Hi all,
For a note about the speed of Netscreen devices running encryption/decryption, go
and read the following:
http://www.netscreen.com/press/viewRelease.asp?release=287

I am currently running the smallest Netscreen xp5 with ACS 128 with SHA-1
with pre shared keys.
Runs like a dream, no performance issues.
It's a site-to-site VPN with 10 users at the remote site accessing the
central office.

This is a cheap test of the Netscreens, A$1,780. We have ordered the Netscreen
500s for production.
The main reason I pick the Netscreen is the high performance with VPNs and
very easy setup and management.
  

Richard Taylor MSc (UTS)
Network and Security Architect
Technology Services
Thomson Legal & Regulatory Limited
+61-2-8587-7521

                -----Original Message-----
                From:   Ben Nagy [mailto:[EMAIL PROTECTED]]
                Sent:   Thursday, June 13, 2002 7:35 PM
                To:     'Allix Primus'; [EMAIL PROTECTED]
                Subject:        RE: Netscreen 25 VPN Slowdown


                I've said this a few times before, but..

                If people are using IKE with shared secrets then they almost
                certainly don't need 3DES for their transport cipher.
                Likewise, MD5 should probably now be considered "too weak" to
                match with 3DES.

                For "strong" VPNs I recommend SHA-1, 3DES and RSA encrypted
                nonces using certs on the devices. (NB: This needs N(n-1)
                total certs and (n-1) certs in each device, which can be
                awful).
                For "fairly strong" SHA-1, 3DES and Certs using a CA (yes, I
                rate this as weaker than manually entering the certs in each
                device, but it's MUCH easier to manage).
                For "normal" then I have no problem with MD5, DES and shared
                secrets of at least 64-bits worth of entropy (usually about 16
                random characters, depending on your paranoia level. You could
                always md5sum /dev/urandom...). That bit is important - I've
                seen way too many implementations with really crappy shared
                secrets.

                This, IMO, keeps your various bits and pieces in balance. If
                you're using shared secrets and MD5 then you're probably just
                giving up speed by running 3DES as your cipher.

                --
                Ben Nagy
                Network Security Specialist
                Mb: TBA  PGP Key ID: 0x1A86E304 


                > -----Original Message-----
                > From: [EMAIL PROTECTED] 
                > [mailto:[EMAIL PROTECTED]] On Behalf Of Allix Primus
                > Sent: Wednesday, June 12, 2002 11:52 PM
                > To: [EMAIL PROTECTED]
                > Subject: Netscreen 25 VPN Slowdown
                > 
                > 
                > Hi,  
                > 
                > Our organization has just updated their firewall to the
                > NetScreen 25. Installation was fairly simple to implement and
                > things appear to be working.
                > 
                > The only problem we have noticed is a noticeable slowdown 
                > with the VPN. It currently uses 3DES encryption and MD5 
                > authentication using manual IKE.
                > 
                > Any suggestions or comments about the NetScreen 25 would be
                > greatly appreciated.
                > 
                > Al

                -- 
                Firewalls mailing list - [ [EMAIL PROTECTED] ]
                To unsubscribe:
http://www.isc.org/services/public/lists/firewalls.html
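
Added example, not part of the thread or written by any of its authors: one way to produce a shared secret with the "at least 64 bits of entropy" asked for above, and to work out how many random characters that takes for a given alphabet. The function names are hypothetical; it assumes a POSIX shell with od, tr, head, awk and /dev/urandom.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# psk_hex BITS: BITS of kernel randomness as hex, 4 bits per character.
psk_hex() {
    [ $(($1 % 8)) -eq 0 ] || { echo "BITS must be a multiple of 8" >&2; return 1; }
    od -An -v -tx1 -N "$(($1 / 8))" /dev/urandom | tr -d ' \n'
    echo
}

# psk_chars ALPHABET_SIZE BITS: shortest length L with ALPHABET_SIZE^L >= 2^BITS,
# i.e. a uniformly random string of that length carries at least BITS of entropy.
psk_chars() {
    awk -v n="$1" -v b="$2" 'BEGIN {
        if (n < 2) exit 1                      # a 1-symbol alphabet has no entropy
        target = 1; for (i = 0; i < b; i++) target *= 2
        p = 1; len = 0
        while (p < target) { p *= n; len++ }
        print len
    }'
}

# psk_alnum BITS: random A-Za-z0-9 string with at least BITS of entropy.
# tr -dc drops bytes outside the set, so every kept character is uniform.
psk_alnum() {
    len=$(psk_chars 62 "$1")
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "$len"
    echo
}

echo "hex, 64 bits:      $(psk_hex 64)"
echo "alnum, >= 64 bits: $(psk_alnum 64)"
echo "chars needed for 64 bits: hex=$(psk_chars 16 64) alnum=$(psk_chars 62 64)"
```

Sixteen hex characters carry exactly 64 bits, while a uniformly random alphanumeric secret reaches 64 bits in 11 characters; neither figure holds for secrets a person chose by hand.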

