
RE: [FW1] SecuRemote keys




This is the way I'm guessing it works:

-You load SecuRemote on your PC and it generates a set of keys.
-You create a site by giving the name or IP address of the FW-1 box you want
 to create the VPN with.
-Your PC sends its public key to the FW-1 box and requests its public key.
-The FW-1 box sends its public key to the PC.  You are told to verify
 the IP address and Key ID that were sent to you.
-Now each side has the other's public key.
-In order for a VPN to be created you have to have a valid user account on
 the FW-1 box.

Dan Lundien, CCNA, CCSE
Sr. Systems Administrator
AppNet, Inc.
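The "verify the IP address and Key ID" step above is the only thing standing between the client and a substituted firewall key, so here is an added example (not from this thread and not Check Point's code) that models that check: the client fetches a public value, derives a Key ID fingerprint from it, and refuses to create the site unless the fingerprint matches the value the administrator handed over out of band. The DH group (RFC 2409 Oakley group 2), SHA-1 as the fingerprint function, and all function names are assumptions for illustration, not FW-1's actual FWZ format.

```python
import hashlib
import secrets

# RFC 2409 Oakley group 2 (1024-bit MODP prime), generator 2.
# Assumed for the demo; FW-1's actual group/parameters are not on the page.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2

def key_id(pub: int) -> str:
    """Fingerprint of a public value: the 'Key ID' the user is asked to verify.
    SHA-1 truncated to 16 hex digits is a constructed format for this demo."""
    raw = pub.to_bytes((pub.bit_length() + 7) // 8, "big")
    return hashlib.sha1(raw).hexdigest()[:16]

def gen_keypair() -> tuple[int, int]:
    priv = secrets.randbits(256)
    return priv, pow(G, priv, P)

def shared_secret(priv: int, peer_pub: int) -> str:
    # Both sides hash the same DH result, so they derive the same session key.
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(128, "big")).hexdigest()

def client_create_site(fetched_pub: int, expected_key_id: str) -> int:
    """Accept the fetched firewall key only if its Key ID matches the
    out-of-band value; anything else is treated as not the firewall's key."""
    if key_id(fetched_pub) != expected_key_id:
        raise ValueError("Key ID mismatch: fetched key is not the firewall's")
    return fetched_pub

def demo(intercept: bool = False) -> str:
    """Simulated site creation. With intercept=True a third party's key is
    delivered instead of the firewall's, as an on-path substitution would."""
    fw_priv, fw_pub = gen_keypair()
    trusted_id = key_id(fw_pub)            # administrator supplies this out of band
    _, other_pub = gen_keypair()           # constructed substitute key
    delivered = other_pub if intercept else fw_pub
    try:
        peer_pub = client_create_site(delivered, trusted_id)
    except ValueError:
        return "rejected"
    c_priv, c_pub = gen_keypair()
    same = shared_secret(c_priv, peer_pub) == shared_secret(fw_priv, c_pub)
    return "agreed" if same else "mismatch"
```

Note that this checks only the client's view of the firewall; the firewall has no fingerprint for the client's key, which is why Dan's last bullet (a valid user account) is what actually authenticates the client side.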





> From fw-1-mailinglist-owner@lists.us.checkpoint.com Tue Mar 14 10:06 EST 2000
> From: SAdams@itsqs.com
> To: carric@com2usa.com, fw-1-mailinglist@lists.us.checkpoint.com
> Subject: RE: [FW1] SecuRemote keys
> Date: Tue, 14 Mar 2000 09:58:27 -0500
> MIME-Version: 1.0
> 
> 
> The FW1 box is its own CA, that's true.  But it has no way of validating the
> public key from the SecuRemote client.  The only way to validate the public
> key from the client is to have a CA use its private key to encrypt the
> public key of the client.  The CA's public key can then be used to decrypt
> the message and learn what the client's public key is.  This method can be
> trusted, as only the CA would be able to encrypt the message, as only the CA
> knows its own private key.  My SecuRemote client doesn't have a CA to
> validate its public key, and it doesn't do my client any good to use the
> public key of the FW1 CA to encrypt its own public key, as the public key
> used by the FW1 CA is known by all and proves nothing.
> 
> So the question(s) remain(s).  How does the FW1 box know that it has a valid
> public key from my client?  And if it has no way of knowing that it has a
> valid public key, how does it generate a session key for communicating with
> my client?
> 
> Steve
> -----Original Message-----
> From: Carric Dooley [mailto:carric@com2usa.com]
> Sent: Monday, March 13, 2000 10:37 PM
> To: SAdams@itsqs.com; fw-1-mailinglist@lists.us.checkpoint.com
> Subject: Re: [FW1] SecuRemote keys
> 
> 
> 
> It is its own CA.
> 
> 
> Carric Dooley
> Network Security Consultant
> 
> "The probability of someone watching you is proportional to the stupidity of
> your action." 
> -Anon? 
> -----Original Message-----
> From: SAdams@itsqs.com <SAdams@itsqs.com>
> To: fw-1-mailinglist@lists.us.checkpoint.com
> <fw-1-mailinglist@lists.us.checkpoint.com>
> Date: Monday, March 13, 2000 8:51 AM
> Subject: RE: [FW1] SecuRemote keys
> 
> 
> >
> >Hi, thanks for your response.  What I really meant to ask was, how does the
> >FW1 box get the client's public key in a way it knows it can trust?  My
> >client has no CA to vouch for the authenticity of the public key it sends.
> >So how does the FW1 box know that it has a valid public key?
> >
> >-----Original Message-----
> >From: Rob Plaenk [mailto:rplaenk@brak.com]
> >Sent: Monday, March 13, 2000 8:05 AM
> >To: 'SAdams@itsqs.com'
> >Subject: RE: [FW1] SecuRemote keys
> >
> >
> >it does this via UDP port 259
> >
> >-----Original Message-----
> >From: SAdams@itsqs.com [mailto:SAdams@itsqs.com]
> >Sent: Friday, March 10, 2000 4:26 PM
> >To: fw-1-mailinglist@lists.us.checkpoint.com
> >Subject: [FW1] SecuRemote keys
> >
> >
> >
> >I have a question about how key exchange works between SecuRemote and FW-1.
> >I use the FWZ encryption scheme on the FW-1 network object, and I generate
> >the CA key locally.  I install the SecuRemote software, and then I configure
> >a site, giving it the IP address of my FW-1 box.  The SecuRemote software
> >fetches the CA key from the FW-1 box.  Cool.  I assume that my SecuRemote
> >client generates its own public-private key pair in order to do the DH thing
> >when I first contact the firewall and login.  Here's my question:  How does
> >the FW-1 box get my client's public key?  I don't see any reference to this
> >anywhere, and I'm kind of curious.
> >
> >TIA,
> >Steve Adams
> >
> >


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================