Great Circle Associates Firewalls
(April 1998)


Subject: RE: socks versus fw-1 [Part IIa/II]
From: Frank Willoughby <frankw @ in . net>
Date: Tue, 14 Apr 1998 23:35:50 -0500
To: "Ryan Russell" <ryanr @ sybase . com>
Cc: firewalls @ GreatCircle . com
In-reply-to: <882565E5 . 005C3EDA . 00 @ gwwest . sybase . com>

Verily, at 10:02 AM 4/13/98 -0700, Ryan Russell did write:

>>                   Part IIa/II
>Received at 4:35 a.m.  4/11/98 Pacific time.
>>Continuing from Part I/II:
>>Anyway, I *did* do the research.  One reference about security
>>servers being proxies is contained in the NSA's report on page 56/98:
>>  "The Checkpoint Firewall-1 firewall is equipped
>>  to perform rule base filtering based on the protocol
>>  itself with the Stateful Packet Inspection / Filtering
>>  or with a proxy which Checkpoint calls a Security Server."
>This doesn't indicate that they've done any code analysis to
>determine how they work.  I was trying to bring up the fact that
>they might not be as much like traditional proxies (Albeit
>transparent ones) as one might assume.  Since the
>question has come up before about Checkpoint's programming
>practices, this might not be in their favor.

It is my understanding that the NSA works closely with 
the vendors during testing.  This helps to avoid potential 
misunderstandings about the product.  Since the NSA 
already mentioned in their report that they validate
vendor claims AND they have a vendor contact who is 
available during testing to field their questions,
then I must assume that their report is accurate.
Further, given who they are & the type of work they
do, I suspect that each word in the document was
carefully selected & reviewed before mere mortals
such as you or I were permitted to peruse its contents.

>>>Uh, wrong.  They support DES and whichever SKIP protocols
>>>you like.  US only, of course.
>>I think you misunderstood me.  The operative word in my sentence
>>above is "common".  I meant common to *both* User->Firewall *AND*
>>Firewall->Firewall VPN connections.
>I've only done VPN with FW1, using both FWZ1 and DES.  Haven't
>personally done FW1->FW1.  I've spoken/mailed others who have done
>FW1->FW1 with SKIP.  Which one are you claiming doesn't work?
>>>All true.  That's why I have the DES version.
>>Bingo.  If you're aware of this fundamental principle of good
>>crypto, don't you think that Checkpoint is aware of this also?
>>- Particularly since they designed a couple of VPN solutions
>>into it?  I'll give them the benefit of a doubt and assume
>>this was an oversight and not deliberately designed into the
>>product.  Assuming they're smart and have no ulterior motives,
>>they'll probably drop FWZ1.  They don't need it and it
>>destroy(s/ed) their credibility in the security arena.
>My understanding is that they "need" it for US export.. that's their
>marketing anyway.  I'd rather see them apply for 56bit DES
>export and dump FWZ1.  Since they are an Israel-based company,
>I'm not sure why the export problem, perhaps they do too much coding in
>the US.  Perhaps that affects their export application.  I don't know what
>Israel export restrictions are, if any.

Checkpoint needs FWZ1 for export like they need a hole in the head.
Since they're an Israeli company, they are subject to Israeli laws, 
not US laws.  It's my understanding (correct me if I am wrong) that
their US subsidiary (which *is* subject to US laws) is primarily a 
sales vehicle and that all (or almost all) engineering & R&D is
performed in Israel - not in the USA. In any event, I would venture
to say that FWZ1 was developed in Israel, not in the USA.  If this
is indeed the case, then there would be no need to worry about 
export issues since the country of its origin is outside the
USA anyway.

What I don't understand is why Checkpoint promotes the FWZ1
algorithm.  It's proprietary & it doesn't make sense from
a security point-of-view AT ALL.

>>Out of curiosity, why is Checkpoint being evaluated by the NSA?
>>One requirement for entrance into the MISSI club is that the
>>product must be integrated with FORTEZZA.  FORTEZZA is a
>>PCMCIA card with extensive authentication/encryption/signature
>>capabilities.  FWIW, I think FORTEZZA is a little ahead of
>>its time.  At some point in the next couple of years, a
>>FORTEZZA-like product will be a standard & will probably
>>be very widely used.  Right now, it's a little expensive,
>>and I don't think that society is willing to absorb this
>>cost, but in large quantities, the price could come down
>>and it would be a VERY attractive option.  But I digress...
>>Perhaps I'm missing something, but I didn't know that
>>Checkpoint had their own FORTEZZA solution.  If this is
>>the case, then either the NSA has dropped this requirement
>>(hopefully not), or Checkpoint is using someone else's VPN
>>solution.  I don't know, but the secure VPN solution from
>>V-ONE (their SmartGate VPN Server integrates on a number
>>of vendors' firewalls) is a likely bet.
>I don't know anything about any FORTEZZA plans.  I'd just
>as soon do without it, thanks.

To each his own.  I'm still curious to know if FORTEZZA
is still a requirement for a vendor to be tested for 
inclusion into MISSI.  If this is no longer a requirement,
then everyone & their brother will be banging on 
their doors to be tested.  Hmmm.  @70 firewalls on the
market x @ 1 firewall tested per year...... This could
take a year or two.  8^)

>>If the long chain of IFs above is accurate, I find it pretty
>>ironic that Checkpoint has to use someone else's VPN solution
>>to get looked at by the NSA.  Speaks volumes, doesn't it?
>Well, as you say, many IFs.. but still, I wouldn't mind having
>a choice of VPN clients.  The Checkpoint client has a
>couple of features missing that make it not usable for

Or for me.  Out of curiosity, what are the missing features?

Best Regards,


The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

(c) Fortified Networks, Inc. -
Home of the Free Internet Firewall Evaluation Checklist
Expert (vendor-neutral) Computer and Network Security Solutions
Phone: (317) 573-0800     Fax: (317) 573-0817
