Great Circle Associates Firewalls
(April 1998)


Subject: RE: socks versus fw-1 [Part IIa/II]
From: "Ryan Russell" <ryanr @ sybase . com>
Date: Mon, 13 Apr 1998 10:02:34 -0700
To: Frank Willoughby <frankw @ in . net>
Cc: firewalls @ GreatCircle . COM

>                   Part IIa/II
Received at 4:35 a.m.  4/11/98 Pacific time.

>Continuing from Part I/II:

>Anyway, I *did* do the research.  One reference about security
>servers being proxies is contained in the NSA's report on page 56/98:
>  "The Checkpoint Firewall-1 firewall is equipped
>  to perform rule base filtering based on the protocol
>  itself with the Stateful Packet Inspection / Filtering
>  or with a proxy which Checkpoint calls a Security Server."

This doesn't indicate that they've done any code analysis to
determine how they work.  I was trying to bring up the fact that
they might not be as much like traditional proxies (albeit
transparent ones) as one might assume.  Since the
question has come up before about Checkpoint's programming
practices, this might not be in their favor.

>>Uh, wrong.  They support DES and whichever SKIP protocols
>>you like.  US only, of course.

>I think you misunderstood me.  The operative word in my sentence
>above is "common".  I meant common to *both* User->Firewall *AND*
>Firewall->Firewall VPN connections.

I've only done VPN with FW1, using both FWZ1 and DES.  Haven't
personally done FW1->FW1.  I've spoken/mailed others who have done
FW1->FW1 with SKIP.  Which one are you claiming doesn't work?

>>All true.  That's why I have the DES version.

>Bingo.  If you're aware of this fundamental principle of good
>crypto, don't you think that Checkpoint is aware of this also?
>- Particularly since they designed a couple of VPN solutions
>into it?  I'll give them the benefit of a doubt and assume
>this was an oversight and not deliberately designed into the
>product.  Assuming they're smart and have no ulterior motives,
>they'll probably drop FWZ1.  They don't need it and it
>destroy(s/ed) their credibility in the security arena.

My understanding is that they "need" it for US export... that's their
marketing anyway.  I'd rather see them apply for 56-bit DES
export and dump FWZ1.  Since they are an Israel-based company,
I'm not sure why the export problem; perhaps they do too much coding in
the US.  Perhaps that affects their export application.  I don't know what
Israel's export restrictions are, if any.

>Out of curiosity, why is Checkpoint being evaluated by the NSA?
>One requirement for entrance into the MISSI club is that the
>product must be integrated with FORTEZZA.  FORTEZZA is a
>PCMCIA card with extensive authentication/encryption/signature
>capabilities.  FWIW, I think FORTEZZA is a little ahead of
>its time.  At some point in the next couple of years, a
>FORTEZZA-like product will be a standard & will probably
>be very widely used.  Right now, it's a little expensive,
>and I don't think that society is willing to absorb this
>cost, but in large quantities, the price could come down
>and it would be a VERY attractive option.  But I digress...
>Perhaps I'm missing something, but I didn't know that
>Checkpoint had their own FORTEZZA solution.  If this is
>the case, then either the NSA has dropped this requirement
>(hopefully not), or Checkpoint is using someone else's VPN
>solution.  I don't know, but the secure VPN solution from
>V-ONE (their SmartGate VPN Server integrates on a number
>of vendor's firewalls) is a likely bet.

I don't know anything about any FORTEZZA plans.  I'd just
as soon do without it, thanks.

>If the long chain of IFs above is accurate, I find it pretty
>ironic that Checkpoint has to use someone else's VPN solution
>to get looked at by the NSA.  Speaks volumes, doesn't it?

Well, as you say, many IFs... but still, I wouldn't mind having
a choice of VPN clients.  The Checkpoint client has a
couple of features missing that make it not usable for

>Best Regards,


