WatchGuard Firebox SSL VPN FAQ

Firebox® SSL Core™ VPN Gateway Frequently Asked Questions
Background

Q: What are the specific trends in the SME space driving the need for an SSL product?
A: As a new technology, SSL VPNs have been primarily designed for larger organizations. Now, with this new product, SSL technology can be utilized easily and cost-effectively by the SME. Workforces, including those in small businesses, are increasingly mobile and able to benefit from remote access solutions. SMEs will be investing more in their IT infrastructure, but will do so conservatively, focusing on products that are proven and reliable. Secure remote access over SSL is one such technology.

Q: How does the SSL product tie into WatchGuard's integrated security strategy?
A: In addition to providing its brand of simple and strong security through integrated security (or Unified Threat Management) appliances, WatchGuard has identified a need amongst its SME customer base for specialized security appliances. By quickly deploying software on the robust Firebox® X Core™ platform, WatchGuard is expanding the breadth of offerings for its installed base, as well as its reach into new customers with these stand-alone products.
Functionality and Deployment

Q: What does the Firebox SSL Core VPN Gateway do?
A: The Firebox® SSL Core VPN Gateway ensures hassle-free, universal access to any network application or resource, with enterprise-class security and dependability. Its full-featured Secure Access client mode provides mobile users with an in-office experience, while Kiosk mode enables easy access to Web-based applications from Web-enabled devices. All with the strong security and administrative control demanded by today's security-conscious organizations, including built-in endpoint enforcement and two-factor authentication support. You'll get up and running fast with streamlined deployment and management: no application connectors, no network reconfiguration, no extras to buy, and no client hassles.

Q: Is this a firewall appliance?
A: No, it's a VPN gateway appliance that facilitates secure access to a network using SSL-encrypted tunnels.
Q: What software is running on this appliance?
A: WatchGuard has partnered with Citrix® to deliver robust SSL VPN technology to the mid-market. The software running on the Firebox SSL is based on the Citrix Access Gateway software version 4.9.

Q: Where should this appliance be deployed on the network?
A: The Firebox SSL is ideally deployed in one of the following configurations:
- Connected to a LAN behind a firewall
- Straddling a firewall
- Connected to a LAN behind a server load balancer

Q: Can I deploy the Firebox SSL behind any firewall?
A: The Firebox SSL can be deployed behind any firewall, but ideally it should be deployed behind a WatchGuard Firebox® X integrated security appliance. When connected to the Firebox X through the DMZ, additional content filtering, behavioral analysis, intrusion prevention, and malware protection can be applied to traffic running through the Firebox X.
Q: What applications and network resources can be accessed using the Firebox SSL?
A: Any application or network resource can be accessed through the Firebox SSL Core VPN Gateway, without having to modify the application or DNS. The Firebox SSL is application-agnostic and protocol-agnostic, and offers access to any resource on the network. These include:
- Distributed Windows® and UNIX® applications
- Network file shares
- Data and collaboration services
- SSH
- Telnet
- Telephony services using VoIP soft phones
Applications can be accessed in their native form; there's no need for any custom development or "webification."

Q: What protocols does the Firebox SSL support?
A: The Firebox SSL supports all protocols, including TCP, UDP (for VoIP and video), RAS, and ICMP.
Q: How can any application or network resource be accessed using the Firebox SSL?
A: The Firebox SSL provides two powerful modes of access out of the box:
- Secure Access client mode utilizes a Web-deployed, auto-updated client that enables access to any application or information resource in its native interface over an SSL-encrypted tunnel.
- Kiosk mode offers one-click access from Microsoft® Windows® and Java™-enabled Web browsers to Web-based applications, an integrated Citrix® ICA client, Remote Desktop, SSH, Telnet 3270 emulator, VNC servers, and shared network drives over an SSL-encrypted tunnel.

Q: How many concurrent tunnels will be available?
A: The Firebox SSL Core VPN Gateway supports up to 205 concurrent tunnels, and ships with 5 tunnels enabled. Additional tunnels are available in packs of 5, 10, 20, and 50. 3 Kiosk mode tunnels are supported.
Q: Is a tunnel the same as a user?
A: Yes, a tunnel is a concurrent, end-to-end connection for a user. If a Firebox SSL has 10 activated tunnels, 10 users can access the network simultaneously. If an 11th user tries to access the Firebox SSL Core VPN Gateway, that user will not be able to do so until one of the first 10 users disconnects.
If 100 users need access to 3 different networks behind the Firebox SSL, only 100 tunnel licenses are needed.

Q: What devices can be used to access the Firebox SSL?
A: When accessing the network using Secure Access client mode, devices must be running Windows 2000, Windows 2000 Professional, Windows 2000 Server, Windows XP, XP Home, XP Professional, or any Linux 2.4 platform.
When accessing the network using Kiosk mode, devices must be running a Windows browser or a Java-enabled browser (JVM v1.4.2 or higher).
Q: With built-in endpoint security, what kinds of attributes can be verified on the access device before it is allowed to access the network?
A: Before a remote device can establish a connection to the network, its security posture can be verified using the integrated, configurable host-checking capabilities. Device attributes that can be verified include:
- Registry checks
  - Check corporate asset tags
  - Confirm that key security software is installed
- File checks
  - Verify that the proper antivirus definition file versions/dates are present
  - Confirm that appropriate OS patches and security updates are installed on the device
- Process checks
  - Verify that antivirus applications, personal firewalls, or other security software is running
  - Check for unwanted processes, such as keyloggers
  - This is an executable checksum, which makes sure it's the REAL executable
If any process designated as required for access is disabled or stops during a VPN session, the VPN session will be suspended.
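The host-check categories described above (registry, file and process checks, the executable checksum on required processes, and suspension of an established session when a required process stops), written as a small policy evaluator. This is an added illustration, not code from the Firebox SSL or the Citrix Access Gateway; the snapshot format, policy fields and sample values are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
@dataclass
class DeviceSnapshot:            # constructed posture report from the access device, not a real agent format
    registry: dict[str, str]     # registry value name -> value
    files: dict[str, str]        # file path -> version string found in that file
    processes: dict[str, bytes]  # running process name -> bytes of its executable

@dataclass
class Policy:                    # what the gateway requires before admitting the device
    required_registry: dict[str, str] = field(default_factory=dict)   # name -> expected value
    required_files: dict[str, str] = field(default_factory=dict)      # path -> minimum version
    required_processes: dict[str, str] = field(default_factory=dict)  # name -> SHA-256 of its executable
    forbidden_processes: set[str] = field(default_factory=set)        # e.g. known keylogger process names
def version_tuple(v: str) -> tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))

def evaluate(policy: Policy, snap: DeviceSnapshot) -> list[str]:
    """Return every failed check; an empty list means the device passes the host check."""
    failures = []
    for name, expected in policy.required_registry.items():       # registry checks (asset tag, software installed)
        if snap.registry.get(name) != expected:
            failures.append(f"registry:{name}")
    for path, minimum in policy.required_files.items():           # file checks (definition versions, patches)
        found = snap.files.get(path)
        if found is None or version_tuple(found) < version_tuple(minimum):
            failures.append(f"file:{path}")
    for name, digest in policy.required_processes.items():        # process checks (security software running)
        exe = snap.processes.get(name)
        if exe is None:
            failures.append(f"process-missing:{name}")
        elif hashlib.sha256(exe).hexdigest() != digest:           # executable checksum: is it the REAL binary?
            failures.append(f"process-checksum:{name}")
    for name in policy.forbidden_processes:                       # unwanted processes such as keyloggers
        if name in snap.processes:
            failures.append(f"process-forbidden:{name}")
    return failures

def decide(policy: Policy, snap: DeviceSnapshot, in_session: bool) -> str:
    """'allow' on a clean check, 'deny' before connect, 'suspend' when a required process stops or is replaced mid-session."""
    failures = evaluate(policy, snap)
    if not failures:
        return "allow"
    if in_session and any(f.startswith(("process-missing", "process-checksum")) for f in failures):
        return "suspend"
    return "deny"
# Constructed sample data: the genuine AV agent binary and a policy that requires it.
AV_EXE = b"example-av-agent-binary"
POLICY = Policy(required_registry={"CorpAssetTag": "WG-0001"}, required_files={"C:/AV/defs.dat": "2.14"},
                required_processes={"avagent.exe": hashlib.sha256(AV_EXE).hexdigest()},
                forbidden_processes={"keylog.exe"})
CLEAN = DeviceSnapshot({"CorpAssetTag": "WG-0001"}, {"C:/AV/defs.dat": "2.15"}, {"avagent.exe": AV_EXE})
```

Re-running `decide` on a fresh snapshot at intervals during the session is what turns the executable checksum and process checks into the mid-session suspension the answer describes.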
Q: What encryption and certificates are employed with the Firebox SSL?
A: The Firebox SSL supports all authorized SSL digital certificates and utilizes SSL (v1 and v2) and TLS (v3) for packet encryption. It supports 196-bit encryption, as well as lower or higher bit values, based on the certificate in use. The Firebox SSL supports all OpenSSL ciphers: CAST, CAST5, DES, 3DES, IDEA, RC2, RC4, and RC5.
Q: What authentication servers/processes are supported?
A: The Firebox SSL Core VPN Gateway supports multiple authentication schemes, including:
- HTTP 401 Basic
- Windows Active Directory
- RADIUS - one or more servers
- LDAP - one or more servers
- Local user group authorization
- Two-factor authentication: RSA SecurID® (RSA ACE/Server) - one server, Next Token Mode
- Realm-based authentication - multiple authentication servers
- Single sign-on: automatic drive mapping and installation scripts
Q: What management interfaces are used to configure and manage the Firebox SSL?
A: Administration is extremely easy and straightforward, with an intuitive interface, yet it also provides depth for those who desire it. The Firebox SSL is administered, configured, and managed using a robust Web/Java interface.
- Configuration and policy management is launched through the Java-based console
- Login to the console is accessed through the Administration Portal page

Q: What advanced networking features are available with the Firebox SSL?
A: The Firebox SSL Core VPN Gateway includes a variety of networking capabilities that offer flexibility for today's evolving networks. Some of these features include:
- Ability to enable/disable split tunneling
- Support for load balancers
- Dynamic routing using RIP/RIP2
- Static routing
- Split DNS for DNS failover
- Round-robin client connection failover
- IP pooling
- Configurable session timeout
Purchasing

Q: How much does the Firebox SSL Core VPN Gateway cost and what is delivered?
A: The Firebox SSL Core VPN Gateway comes with a hardened Linux appliance (including a hard disk drive), SSL VPN software, five concurrent tunnels, and 90 days of LiveSecurity® Service.
Additional tunnels can be purchased in increments of 5, 10, 20, and 50 as your organization's secure access needs grow. Tunnel packs are stackable.
Pricing for the Firebox SSL Core VPN Gateway and additional tunnels is available from your local WatchGuard sales representative and your local distributor or reseller.

Q: Where can the Firebox SSL be purchased?
A: The Firebox SSL is available through WatchGuard resellers.

Q: How are additional tunnels obtained?
A: Additional concurrent tunnels can be purchased in stackable tunnel packs, activated via a license key.
LiveSecurity® Service

Q: Is any support included with this product?
A: Yes, 90 days of LiveSecurity will be included with this product, and you will then have the option to purchase a 12- or 24-month LiveSecurity Service subscription. This support subscription provides:
- Software Maintenance - hot fixes, patches, and software upgrades - for the term of the subscription
- WatchGuard Technical Support - by phone and Web-based, plus access to the WatchGuard knowledge base
- Hardware Warranty for the term of the subscription
- LiveSecurity E-mail Alerts, Broadcasts, and other related editorial content

Q: Do I need to buy support with this product?
A: You are not required to purchase support with the product, although it is highly recommended.

Q: Will there be 90 days of support included with this product?
A: Yes, each appliance will ship with 90 days of LiveSecurity Service.

Q: Who do I go to for support?
A: WatchGuard will provide support to its customers who purchase LiveSecurity. Technical support services may also be provided by qualified WatchGuard Security Partners (WSPs).

Q: How is LiveSecurity Service renewed?
A: You must purchase and activate two separate license keys in order to renew LiveSecurity on your Firebox SSL. The first key is for the appliance itself and the second key is for the tunnels active on the appliance. You will need both renewal keys in order to renew LiveSecurity; otherwise the LiveSecurity activation cannot be completed.
Example: A Firebox SSL with 25 activated tunnel licenses needs to have its LiveSecurity subscription renewed. You will need two LiveSecurity renewal keys to complete your renewal activation. The two keys needed in this example:
- Firebox SSL Core 1-Year LiveSecurity Renewal
- Firebox® SSL 25 Tunnel 1-Year LiveSecurity Renewal
Citrix® and WatchGuard® Partnership

Q: Why did WatchGuard® and Citrix® decide to form this OEM relationship? Why now? What are the benefits for each company?
A: WatchGuard has been providing mobile user VPN functionality using IPSec for years and was evaluating SSL technology to determine the best path into this market. The OEM agreement with Citrix was logical, as it allowed WatchGuard to implement what the company has determined to be the best SSL VPN solution available on the market today. WatchGuard benefits by joining forces with the leader in access platform solutions to enter the SSL market, and Citrix benefits from WatchGuard's security expertise, go-to-market model, and support services for the SME market.