
Re: [FW1] Mixing DES levels?



You are right Jeff.  That used to be the case, but was taken care of in 4.0 sp5 or
6.  And, of course in all versions of 4.1.  The reason had to do with the security
problems I spoke of.

Thanks Jeff,

CryptoTech

Jeff Hochberg wrote:

> The only reason why I pointed out the modifications to the control.map file
> is because I've run into situations where a customer will have enterprise
> encryption center and for some reason or another purchased a module with no
> encryption.  In the past, if you were using a management station that had
> encryption and trying to manage a module with no encryption at all, I needed
> to modify the control.map (per Frank's recommendation; I used to work with
> him) to reduce or eliminate the encrypted channel between the management and
> module.
>
> I didn't take offense, I appreciate the constructive criticism.  I guess I
> just wasn't clear enough as to which encryption scenario I was talking
> about.
>
> -Jeff
>
> -----Original Message-----
> From: CryptoTech [mailto:[email protected]]
> Sent: Saturday, November 11, 2000 8:54 AM
> To: [email protected]
> Cc: 'Tom Sevy'; 'Check Point FW List (E-mail)'
> Subject: Re: [FW1] Mixing DES levels?
>
> Not true Jeff.  As a matter of fact, and I think Frank will concur, you
> should never change the control.map file unless you are quite certain of the
> repercussions.  The control.map file determines if FWA1, FWN1, or SSL, or
> (god forbid) NONE is the chosen secure transmission method between modules.
>
> What you will need to do is to edit that VPN rule's encryption method by
> right clicking on the 'Encrypt' action and selecting edit under the IKE tab.
> Then select DES as the Encrypt Transform.
>
> It is a very common thing to do what you are asking.
>
> HTH,
> CryptoTech
>
> PS.  Please do not take offense Jeff.  I am not questioning your expertise,
> just indicating my company's policy with regard to firewalls.
>
> Jeff Hochberg wrote:
>
> > I think Frank already answered this question....
> >
> > No that's not a problem.  Depending on what encryption level you are
> > running on the Nokia, you may have to modify the control.map file to change
> > which encryption scheme is used between the management and that module when
> > pushing a policy or logging back to the management.
> >
> > Jeffrey Hochberg
> > Digital Stronghold
> > [email protected]
> >
> > -----Original Message-----
> > From: [email protected]
> > [mailto:[email protected]]On Behalf Of Tom
> > Sevy
> > Sent: Friday, November 10, 2000 4:24 PM
> > To: 'Frank Darden'; Check Point FW List (E-mail)
> > Subject: RE: [FW1] Mixing DES levels?
> >
> > Since this is an internal FW to protect us from our Vendors, we don't care
> > much about encryption.  We won't be using it for any vpn.
> >
> > I just want to be sure that the 3Des Management Console won't complain
> > that it is talking to a lesser [encryption strength] Nokia IP box.
> >
> > -----Original Message-----
> > From: Frank Darden [mailto:[email protected]]
> > Sent: Friday, November 10, 2000 3:27 PM
> > To: 'Tom Sevy'; Check Point FW List (E-mail)
> > Subject: RE: [FW1] Mixing DES levels?
> >
> > Yes, you can mix DES as well as 3DES, and FWZ1. You'll set the encryption
> > level on your action encrypt item in the rulebase.
> >
> > -----Original Message-----
> > From: Tom Sevy [mailto:[email protected]]
> > Sent: Friday, November 10, 2000 2:37 PM
> > To: Check Point FW List (E-mail)
> > Subject: [FW1] Mixing DES levels?
> >
> > We currently have two IP440's running 4.1 SP2 3Des.
> >
> > I need to add two new Firewalls (possible IP330, possible IP440) to
> > segregate our network from a Vendor router segment (already thought about
> > just making this another zone off of existing FW's, but decided to put in
> > totally different new units for this task).
> >
> > Can the new one be less than 3Des?  Or does everything have to stay the
> > same?
> >
> >
> > ================================================================================
> >      To unsubscribe from this mailing list, please see the instructions at
> >                http://www.checkpoint.com/services/mailing.html
> > ================================================================================



   All contents © 2004 Network Presence, LLC. All rights reserved.