Hi
This looks interesting as we want to try this out at some stage with cable
modem/routers.
My understanding is that many cable modems/routers use proprietary
encryption schemes for the cable modem/router to cable operator Head End
(INA) that support the NAT functions - I am not sure what happens after it
has passed on to the general internet though - probably nothing ?
For our SecuRemote connections we use FWZ as advised by VAR for:-
1. Admin - there is just one key to setup and maintain.
2. 3DES not readily available in UK - I have ordered through VAR about 3
months ago - still no sign of it !
3. Flexible auth. schemes
4. It works (!)
Your comments make me inclined to think again though - couple of questions:-
a. What is admin overhead of IKE vs FWZ - is it easy to maintain keys at
client and server end ?
b. I heard that the IKE standard supports 3 modes - 1 of which still only
has 1 key - or does CP not support this mode ?
c. What impact (apart from waiting forever for the license for 3DES !) does
3DES have on admin etc. and how easy is it to transfer from DES-FWZ to
DES-IKE or 3DES-IKE ?
d. Is LDAP authentication supported across all schemes ?
(by the way - off topic - when is your FW-1 book to save all of us coming
out ? - the sooner the better in my opinion - and can I have a signed first
edition ;-)
Thanks
Tim Higgins
"Dameon D. Welch-Abernathy" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
07/06/00 15:19
Please respond to dwelch

To: Daniel Snyder <[EMAIL PROTECTED]>
cc: [EMAIL PROTECTED]
Subject: Re: [FW1] Cable routers

On Wed, Jun 07, 2000 at 08:29:20AM -0400, Daniel Snyder wrote:
> I am looking for information and success stories on Cable routers that
> work successfully with Securemote and FWZ.

You are far better off attempting this with IKE.
* Unencapsulated FWZ changes the MD5 checksum of packets, which the Linksys
  router (among other things) will check and will either change the checksum
  along the way or drop the packet altogether because the checksums are
  invalid.
* Encapsulated FWZ does not work with HIDE NAT. Check Point says so.
* If you're using FWZ because of a reliance on SecurID or RADIUS auth,
FireWall-1 4.1 SP1 has support for "Hybrid Authentication" mode that
works when used along with the latest version of the SecuRemote client.
* IKE allows for 3DES encryption. FWZ does not. Need I say more?
-- PhoneBoy
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
#**********************************************************************
This message is intended solely for the use of the individual
or organisation to whom it is addressed. It may contain
privileged or confidential information. If you have received
this message in error, please notify the originator immediately.
If you are not the intended recipient, you should not use,
copy, alter, or disclose the contents of this message. All
information or opinions expressed in this message and/or
any attachments are those of the author and are not
necessarily those of Hughes Network Systems Limited,
including its European subsidiaries and affiliates. Hughes
Network Systems Limited, including its European
subsidiaries and affiliates accepts no responsibility for loss
or damage arising from its use, including damage from virus.
#**********************************************************************