We use Firewall-1 and SecuRemote (the remote encryption you referred
to). Here are some of my observations. Note that I'm not replying to
the ntsecurity list as I'm not on it. You can forward this to that
list if appropriate. And forward it to the Firewalls list if it
doesn't make it there, I'm not sure if I'm subscribed with the same
address. Please forgive any nasty line wrapping on your quotes, my
mail program does it.
On 7/15/99, [EMAIL PROTECTED] (Tom Tomasovic) said:
> Looking for some advice/assistance with Firewall-1.
> Platform: NT
> Questions re: Authentication, Encryption
> Scenario:
>
> We are about to install Firewall-1 to protect an extranet server and our
> internal network. The web server will be in a DMZ, and we would like to
> encrypt file transmissions to our clients. We would also like to be able
> to authenticate clients. Our consultant has suggested authentication at
> the firewall (as opposed to at the web server), using some system other
> than NT Security. He has also suggested using Checkpoint's encryption
> capabilities (as opposed to SSL), and he says that (to a 'limited' extent)
> those capabilities are included in the basic Firewall-1 product. He also
> indicates that this would make SSL unnecessary and would allow us to do
> any sort of communications (e.g., FTP) in an encrypted environment.
>
> I have several questions about this configuration.
>
> 1. Is any sort of encryption included with the 'basic' Firewall-1
> license? (I have not been able to find much information on the Checkpoint
> site other than that they have an encryption module, although I have not
> done an extensive search.)
I'm not sure if the VPN module is part of the basic package, but
that's what we call the encryption module that you're probably
referring to. I do know that Checkpoint only recently (as of 4.0 I
think) started keeping track of how many users you plan to have use it,
not that they charge for them. If there is a separate charge for the
VPN module, it is a single fixed charge for the server software.
> 2. If encryption is included (and it is not SSL), what is necessary at
> the client level to use this encryption?
They have a package called SecuRemote that is installed on the client
machine from a few floppies. On Windows 95 (and probably others) it
plays around with network stack bindings so their module sits between
the TCP/IP protocol and any adapters. If the module on your client's
machine sees traffic for your Encryption Domain (your DMZ subnet), it
pops up an Authentication box, authenticates to your Firewall-1
server, then encrypts and decrypts the traffic. It can use a couple
of different encryption schemes.
We've had various problems with the software working on laptops (with
PCMCIA and docking station adapters that come and go), and with AOL
(since it uses a special adapter), and Checkpoint hasn't been very
good at resolving them.
> 3. Does the idea of forsaking NT security for authentication at the
> firewall make sense, i.e., is that route SIGNIFICANTLY more secure? (I am
> not talking here about using SecureID or some other token mechanism,
> although that is a future option.)
Yes IMHO. You can make it so people can't even get to your web server
from the Extranet unless they authenticate to your firewall first.
Given what I've heard on this list, I'd be more inclined to trust the
firewall login and security. However, if you also need to permit
things on the web server to different users, you'll probably still
have to make the users authenticate themselves to it as well.
> 4. Does authentication at the firewall (with Checkpoint) limit our
> flexibility in controlling access to specific resources? (I know we could
> always impose NT security on top of firewall authentication, but it would
> add to the 'client burden' and also to the administrative headaches.)
You can control access from specific users through Firewall-1 to
specific machines and services. You can't control access to specific
resources (URLs) on a website (that I know of) without getting a third
party package that handles UFP (Universal Filtering Protocol I think)
that you can configure. With a UFP server, you should be able to
define individual resources (URLs on your server) and match them up
with specific clients in your Firewall rules.
As to encrypted FTP and HTTPS only directories (trimmed), I don't
know.
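The layering described in the reply (user/host/service control at the firewall, URL-level control only with an extra filtering component) can be modelled in a few lines. The following is an added example, not code from the thread or from Check Point; the hosts, users, rulebase and URL policy are constructed, and the URL filter is a stand-in for what a real UFP-style server would provide, not an implementation of that protocol.

```python
"""Two-layer access control model: firewall rulebase plus a URL filter layer."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Request:
    user: Optional[str]        # None: the client never authenticated to the firewall
    dst: str                   # destination host, e.g. the DMZ web server
    service: str               # "http", "ftp", ...
    url: Optional[str] = None  # only meaningful for http; the firewall layer ignores it


@dataclass(frozen=True)
class FirewallRule:
    users: FrozenSet[str]
    dst: str
    service: str
    action: str                # "accept" or "drop"


# Constructed sample rulebase (hypothetical hosts and users, not from the thread).
RULEBASE: List[FirewallRule] = [
    FirewallRule(frozenset({"alice", "bob"}), "dmz-web", "http", "accept"),
    FirewallRule(frozenset({"alice"}), "dmz-web", "ftp", "accept"),
]


def firewall_decision(rules: List[FirewallRule], req: Request) -> str:
    """Firewall layer: sees only who authenticated, which host, which service."""
    if req.user is None:
        return "drop"  # unauthenticated clients never reach the DMZ host at all
    for rule in rules:
        if req.user in rule.users and req.dst == rule.dst and req.service == rule.service:
            return rule.action
    return "drop"  # implicit cleanup rule: anything not explicitly accepted is dropped


# Constructed URL policy: resource prefix -> users allowed to fetch it.
URL_POLICY: Dict[str, FrozenSet[str]] = {
    "/public/": frozenset({"alice", "bob"}),
    "/reports/": frozenset({"alice"}),
}


def url_filter_decision(policy: Dict[str, FrozenSet[str]], req: Request) -> str:
    """Resource layer: the only place a per-URL decision can be made."""
    if req.service != "http" or req.url is None:
        return "accept"  # a URL filter has nothing to say about non-HTTP traffic
    best: Optional[str] = None
    for prefix in policy:  # longest matching prefix wins
        if req.url.startswith(prefix) and (best is None or len(prefix) > len(best)):
            best = prefix
    if best is None:
        return "drop"  # unknown resource: deny by default
    return "accept" if req.user in policy[best] else "drop"


def end_to_end(rules: List[FirewallRule], policy: Dict[str, FrozenSet[str]], req: Request) -> str:
    """Apply both layers in order and report which one rejected the request."""
    if firewall_decision(rules, req) != "accept":
        return "drop@firewall"
    if url_filter_decision(policy, req) != "accept":
        return "drop@urlfilter"
    return "accept"


if __name__ == "__main__":
    samples = [
        Request(None, "dmz-web", "http", "/public/index.html"),
        Request("bob", "dmz-web", "http", "/public/index.html"),
        Request("bob", "dmz-web", "http", "/reports/q3.csv"),
        Request("bob", "dmz-web", "ftp"),
        Request("alice", "dmz-web", "ftp"),
    ]
    for s in samples:
        print(s.user, s.service, s.url, "->", end_to_end(RULEBASE, URL_POLICY, s))
```

The third sample is the point of the reply: the firewall rulebase accepts bob's HTTP session to the web server, so without the URL layer he could fetch `/reports/q3.csv`; only the resource-aware layer can tell `/public/` from `/reports/`.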
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]