Saturday, January 15, 2011

How does SecuRemote work

IKE: Allows DES or 3DES to be used to encrypt the packets. Packets are encapsulated in IP protocol 50 (i.e. IPsec) or in UDP port 2746, depending on whether or not UDP Encapsulation is used.

fwz without encapsulation (available in NG FP1 and before): Uses fwz1 or DES to encrypt the packets. Only the data portion of the packet is encrypted; the IP headers are left alone.

fwz with encapsulation (available in NG FP1 and before): Same as above, except the packets are encapsulated in IP protocol 94 packets.

Visitor Mode (NG AI and above): Tunnels over a standard HTTPS stream. By default it runs over port 443, but it can use any port.

When using Transparent Mode in NG, or when using 4.1 and earlier, the SecuRemote client will, as it deems necessary, establish an encrypted session with the firewall. Before it can do this, the SecuRemote client needs to know which hosts it can talk to over the encrypted session and what the encryption keys are. This is accomplished by fetching the site from the remote server, which happens on TCP port 264 to the firewall module. SecuRemote 4.0 used TCP port 256 to the management station instead.

In NG, when using Connect Mode, the connection to the encryption domain is controlled by the end user. The connection dialog looks very similar to a dial-up networking connection: the user selects the site to connect to, changes any options, and then connects. Optionally, the start of the VPN connection can be tied to the domain logon in Windows 2000/XP.

Once SecuRemote determines that it needs to encrypt traffic to the firewall, authentication is performed. Authentication can be a simple password, S/Key, SecurID, or a certificate, but all data between the firewall and the client is encrypted, so the password (even if it is a simple password) is not divulged in the clear. This exchange happens between the firewall and the client on UDP port 259 (as both source port and destination port) if fwz is used, or on UDP port 500 if IKE is used.
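As an added example (not code from the original post or from Check Point), the following Python maps client-to-firewall flow records onto the phases and ports described above (site fetch, authentication, tunnel data) and flags clients whose tunnel data appeared without an earlier authentication exchange. The flow records and IP addresses are constructed.

```python
# Classify SecuRemote-related flows by the port/protocol table in the post
# and check that tunnel data follows an authentication phase per client.
from dataclasses import dataclass
from typing import Optional, List

IP_PROTO_ESP = 50      # IKE without UDP encapsulation
IP_PROTO_FWZ = 94      # fwz with encapsulation
PROTO_TCP, PROTO_UDP = 6, 17

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int    # IP protocol number
    sport: int    # 0 when the protocol has no ports (ESP, protocol 94)
    dport: int

def classify(flow: Flow) -> Optional[str]:
    """Map one client->firewall flow to a SecuRemote phase, or None."""
    if flow.proto == PROTO_TCP and flow.dport == 264:
        return "site-fetch"        # NG / 4.1 site download from the firewall module
    if flow.proto == PROTO_TCP and flow.dport == 256:
        return "site-fetch"        # 4.0 clients fetch from the management station
    if flow.proto == PROTO_UDP and flow.sport == 259 and flow.dport == 259:
        return "auth-fwz"          # fwz auth uses 259 as source AND destination
    if flow.proto == PROTO_UDP and flow.dport == 500:
        return "auth-ike"
    if flow.proto == IP_PROTO_ESP or (flow.proto == PROTO_UDP and flow.dport == 2746):
        return "data-ike"          # ESP, or UDP-encapsulated IKE tunnel data
    if flow.proto == IP_PROTO_FWZ:
        return "data-fwz"
    # Visitor Mode on TCP/443 is not classified here: it is indistinguishable
    # from ordinary HTTPS by port alone.
    return None

def find_unauthenticated_tunnels(flows: List[Flow]) -> List[str]:
    """Return client addresses whose tunnel data was seen before any auth phase."""
    authed, suspicious = set(), set()
    for f in flows:
        phase = classify(f)
        if phase in ("auth-fwz", "auth-ike"):
            authed.add(f.src)
        elif phase in ("data-ike", "data-fwz") and f.src not in authed:
            suspicious.add(f.src)
    return sorted(suspicious)

# Constructed sample flows (not real captures); 203.0.113.1 is the firewall.
SAMPLE = [
    Flow("10.0.0.5", "203.0.113.1", PROTO_TCP, 1041, 264),   # site fetch
    Flow("10.0.0.5", "203.0.113.1", PROTO_UDP, 500, 500),    # IKE auth
    Flow("10.0.0.5", "203.0.113.1", IP_PROTO_ESP, 0, 0),     # ESP tunnel data
    Flow("10.0.0.9", "203.0.113.1", PROTO_UDP, 1042, 2746),  # tunnel data, no auth seen
]
```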
