>(1) While they cite various cryptographic algorithms they use (including, as
>    their first choice for symmetric-key algorithms, plain old 56-bit DES
>    which is a poor choice), they don't describe anything about the
>    cryptographic _protocols_ --- the way those algorithms are deployed to
>    authenticate, protect confidentiality, etc. This may well mean that they
>    invented the protocols themselves, and that is Bad --- as anyone who has
>    watched the IPSec design process knows well. Or even watched the
>    evolution of Kerberos. Designing sound crypto protocols is every bit as
>    tricky as designing sound crypto algorithms, and it doesn't happen inside
>    a small company that doesn't publish the protocols.
>
>(2) According to their web site, Private Wire clients are available for
>    Windows in various flavours, that's it --- so if you are fortunate enough
>    to have any users running more secure client OSes, they cannot get in;
>    only the people whose machines are throbbing sores on the internet, open
>    vectors for attack into your net, can tunnel in. That sucks. That will
>    tend to worsen security.
>
>(3) I didn't see any sign that their source code is available; this means that
>    people aren't going to have an easy time helping them catch and fix their
>    implementation bugs, most especially in the hard bit,
>    generated-symmetric-key entropy management.
>
>I'd give 'em a miss. If you want VPN tunneling, go with IPSec.

Bennett,

Thanks for your comments. But I am not only looking for VPN tunneling; that
I would be able to do with IPSec on Cisco routers, as you mentioned.

What I really need is strong user authentication. So we thought of a product
based on public key cryptography... Private Wire can store the user private
key on a password protected smartcard; we consider that strong enough for
our needs. This way, an intruder would have to steal a smart card and also
the user password which protects the keys inside.

We are open to selecting another product with the same characteristics... Do
you have good experiences with any?

Thanks again,
Fábio.
