On Fri, 20 Jun 1997 KMoore1824 @
> 1. My company has been looking for a fast, easy-to-administer firewall for
> some time now. We need to network about 40 offices and don't need a lot of
> administration overhead. We must have the capability of performing encryption
> (we might need more than DES now! ;-) between our offices and corporate hub if
> necessary. Also some of our sites are located in South America and Europe.
> We also need full NAT functionality (one to one, one to many, many to one, etc.
> etc.) as we may want to offer inbound services and some IP remapping at the
> remote sites.
Do you need to do a Virtual Private Network (VPN), or would simply secure
browsers at one site and secure servers at a second site work? If you
need a VPN, some firewalls support this, some do not.
> 2. Could you use something like Linux with the IPSec extensions in France?
Check with a French lawyer, but last I heard, anything strong enough to be
useful (even DES) is unlawful, which would include CAST-128 which is what
> 5. What about remote access (non-UDP)? Especially outside of the United
> States. Are there any clients that use more than DES encryption? How much
> more secure is 3DES than standard DES? We just want to secure POP, SMTP, HTTP,
> NNTP, FTP and Telnet. Should I worry if the remote access encryption
> technology is proprietary?
3DES is secure if there are no other holes (it doesn't show the weaknesses
of DES and if the keys are kept secure...). See Applied Cryptography by
Bruce Schneier for further info.
SSL versions of all the above protocols are available (and outside the
US!). Start at http://www.psy.uq.edu.au:8080/~ftp/Crypto/
> 6. Is FTP inherently hard to secure with Stateful Inspection type Firewalls?
It depends on what you want to use FTP for. You can use http(s) to move
almost anything, and I hacked together a "microserver" that functions sort
of like an ftp client (returns a directory with links to files and
subdirs, etc, clicking will download). But otherwise use a good FTP.
> 7. What key distribution method should we look for? Is a standard emerging?
X509 Certificates. The ssl listservs are the best place to get answers to
these and the above URL is the best place to start finding this stuff.