WatchGuard Firebox SSL VPN Gateway review
The growing popularity of SSL VPNs can’t be ignored. Most appliance vendors that have traditionally focused on IPSec VPNs are now being forced to toe the line and offer a solution as well. WatchGuard’s new Firebox SSL VPN Gateway is primarily aimed at small businesses. The price of the review unit includes a licence for up to five concurrent SSL VPN tunnels, and the Firebox can support a maximum of 205 concurrent tunnels.
The hardware specification isn’t anything to shout about. Although there are six Fast Ethernet ports on the front panel, only the first two are active. WatchGuard advised us that the remaining four may be used in future releases. The main web interface provides easy access to basic administrative functions, but all configuration is run from WatchGuard’s Citrix-based tool, which can be downloaded from the browser interface. The first job will be to license the appliance, and we wouldn’t recommend using the Citrix interface as, although it accepted our licence file, it refused to apply it. WatchGuard advised us that licensing should be run from the main web interface.
WatchGuard takes a different tack in implementing SSL VPNs. Its secure client mode merely acts as a transport layer, which provides a secure tunnel to the LAN. It’s actually quite similar to the mode of operation used by IPSec VPNs. As such, it would work well for businesses that want to give remote users the same access as if they were on the LAN, but over SSL. However, plenty of resource access controls are provided – you can use a combination of IP addresses, ports and TCP/UDP protocols to define specific portals. For authentication, the appliance has a local user database, or LDAP, RADIUS or RSA servers can be used instead. Groups determine what resources are to be made available, and each can contain multiple resource declarations. Likewise, users can be members of more than one group, simplifying ongoing access control.
When a remote user logs onto the appliance, they’re greeted by a customisable web page that offers two types of access. If they’re at a PC deemed private, they can select secure client mode, which creates a connection and allows them to access LAN resources according to their user credentials. The Kiosk mode is for situations where a user may be in an insecure area, such as an Internet cafe. This mode opens up a VNC (virtual network computing) style connection to the appliance, so only screen images are sent over the connection. Any temporary files or cookies remain on the appliance’s hard disk for the duration of the session, so nothing is left on the user’s system. Extra resources can be declared for kiosk users: it’s possible to define network shares for them and to decide whether the Citrix ICA client or the Windows Remote Desktop client should be accessible. As with PortWise, the Firebox can enforce end-point security to ensure that client systems meet certain criteria. You can create host check rules for Registry entries, files and processes, combine them with Boolean expressions, and apply them to selected groups.
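To make the access model described above concrete, here is an added, illustrative Python model (not WatchGuard’s code, and the policy data is invented) of resource declarations grouped by IP range, port and protocol, users belonging to several groups, and Boolean host-check rules over Registry entries, files and processes gating each group:

```python
# Illustrative model of the review's access-control scheme. Constructed example,
# not WatchGuard's implementation; the policy and host facts below are invented.
from ipaddress import ip_address, ip_network

# A host-check rule is a nested tuple: ("registry"|"file"|"process", name),
# ("and", [rules]), ("or", [rules]) or ("not", rule).
def host_check(rule, facts):
    """Evaluate a Boolean host-check rule against the facts an endpoint reports."""
    kind, arg = rule
    if kind in ("registry", "file", "process"):
        return arg in facts.get(kind, set())
    if kind == "and":
        return all(host_check(r, facts) for r in arg)
    if kind == "or":
        return any(host_check(r, facts) for r in arg)
    if kind == "not":
        return not host_check(arg, facts)
    raise ValueError(f"unknown rule kind {kind!r}")

def resource_matches(resource, dst_ip, dst_port, proto):
    """A resource declaration is (network, allowed port range, protocol)."""
    network, ports, res_proto = resource
    return (ip_address(dst_ip) in ip_network(network)
            and dst_port in ports and proto == res_proto)

# Constructed policy: group name -> (host-check rule or None, resource list).
GROUPS = {
    "staff": (None, [("10.0.1.0/24", range(80, 81), "tcp"),
                     ("10.0.1.0/24", range(443, 444), "tcp")]),
    "admins": (("and", [("registry", "HKLM\\SOFTWARE\\ExampleAV\\Installed"),
                        ("or", [("process", "avservice.exe"),
                                ("process", "avsvc.exe")])]),
               [("10.0.0.0/16", range(22, 23), "tcp"),
                ("10.0.2.0/24", range(1, 65536), "udp")]),
}
USERS = {"alice": ["staff", "admins"], "bob": ["staff"]}

def is_allowed(user, facts, dst_ip, dst_port, proto):
    """Allow if any of the user's groups whose host check passes declares the resource."""
    for name in USERS.get(user, []):
        rule, resources = GROUPS[name]
        if rule is not None and not host_check(rule, facts):
            continue  # endpoint fails this group's check, so its resources don't apply
        if any(resource_matches(r, dst_ip, dst_port, proto) for r in resources):
            return True
    return False
```

A user in several groups gets the union of their resources, but a group with a failing host check contributes nothing, which is the effect of applying host-check rules per group.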
Compared to PortWise, the Firebox SSL VPN Gateway is better value for smaller remote workforces. It’s fairly easy to configure and provides good resource access controls, along with support for persistent and kiosk client modes.