Great Circle Associates Firewalls
(June 1997)
 


Subject: Re: TT0000011229 Re: Pulling out Checkpoint-1 firewalls
From: Frank Willoughby <frankw @ in . net>
Date: Fri, 27 Jun 1997 11:07:23 -0500
To: Mark Teicher <mht @ clark . net>
Cc: firewalls @ GreatCircle . com
In-reply-to: <3 . 0 . 1 . 32 . 19970627094335 . 008b5420 @ clark . net>

At 09:43 AM 6/27/97 -0400, you wrote:

Mark, 

Thanks for taking the time to get this cleared up.  Your mail from
Checkpoint is greatly appreciated.  It was an intelligent mail and 
deserves an intelligent response.  It also raised some issues 
(thankfully, more on the lines of firewalling technology than spy 
stuff).  FWIW, this will be my last mail on the Mossad issue.


>Forwarded response from Checkpoint concerning Mossad..  
>
>
>/mark
>
>>To: mht <mht @ clark . net>
>>Cc: deb <deb @ checkpoint . Com>
>>From: support <support @ checkpoint . Com>
>>Date: 27 Jun 97 14:24:35 ZET
>>Subject: TT0000011229  Re: Pulling out Checkpoint-1 firewalls
>>
>> 
>> Hi,
>>
>>>>Why do I hear about companies pulling out Checkpoint-1 firewalls for
>>>>security reasons, or security expert recommendations to remove Checkpoint?
>> This is the first we've heard about it. Granted, Firewall-1, by itself,
>>will not secure your network because you can misconfigure it, but that's
>>not a reason to pull it out and leave yourself completely exposed - it's 
>>a reason to learn how to configure it properly.
>>
>>>>I've heard some (unverified) concern about a possible Mossad/Checkpoint
>>>>connection, but is there something hard and specific that I'm missing,
>>>>besides the fact the firewall has filters but no proxies?

The filters but no proxies issue has nothing to do with it.  The lack of
proxies is a technical area which I think should be addressed in another 
mail thread.


>> The fact that Firewall-1 does not have proxies is because we don't 
>>need them. Stateful inspection provides you with the same level of security,
>>but without having to go through a proxy, which has a high performance cost.

Interesting.  I recently spoke to another Checkpoint employee who claimed 
that the Firewall-1 does have proxies and that the proxies are there because 
some customers required it.  If it's not too much trouble, could you check 
into this & send me an e-mail with the results?


>> As for our alleged connection with the Mossad, I can assure you we 
>>don't have such a connection. However, that might not be enough for you, 
>>because even if I were a Mossad agent I'd still reassure you I wasn't.
>> Instead, I'll appeal to your logic. Any Firewall you may buy was 
>>written in a country with a security service, which could have written
>>a backdoor into it. 

Thanks for the clarification.  As mentioned earlier, I'm dropping this 
thread.


>>Is there any reason why the Israeli Mossad worries
>>you more than the US's NSA or any other equivalent agency? 

Well, an employee of the CIA (Pollard?) was caught spying on behalf 
of Israel only 2-3 years ago.  

On a separate, but similar note, Checkpoint has been submitted for 
evaluation to be used in an environment in which it may be connected
to classified networks. (This info is not classified, as it is on an 
Internet web site).  

Please don't be offended at this, but I'm uncomfortable with the 
thought that a product from a nation which was caught spying on 
the USA may potentially be connected to classified networks.  
However, this is an issue for our gov't to deal with - not me, 
and not this list.



>>If you're
>>worried that Israeli law makes Checkpoint put a backdoor into the Firewall
>>in a way that US laws don't, I can assure you that is not the case,
>>although you wouldn't be able to verify me without an expensive legal
>>search, which you will obviously have to do yourself.

I didn't mention the backdoor & won't address it.


>> There is another matter, and that is that a major intelligence
>>agency, such as the Mossad or the N.S.A. probably has other ways to
>>get at your computers. For an analysis of this risk, please refer to
>>the PGP documentation, available at URL
>>ftp://nic.funet.fi/pub/crypt/cryptography/pgp/doc/pgp23dosA.zip
>> 

Ori, Thanks for the pointer and more importantly, thanks for your
polite response to a sensitive subject.  I appreciate your candor
and the time you put into writing your mail.  Thanks again.


>> Sincerely,
>>  Ori    Pomerantz
>>  Support Engineer

Best Regards,


Frank
PS - As far as I am concerned, the threads about the Mossad are dead.
     If someone else wants to continue on with the thread, they will
     do so without my help.
The opinions of the author of this mail may not necessarily be 
representative of the opinions of Fortified Networks, Inc.

Fortified Networks, Inc. - http://www.fortified.com/
Expert (vendor-neutral) Computer and Network Security Consulting
Phone: (317) 573-0800     Fax:   (317) 573-0817

