FWZ, IPSec, and IKE

Previous versions of FireWall-1 supported a variety of key-management schemes. In NG, the only supported scheme is IKE. FireWall-1 NG FP1 and earlier also support the FWZ scheme, which Check Point deprecated in NG FP2. I briefly describe FWZ here mostly for historical reasons?its use is not described in this book.


FWZ is Check Point's proprietary key-management system and has been available since Check Point made VPN technology part of FireWall-1 in version 2.0. FWZ incorporates the following:

  • A CA (a FireWall-1 management console)

  • Asymmetric encryption for the exchange of CA, DH, and per-session encryption keys

  • Symmetric encryption for actual data encryption using FWZ1, a proprietary Check Point algorithm that encrypts at 48 bits, or DES, the U.S. government's data encryption standard at 56 bits

  • Optional data integrity checking with an MD5 hash

  • Out-of-band management of encryption keys with the RDP protocol (which runs on UDP port 259)

Unlike most encryption methods, which encrypt the entire packet (data and headers) and encapsulate it in a new packet, FWZ encrypts only the data portion of the packet, leaving the original IP headers intact. This means that little additional transmission overhead is incurred. However, it also means that if you want other hosts to access nonroutable address space behind your firewall, you must also perform NAT in order to participate in a VPN.

Due to the numerous issues with FWZ, including the fact it is nonstandard and supports only weak encryption algorithms, Check Point decided to drop FWZ in FireWall-1 NG FP2 and later.


IPSec is a set of standards designed by the Internet Engineering Task Force (IETF), which define how hosts communicate with one another in a secure manner. In tunnel mode (which is what FireWall-1 uses), all communication between any two hosts is completely encapsulated (both IP headers and data) in new packets, which adds up to 100 bytes per packet.

IPSec has two main protocols: an Authentication Header (AH), which is designed to provide integrity and authentication without confidentiality to IP datagrams, and the Encapsulating Security Payload (ESP), which is designed to provide integrity, authentication, and confidentiality to IP datagrams. AH and ESP can be used together or separately, but AH is rarely used in IPSec because ESP provides everything that AH provides plus encryption. In fact, FireWall-1 NG does not even support AH, though you could configure ESP with no encryption and effectively get the same result.

Many different encryption algorithms are used in IPSec for both encryption and data integrity checking. Some of them include the following:

  • 3DES (168-bit)[2]

    [2] 3DES is essentially the DES algorithm run at 56 bits with three separate passes using two different encryption keys. Although many people claim this is 168-bit encryption (3 x 56 = 168), there are really only 112 bits of secret key.

  • DES (40-bit and 56-bit)

  • AES (128-bit and 256-bit)

  • CAST (40-bit)



Not all of these encryption algorithms are part of the IPSec standard. Extra care should be taken when setting up a VPN with third-party products.

For data integrity purposes, FireWall-1 uses these algorithms:

  • RSA (768-bit, 1024-bit, and 1536-bit)

  • DH (768-bit, 1024-bit, and 1536-bit)


IKE is the standard IPSec key-management scheme in use today. It supports automated key exchange and Public Key Infrastructure (PKI), which allows encryption keys to be managed by a separate central server (e.g., the ICA). A "pre-shared secret" (effectively a password) can also be established between two nodes.

Security Associations

Used as part of IPSec, security associations (SAs) are security policies defined for communication between two hosts or subnets. A key represents the relationship between these two. The IKE protocol is used to securely communicate these SAs.