I find the use of a proprietary, unpublished encryption algorithm for
administration really quite scary. See the Snake Oil FAQ
for some arguments against secret and unpublished ciphers.
Also, the function you want in a FW remote admin module is
authentication; encryption is useful for keeping your rules secret.
(I assume that they're not passing the password over the encrypted
link, since there is an obvious replay attack against the start of the
connection.) You really want to know that the entire connection is
the same one, and that no packet has been inserted, modified, or
deleted. This is the functionality that you get from the IPsec
Authentication Header. Encryption does not provide it.
Martin Khoo wrote:
| > |> Does anybody know whether the traffic between GUI Firewall
| > |> Management Client and Firewall Management
| > |> Server is encrypted or not?
| > I believe that if it's the VPN edition, the FW-1 traffic would then be
| > encrypted.
| Traffic between the GUI client and the Mgmt. server is encrypted (it has
| nothing to do with whether it is a VPN or non-VPN version) using
| Checkpoint's encryption algo. called FWZ1 (if I remember correctly)
"It is seldom that liberty of any kind is lost all at once."