1. I've spoken/mailed others who have done
FW1->FW1 with SKIP. Which one are you claiming doesn't work?
>>All true. That's why I have the DES version.
>Bingo. If you're aware of this fundamental principle of good
>crypto, don't you think that Checkpoint is aware of this also?
>- Particularly since they designed a couple of VPN solutions
>into it? I'll give them the benefit of a doubt and assume
>this was an oversight and not deliberately designed into the
>product. Assuming they're smart and have no ulterior motives,
>they'll probably drop FWZ1. They don't need it and it
>destroy(s/ed) their credibility in the security arena.
My understanding is that they "need" it for US export.. that's their
marketing anyway. I'd rather see them apply for 56bit DES
export and dump FWZ1. Since they are an Israel-based company,
I'm not sure why the export problem, perhaps they do too much coding in
the US. Perhaps that affects their export application. I don't know what
Israel export restrictions are, if any.
>Out of curiosity, why is Checkpoint being evaluated by the NSA?
>One requirement for entrance into the MISSI club is that the
>product must be integrated with FORTEZZA. FORTEZZA is a
>PCMCIA card with extensive authentication/encryption/signature
>capabilities. FWIW, I think FORTEZZA is a little ahead of
>its time. At some point in the next couple of years, a
>FORTEZZA-like product will be a standard & will probably
>be very widely used. Right now, it's a little expensive,
>and I don't think that society is willing to absorb this
>cost, but in large quantities, the price could come down
>and it would be a VERY attractive option. But I digress...
>Perhaps I'm missing something, but I didn't know that
>Checkpoint had their own FORTEZZA solution. If this is
>the case, then either the NSA has dropped this requirement
>(hopefully not), or Checkpoint is using someone else's VPN
>solution. I don't know, but the secure VPN solution from
>V-ONE (their SmartGate VPN Server integrates on a number
>of vendor's firewalls) is a likely bet.
I don't know anything about any FORTEZZA plans. I'd just
as soon do without it, thanks.
>If the long chain of IFs above is accurate, I find it pretty
>ironic that Checkpoint has to use someone else's VPN solution
>to get looked at by the NSA. Speaks volumes, doesn't it?
Well, as you say, many IFs.. but still, I wouldn't mind having
a choice of VPN clients. The Checkpoint client has a
couple of features missing that make it not usable for
Received: from tunnel.sybase.com ([220.127.116.11]) by ibwest.sybase.com
(Lotus SMTP MTA v4.6.1 (569.2 2-6-1998)) with SMTP id 882565E3.0047C26B;
Sat, 11 Apr 1998 06:03:48 -0700
Received: from smtp1.sybase.com (smtp1 [18.104.22.168])
by tunnel.sybase.com (8.8.4/8.8.4) with SMTP
id GAA24441 for <Ryan_Russell @
tunnel-w>; Sat, 11 Apr 1998 06:02:45
Received: from halon.sybase.com by smtp1.sybase.com
id AA25075; Sat, 11 Apr 98 06:02:44 PDT
Received: from relay2.UU.NET (relay2.UU.NET [22.214.171.124])
by halon.sybase.com (8.8.4/8.8.4) with ESMTP
id GAA24591 for <Ryan .
com>; Sat, 11 Apr 1998 06:03:01
Received: from honor.greatcircle.com by relay2.UU.NET with ESMTP
(peer crosschecked as: honor.greatcircle.com [126.96.36.199])
id QQekql17697; Sat, 11 Apr 1998 08:49:52 -0400 (EDT)
Received: (majordom @
localhost) by honor.greatcircle.com
(8.8.5/Honor-Lists-970926-1) id EAA13515; Sat, 11 Apr 1998 04:31:18 -0700
Received: from su1.in.net (su1.in.net [188.8.131.52]) by
honor.greatcircle.com (8.8.5/Honor-980202-1) with ESMTP id EAA13506 for
com>; Sat, 11 Apr 1998 04:31:08 -0700 (PDT)
Received: from frankw.in.net (pm5-25.in.net [184.108.40.206]) by
su1.in.net (8.8.8/8.6.9) with SMTP id LAA08282 for
com>; Sat, 11 Apr 1998 11:34:27 GMT
Message-Id: <3 .
X-Sender: frankw @
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Sat, 11 Apr 1998 06:35:41 -0500
To: firewalls @
From: Frank Willoughby <frankw @
Subject: RE: socks versus fw-1 [Part IIa/II]
Content-Type: text/plain; charset="us-ascii"
Sender: firewalls-owner @