Sneak Preview: WatchGuard's SSL-Core VPN Gateway
The Firebox appliance keeps remote users safely connected through both private and public VPN modes, our reviewer says, but there are some annoyances like having to configure registry checks manually.
September 20, 2005
5 Min Read
SSL VPNs have become more robust and easier to deploy, making them ideal for keeping road warriors safely connected without the complexities of IPsec. A prime example is WatchGuard Technologies' Firebox SSL Core VPN Gateway. Based on the vendor's popular Firebox X Integrated Security Appliance, the rack-mountable unit runs a hardened Linux OS on Intel-based hardware with a 1.26-GHz processor, 256 MB of RAM, a 40-GB hard drive and six 10/100 Ethernet ports.
For my tests at the University of Florida's Real-World Labs®, I placed the Firebox SSL appliance on a network switch behind a ZyXel ZyWall 70 acting as an external firewall with only TCP Port 443 open to the Internet. Initial setup required configuration of the IP address, netmask, gateway, DNS and SSL certificate. My test network included Windows 2003 Active Directory for user authentication and network share testing.
The initial admin interface, a tabbed Web page, supports basic administrative functions like access to logs, changing the admin password, uploading licenses, starting/stopping the server and launching the Access Gateway Administration Tool, which opens a Citrix Secure Access interface to a Gnome desktop containing the Firebox SSL Admin tool. You can input the IP address and related information here before you place the appliance into production. The Firebox SSL Admin page displays tabs at the top for easy access to detailed management options for configuring authentication sources, network resources, user groups and policies, network settings, and logging.
Two in One
The Firebox SSL provides end users with two VPN modes: Private and Public/Kiosk. Private mode gives them full network access while they're using applications on their desktops or laptops. Public/Kiosk mode uses the Citrix Secure Access Kiosk client to connect to a remote Gnome desktop session with links to the Mozilla Web browser and clients for VNC, telnet, ICA, SSH and Remote Desktop.
I tested each mode by navigating to the HTTPS site accessible on the external IP of the firewall. The Windows version of the VPN client downloads and runs an 800-KB executable through ActiveX when using Internet Explorer. Because I was testing on a non-ActiveX-aware browser like Firefox, I had to download and run the VPN client executable separately, or load a Java applet supporting only Public mode. The executables and applets required only one download, which I completed using a high-speed Internet connection.
Private mode asked me for a user name and password, authenticated my credentials, and provided full access to the network behind the ZyXel firewall. Without difficulty, I browsed the Internet and local intranet, opened network shares on Windows servers, SSH'd into a Linux desktop, and used Outlook connected to a Microsoft Exchange server.
• SSL-based, requiring only one TCP port opened in the firewall
• Error message for host check failures not user-friendly
WatchGuard Firebox SSL Core VPN Gateway, starts at $2,790. WatchGuard Technologies, (800) 734-9905, (206) 521-8340. www.watchguard.com
Next, I clicked the Public mode, which prompted the Kiosk client to request my user credentials. A window opened, showing a Gnome desktop with links to some Linux applications. Each app ran as expected, letting me connect to Windows Terminal Services (Remote Desktop), SSH and VNC on a Linux desktop.
The SSL Core appliance supports external authentication through LDAP and RADIUS. I tested LDAP capabilities against our Active Directory domain, which simply required entering the appropriate domain controller IP, Administrator Bind DN and Base DN. Logging out of my current VPN connection and back in with my AD credentials was no different from logging in with a local user account contained on the appliance, and there was no noticeable delay as the SSL Core connected to the AD domain controller for authentication.
The Firebox appliance comes with configurable host compliance checks that look for running processes and the existence of files and registry entries. Registry and file checks occur at the beginning of the VPN session, and process checks take place continuously. I created two default checks requiring the existence of c:\temp.txt and the iexplore.exe process. File checks can require that the file have a time stamp on or after a particular date. Process checks, which are more advanced, may let you include a file checksum for added security.
To test the file-compliance check, I tried connecting to the VPN after deleting the c:\temp.txt file. The client responded, "System Security Policies have not been met." I replaced the text file and could connect again as before. If iexplore.exe was not running when the connection initiated, I received the same error message. Because process checks are continuous, I tried killing the iexplore.exe process, and my VPN connection was suspended within 10 seconds. When I turned the iexplore.exe process back on, my connection was restored.
Registry checks must be configured manually, so I had to enter the entire registry path for each check I wanted. Unlike most other SSL VPNs that support compliance checking, the WatchGuard product has no preconfigured checks available.
I also found it difficult to troubleshoot compliance checks on the client side, because the error messages are not intuitive for end users. Multiple checks are accomplished by creating Boolean expressions chaining together the names of the checks. If the checks are not named well, the end user will have no idea what "((AV1 | AV2) & RegRDP)" means. I hope the next version of Firebox lets administrators include a description for each check so that when a check fails, the VPN client will respond with the description.
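As an added illustration of the compliance-check model described above (file, process and registry checks chained by a Boolean expression) and of the per-check description the review asks for, here is a small evaluator. This is example code written for this page, not WatchGuard's implementation: the check names follow the quoted expression, but the antivirus executable names, the registry key and the host snapshot are constructed, and the grammar (`&`, `|`, parentheses) is assumed from the single expression shown.

```python
"""Host-compliance checks chained with Boolean expressions, reporting failures
by description. Example code for this page, not WatchGuard's; names below are
constructed unless they appear in the review."""
import re
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class HostState:
    """Constructed snapshot of what the VPN client would observe on the endpoint."""
    files: Dict[str, date] = field(default_factory=dict)   # path -> last-modified date
    processes: Set[str] = field(default_factory=set)       # running image names
    registry: Set[str] = field(default_factory=set)        # registry paths that exist


@dataclass
class Check:
    name: str                                  # short name used in policy expressions
    description: str                           # shown to the end user on failure
    predicate: Callable[[HostState], bool]


def file_exists(path: str, not_before: date = None):
    """File check: path exists and, optionally, is dated on/after not_before."""
    def pred(h: HostState) -> bool:
        mtime = h.files.get(path.lower())
        return mtime is not None and (not_before is None or mtime >= not_before)
    return pred


def process_running(image: str):
    """Process check: image name is in the running-process list (case-insensitive)."""
    return lambda h: image.lower() in {p.lower() for p in h.processes}


def registry_exists(path: str):
    """Registry check: the full key path exists (case-insensitive)."""
    return lambda h: path.lower() in {r.lower() for r in h.registry}


_TOKEN = re.compile(r"\s*([()&|]|[A-Za-z_][A-Za-z0-9_]*)\s*")


def tokenize(expr: str) -> List[str]:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if m is None:
            raise ValueError(f"bad token at offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """expr := term ('|' term)* ; term := atom ('&' atom)* ; atom := NAME | '(' expr ')'.
    Operands are never short-circuited, so every referenced check is evaluated."""

    def __init__(self, tokens: List[str], results: Dict[str, bool]):
        self.tokens, self.i, self.results = tokens, 0, results

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def expr(self) -> bool:
        value = self.term()
        while self.peek() == "|":
            self.take()
            rhs = self.term()
            value = value or rhs
        return value

    def term(self) -> bool:
        value = self.atom()
        while self.peek() == "&":
            self.take()
            rhs = self.atom()
            value = value and rhs
        return value

    def atom(self) -> bool:
        tok = self.take()
        if tok == "(":
            value = self.expr()
            if self.take() != ")":
                raise ValueError("missing ')'")
            return value
        if tok in self.results:
            return self.results[tok]
        raise ValueError(f"unknown or misplaced token {tok!r}")


def evaluate_policy(expr: str, checks: List[Check], host: HostState) -> Tuple[bool, List[str]]:
    """Return (policy satisfied, descriptions of referenced checks that failed)."""
    by_name = {c.name: c for c in checks}
    tokens = tokenize(expr)
    referenced = list(dict.fromkeys(t for t in tokens if t not in ("(", ")", "&", "|")))
    missing = [t for t in referenced if t not in by_name]
    if missing:
        raise ValueError(f"policy references undefined checks: {missing}")
    results = {n: by_name[n].predicate(host) for n in referenced}
    parser = _Parser(tokens, results)
    ok = parser.expr()
    if parser.peek() is not None:
        raise ValueError(f"trailing input: {parser.peek()!r}")
    return ok, [by_name[n].description for n in referenced if not results[n]]


def user_message(expr: str, checks: List[Check], host: HostState) -> str:
    """What the client could show instead of a bare 'policies have not been met'."""
    ok, failed = evaluate_policy(expr, checks, host)
    if ok:
        return "Host check passed."
    return "System Security Policies have not been met:\n" + "\n".join(f" - {d}" for d in failed)


# Constructed checks; the names mirror the expression quoted in the review.
CHECKS = [
    Check("AV1", "Vendor A antivirus (hypothetical avsvc_a.exe) must be running",
          process_running("avsvc_a.exe")),
    Check("AV2", "Vendor B antivirus (hypothetical avsvc_b.exe) must be running",
          process_running("avsvc_b.exe")),
    Check("RegRDP", r"Registry key HKLM\SOFTWARE\Example\RDP (hypothetical) must exist",
          registry_exists(r"HKLM\SOFTWARE\Example\RDP")),
    Check("TempFile", r"c:\temp.txt must exist and be dated 2005-01-01 or later",
          file_exists(r"c:\temp.txt", date(2005, 1, 1))),
]
POLICY = "((AV1 | AV2) & RegRDP) & TempFile"


def compliant_host() -> HostState:
    """Constructed endpoint that satisfies POLICY (AV2 present, AV1 absent)."""
    return HostState(files={r"c:\temp.txt": date(2005, 9, 1)},
                     processes={"avsvc_b.exe", "iexplore.exe"},
                     registry={r"HKLM\SOFTWARE\Example\RDP"})


if __name__ == "__main__":
    host = compliant_host()
    print(user_message(POLICY, CHECKS, host))
    del host.files[r"c:\temp.txt"]      # repeat the reviewer's deletion test
    print(user_message(POLICY, CHECKS, host))
```

Re-running `evaluate_policy` on a timer against a fresh `HostState` is all that is needed to model the continuous process checks the review describes; the file and registry predicates would simply be evaluated once at session start.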
WatchGuard chose to make network troubleshooting as easy as possible for administrators by providing a variety of tools in the Access Gateway Administration remote Gnome interface. The tools include a real-time monitor of logged-in users, a GUI for service scans, port scans, ping scans, traceroute, whois and finger queries, Gnome System Monitor, fnetload and Ethereal.
John H. Sawyer is a network security engineer at the University of Florida and a GIAC Certified Firewall Analyst and Incident Handler. Write to him at [email protected].