Previous versions of FireWall-1 supported a variety of key-management schemes. In NG FP2 and later, the only supported scheme is IKE. FireWall-1 NG FP1 and earlier also support the FWZ scheme, which Check Point deprecated in NG FP2. I briefly describe FWZ here mostly for historical reasons; its use is not described in this book.

FWZ

FWZ is Check Point's proprietary key-management system and has been available since Check Point made VPN technology part of FireWall-1 in version 2.0. FWZ incorporates the following:
Unlike most VPN encryption schemes, which encrypt the entire original packet (headers and data) and encapsulate it in a new packet, FWZ encrypts only the data portion of the packet and leaves the original IP header intact. Little additional transmission overhead is incurred. However, because the original addresses stay visible on the wire and are routed as-is, hosts that use nonroutable address space behind your firewall must also be NATed in order to participate in a VPN. Due to the numerous issues with FWZ, including the fact that it is nonstandard and supports only weak encryption algorithms, Check Point dropped FWZ in FireWall-1 NG FP2 and later.

IPSec

IPSec is a set of standards designed by the Internet Engineering Task Force (IETF) that defines how hosts communicate with one another securely at the IP layer. In tunnel mode (which is what FireWall-1 uses), all communication between any two hosts is completely encapsulated (both the original IP header and the data) in new packets. The new outer IP header, the ESP header, cipher padding, and the integrity check value together add as much as 100 bytes per packet, which is worth remembering when a path's MTU is tight, since packets that previously fit may now be fragmented.

IPSec has two main protocols: the Authentication Header (AH), which provides integrity and authentication but no confidentiality for IP datagrams, and the Encapsulating Security Payload (ESP), which provides integrity, authentication, and confidentiality. AH and ESP can be used together or separately, but AH is rarely used because ESP provides nearly everything AH provides plus encryption. The one thing AH covers that ESP does not is the outer IP header itself: ESP's integrity check starts at the ESP header, so the outer addresses are not authenticated. That is also what lets ESP, unlike AH, survive address rewriting by NAT. FireWall-1 NG does not even support AH, though you can configure ESP with no encryption (the NULL cipher) and effectively get the same result. Many different cryptographic algorithms are used in IPSec, both for encryption and for data integrity checking. Some of them include the following:
NOTE!
For data integrity purposes, FireWall-1 uses these algorithms:
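To make concrete what ESP does and does not protect, here is an added example (my own illustration in Python, not Check Point code) that builds a tunnel-mode ESP packet with the NULL cipher (RFC 2410) and HMAC-SHA1-96 integrity (RFC 2404), that is, the "ESP with no encryption" configuration mentioned above. It then shows that rewriting the outer IP header, as a NAT device would, leaves the integrity check intact, while flipping one bit of the inner packet does not. The inner packet, outer addresses, SPI and authentication key are all constructed for the example; a real SA would get its key from IKE. The example also reports the per-packet overhead of tunnel-mode encapsulation, 43 bytes for this small packet, which grows toward the 100-byte figure once a real cipher's IV and block padding are added.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50          # IP protocol number for ESP
IPIP_NEXT_HEADER = 4    # "next header" value for a tunneled IPv4 packet
ICV_LEN = 12            # HMAC-SHA1-96 truncates the MAC to 96 bits (RFC 2404)
IP_HDR_LEN = 20


def ipv4_header(src, dst, proto, payload_len, ident=0, ttl=64):
    """Minimal IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR_LEN + payload_len, ident, 0,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", (~total) & 0xFFFF) + hdr[12:]


def esp_null_encapsulate(auth_key, spi, seq, payload, next_header):
    """ESP with the NULL cipher: SPI | Seq | payload | padding | pad len | next header | ICV.

    Note what the ICV covers: everything from the SPI onwards, and nothing before it."""
    pad_len = (-(len(payload) + 2)) % 4          # pad so the trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))       # default monotonic padding from RFC 2406
    body = struct.pack("!II", spi, seq) + payload + padding + bytes([pad_len, next_header])
    icv = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_null_verify(auth_key, esp):
    """Return (spi, seq, next_header, payload) if the ICV checks out, else None."""
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = struct.unpack("!II", body[:8])
    pad_len, next_header = body[-2], body[-1]
    return spi, seq, next_header, body[8:len(body) - 2 - pad_len]


def tunnel_encapsulate(auth_key, spi, seq, inner_packet, outer_src, outer_dst):
    """Tunnel mode: the whole inner IP packet becomes the ESP payload behind a new outer header."""
    esp = esp_null_encapsulate(auth_key, spi, seq, inner_packet, IPIP_NEXT_HEADER)
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def tunnel_verify(auth_key, outer_packet):
    return esp_null_verify(auth_key, outer_packet[IP_HDR_LEN:])


# Constructed test data: a 160-bit HMAC-SHA1 key (a real SA gets this from IKE) and a small
# inner packet from one private network to another carrying 13 bytes of UDP-style payload.
AUTH_KEY = bytes(range(20))
INNER = ipv4_header("10.1.1.5", "10.2.2.9", 17, 13) + b"hello, branch"


def demo():
    outer = tunnel_encapsulate(AUTH_KEY, 0x1000, 1, INNER, "192.0.2.1", "198.51.100.1")
    verified = tunnel_verify(AUTH_KEY, outer)
    # A NAT device rewrites the outer destination; ESP does not notice because its ICV
    # starts at the ESP header (AH, which covers the IP header, would fail here).
    natted = ipv4_header("192.0.2.1", "203.0.113.7", ESP_PROTO,
                         len(outer) - IP_HDR_LEN) + outer[IP_HDR_LEN:]
    after_nat = tunnel_verify(AUTH_KEY, natted)
    # Flip one bit of the inner packet's data: the ICV no longer matches and the packet is dropped.
    tampered = bytearray(outer)
    tampered[IP_HDR_LEN + 8 + IP_HDR_LEN] ^= 0x01     # first byte of "hello, branch"
    tampered_result = tunnel_verify(AUTH_KEY, bytes(tampered))
    return {"verified": verified, "after_nat": after_nat,
            "tampered": tampered_result, "overhead": len(outer) - len(INNER)}


if __name__ == "__main__":
    r = demo()
    print("inner packet recovered intact:", r["verified"][3] == INNER)
    print("still verifies after outer NAT:", r["after_nat"] is not None)
    print("verifies after payload tamper:", r["tampered"] is not None)
    print("tunnel-mode overhead (bytes):", r["overhead"])
```

The overhead here is 20 bytes of outer header, 8 bytes of ESP header, 3 bytes of padding and trailer, and a 12-byte ICV. With 3DES or AES the payload is also padded to the cipher block size and an IV is prepended, which is how a real tunnel approaches the upper figure quoted above.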
IKE

IKE is the standard IPSec key-management scheme in use today. It supports automated key exchange and authentication with Public Key Infrastructure (PKI) certificates, which allows peers to be authenticated through a separate central certificate authority (e.g., Check Point's Internal Certificate Authority, the ICA) rather than by keys configured by hand on each gateway. A "pre-shared secret" (effectively a password) can also be established between two nodes. This is simpler to set up, but any gateway that knows the secret can impersonate the others, so the secret should be long and random and replaced if a gateway holding it is compromised.

Security Associations

Used as part of IPSec, security associations (SAs) are the agreed security parameters (protocol, algorithms, keys, Security Parameter Index, and lifetime) for communication between two hosts or subnets. An SA is one-way, so a working tunnel needs a pair, one per direction, each identified by its own Security Parameter Index (SPI) and keyed with its own key material. The IKE protocol is used to negotiate these SAs and to securely derive their keys.
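The SA negotiation described above, as an added example (my own illustration in Python, not the IKE implementation in FireWall-1): the IKEv1 Phase 1 key derivation for pre-shared-key authentication and the Phase 2 (quick mode, no PFS) keying material, both as specified in RFC 2409, computed as each peer would compute them over Diffie-Hellman group 2. The pre-shared secret, cookies, nonces, SPIs and DH exponents are constructed values; the group 2 prime is the one published in RFC 2409 and is sanity-checked with a Fermat test when the module loads. The two things to take away are that both sides independently arrive at the same SKEYID_d without the shared secret ever crossing the wire, and that the two directions of the tunnel end up with different keys because each SA has its own SPI.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group 2 (1024-bit MODP) from RFC 2409 section 6.2, generator 2.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
DH_LEN = (P.bit_length() + 7) // 8           # 128 bytes
assert pow(2, P - 1, P) == 1                 # cheap sanity check that P is (almost certainly) prime

PROTO_IPSEC_ESP = 3                          # IPsec DOI protocol identifier for ESP (RFC 2407)


def prf(key, data):
    """IKE prf for the HMAC-SHA1 case (IKE uses HMAC with the negotiated hash)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_public(x):
    return pow(G, x, P)


def dh_shared(peer_public, x):
    """g^xy, encoded as a fixed-width big-endian value as IKE requires."""
    return pow(peer_public, x, P).to_bytes(DH_LEN, "big")


def phase1_keys_psk(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5: SKEYID and its three derivatives for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")               # seeds Phase 2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")    # authenticates ISAKMP messages
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")    # encrypts ISAKMP messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def phase2_keymat(skeyid_d, protocol, spi, ni, nr, length):
    """RFC 2409 section 5.5 without PFS: KEYMAT = K1 | K2 | ... where
    K1 = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b) and Kn = prf(SKEYID_d, Kn-1 | protocol | SPI | Ni_b | Nr_b)."""
    seed = bytes([protocol]) + spi + ni + nr
    out, k = b"", b""
    while len(out) < length:
        k = prf(skeyid_d, k + seed)
        out += k
    return out[:length]


def ike_exchange(psk, xi, xr, ni, nr, cky_i, cky_r, qm_ni, qm_nr, spi_i, spi_r, keylen=44):
    """What initiator and responder each hold after Phase 1 and one quick-mode exchange.

    spi_i is chosen by the initiator for the SA it will receive on, spi_r by the responder
    for its inbound SA; keylen=44 covers a 3DES key (24 bytes) plus an HMAC-SHA1 key (20)."""
    gxi, gxr = dh_public(xi), dh_public(xr)          # the public values that cross the wire
    init = phase1_keys_psk(psk, ni, nr, dh_shared(gxr, xi), cky_i, cky_r)
    resp = phase1_keys_psk(psk, ni, nr, dh_shared(gxi, xr), cky_i, cky_r)
    init_sa = {"inbound": phase2_keymat(init["SKEYID_d"], PROTO_IPSEC_ESP, spi_i, qm_ni, qm_nr, keylen),
               "outbound": phase2_keymat(init["SKEYID_d"], PROTO_IPSEC_ESP, spi_r, qm_ni, qm_nr, keylen)}
    resp_sa = {"inbound": phase2_keymat(resp["SKEYID_d"], PROTO_IPSEC_ESP, spi_r, qm_ni, qm_nr, keylen),
               "outbound": phase2_keymat(resp["SKEYID_d"], PROTO_IPSEC_ESP, spi_i, qm_ni, qm_nr, keylen)}
    return init, resp, init_sa, resp_sa


def demo():
    """Constructed inputs: a pre-shared secret plus fresh random cookies, nonces, SPIs and exponents."""
    rnd = secrets.token_bytes
    xi, xr = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    return ike_exchange(b"correct horse battery staple",          # constructed pre-shared secret
                        xi, xr, rnd(16), rnd(16), rnd(8), rnd(8),   # phase 1 nonces and cookies
                        rnd(16), rnd(16), rnd(4), rnd(4))           # quick-mode nonces and SPIs


if __name__ == "__main__":
    init, resp, init_sa, resp_sa = demo()
    print("same SKEYID_d on both sides:", init["SKEYID_d"] == resp["SKEYID_d"])
    print("initiator outbound key == responder inbound key:", init_sa["outbound"] == resp_sa["inbound"])
    print("the two directions share a key:", init_sa["inbound"] == init_sa["outbound"])
```

Because SKEYID is keyed by the pre-shared secret, an eavesdropper who captures the nonces and DH public values still cannot compute SKEYID_d; an eavesdropper who has the secret can, which is the reason for the warning about pre-shared secrets above.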