Firewall-1

Re: [FW-1] Encryption in China (PRC)

Subject: Re: [FW-1] Encryption in China (PRC)
From: Ray <sixsigma44 AT HOTMAIL DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Wed, 25 May 2005 17:19:45 -0400
We just started on this exercise as well and have gotten guidance from
several large US corporations, the ones with very short stock market
symbols. Here's what we've been told:

You cannot export strong crypto products into China for use by Chinese
citizens without both US export approval and Chinese import approval. Your
own US citizen employees can take their laptops with encryption into China
for a maximum of one year as long as they maintain control of the laptop,
unless they're a salesperson. If they're in sales, the one year rule applies
with the additional stipulation that they cannot stay in one place for more
than three months. I have no idea why.

If the Chinese citizens can legally buy the hardware and software in China,
they can legally use it for encrypted communications outside of China.

To a company, everyone tried encrypted VPNs back to the US over the Internet
and eventually gave up due to performance and stability issues. Each one of
them now runs leased lines back to Hong Kong and then on to the US and they
are not running encryption over the leased lines into Hong Kong.

Some of them are reliably using encrypted site-to-site VPNs between PRC
sites. It's only the cross-border stuff that has problems. For remote access
they VPN to one of their branch offices and on via the leased lines.

Kind of discouraging, but not unexpected,

Ray

From: "Matthew S. Cramer" <mscramer AT ARMSTRONG DOT COM>
Reply-To: Mailing list for discussion of Firewall-1
<FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Subject: Re: [FW-1] Encryption in China (PRC)
Date: Wed, 25 May 2005 14:12:44 -0400

On Wed, May 25, 2005 at 11:06:29AM +0200, Michael Schwartzkopff wrote:
> Hi,
>
> does anybody know how the laws about encryption in China are? Is it allowed to
> establish an encrypted VPN tunnel from the Beijing office to the headquarters
> outside of China?

We have encrypted connections from all over the PRC connecting back to our
headquarters in the States.  IANAL, but the US export laws changed in
the last few years; our Chinese locations are part of a wholly
owned subsidiary, meaning we could send strong crypto products there.  I
am not sure about German law.  Nothing under Chinese law prohibited us
from deploying the strong crypto there for our business needs.

To deploy the crypto I first checked our domestic export regulations
and then deferred compliance with Chinese law to our Chinese
business's IT management.  They came back and said "this is not a
problem".

At one time we used to backhaul *all* Internet traffic across frame
from China, allowing the sites to browse the web and bypass the
alleged "Great Firewall of China".  The Chinese were not concerned to
my knowledge.  Now they use local ISPs but they are more concerned
with performance than potential filtering.


Matt

--
Matthew S. Cramer <mscramer AT armstrong DOT com>          Office: 717-396-5032
Infrastructure Security Analyst                     Fax:    717-396-5590
Armstrong World Industries, Inc.                    Cell:   717-917-7099

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================
