Multi-Tech Systems RF600, RF660, RF760

Chapter 8 – Frequently Asked Questions (FAQs)

Multi-Tech Systems, Inc. RouteFinderVPN RF760/660/600VPN User Guide (PN S000323D) 136

Q19. Why is the export of cryptography controlled?

A19. Cryptography is export-controlled for several reasons. Strong cryptography can be used for criminal purposes or even

as a weapon of war. In wartime, the ability to intercept and decipher enemy communications is crucial. Therefore,

cryptographic technologies are subject to export controls. U.S. government agencies consider strong encryption to be

systems that use key sizes over 512 bits or symmetric algorithms (such as triple-DES) with key sizes over 56 bits.

Since government encryption policy is influenced by the agencies responsible for gathering domestic and international

intelligence (e.g., the FBI and NSA), the government tries to balance the conflicting requirements of making strong

cryptography available for commercial purposes while still making it possible for those agencies to break the codes, if

need be.

To most cryptographers, this level of cryptography (56 bits for symmetric algorithms) is not necessarily considered

"strong". Government agencies use the terms "strategic'' and "standard'' to differentiate encryption systems.

"Standard'' refers to algorithms that have been drafted and selected as a federal standard (DES being the prime

example). The US government defines "strategic'' as any algorithm that requires "excessive work factors'' to

successfully attack. Unfortunately, the government does not frequently publish criteria for what it defines as

"acceptable'' or "excessive'' work factors.

Q20. Can digital signature applications be exported from the U. S.?

A20. Digital signature applications are one of the nine special categories of cryptography that automatically fall under the

more relaxed Commerce regulations; digital signature implementations using RSA key sizes in excess of 512 bits

were exportable even before the year 2000. However, there were some restrictions in developing a digital signature

application using a reversible algorithm (that is, the signing operation is sort of the reverse operation for encryption),

such as RSA. In this case, the application should sign a hash of the message, not the message itself. Otherwise, the

message had to be transmitted with the signature appended. If the message was not transmitted with the signature,

the NSA considered this quasi-encryption and the State controls would apply.

Q21. Can DES be exported from the U.S. to other countries?

A21. For years, the government rarely approved the export of DES for use outside of the financial sector or by foreign

subsidiaries of U.S. companies. Several years ago, export policy was changed to allow the unrestricted export of DES

to companies that demonstrate plans to implement key recovery systems in a few years. Today, Triple-DES is

exportable under the regulations described above.

Q22. I want to use DNAT with multiple original IPs, but my external NIC has just one IP.

How can I do this?

A22. Make sure that the request reaches the RouteFinder, and then use DNAT to redirect the request to the Web servers.

There are two ways to do this:

1. Bind an alias to the external interface, so that it answers ARP requests for this address and the packets are sent

to the MAC address of this NIC. You can do this in Network Setup > Interface (refer to Chapter 3 of this

manual).

2. Tell your router to send those packets directly to the RouteFinder's interface by adding a static routing entry to

the RouteFinder.

Q23. My FTP clients want to use FXP transfers on my Server. How can I do that?

A23. For a fully functional FTP server (able to do FXP), the RouteFinder's "stateful inspection" function is not enough. Due

to security concerns, the RouteFinder will only allow data connections from and to the same client IP as the control

connection.

The example below shows how to make a "glftpd" server work behind a RouteFinder, which does both packet filtering

and DNAT. The general principle applies to all other FTP servers too, so you can use it even if you use another server

daemon.

Let‘s assume that you have glftpd set up in your LAN on address 192.168.1.10 with control port 23456. Your

external, official IP on the RouteFinder is 1.2.3.4.

Go to Networks & Services > Networks and define the host entries for FTP server and external RouteFinder

interface:

FTP_Server 192.168.1.10 255.255.255.255

ASL_Extern 1.2.3.4 255.255.255.255

Go to Networks & Services > Services and define entries for the control connection and the passive mode port

range that the RouteFinder will use.

FTP_ALTControl TCP 1024:65535 23456

PASV_Range TCP 1024:65535 3000:4000

Note that we selected the ports from 3000-4000 to be our passive connection range in this example. You should

select a range matching your setup, do not make it too small, and make sure you do not need any ports in this range

for other services.

Go to Packet Filters > Packet Filter Rules and add the following rules:

Any FTP_ALTControl FTP_Server Allow

This rule allows connections of clients to the FTP server.

FTP_Server Any Any Allow