Subscribe Contact Us About Us Advertising Editorial Calendar SC US SC Aus/NZ

Home
News
Events
Blog
SC Awards
- Previous Awards
Products
- Reviews
- Group Tests
SC Insight
Jobs
Archive
Subs
- News by Email
- Subscribe to SC Magazine
Whitepapers

Text "follow scmagazineuk" to 86444
@scmagazineuk
LinkedIn

RSS | Log in | Register

WatchGuard SSL 100

Dave Mitchell

12/15/2009

Print
Email
Reprint
Text: A | A | A

Product Information

Vendor:WatchGuard Technologies

Product: WatchGuard SSL 100

http://www.watchguard.com

Price:£1,375 for 25 licences, £330 for one year Live Security (all exc VAT)

Product Rating

Features
Ease of Use
Performance
Documentation
Support
Value for Money
Overall Rating

For:Wealth of authentication methods offers tight security for remote access, very good value, endpoint assessment

Against:Number of authentication methods presents a steep learning curve

Verdict:A highly featured SSL VPN that's priced right for SMBs and tough enough for enterprises

Reviews For This Vendor

WatchGuard's SSL 100 stands out: not only is it an affordable appliance-based solution for SMBs, but it
also supports more end-user authentication methods than most enterprise-level products.

The SSL 100 is deployed in a DMZ where user requests are routed through to it from the firewall. We had no problems installing the appliance as, on first contact, the web interface offers a wizard-based setup routine.

After activating the appliance with a feature key, we configured the first network port for 'all access' and were ready to go. We chose the single arm mode, but you can use the second Ethernet port and provide access from two separate DMZs.

It is worth familiarising yourself with the various authentication methods, as there are no less than 16. The manual and online help make valiant efforts to explain them all, but it still represents a steep learning curve.

WatchGuard provides five options, including standard web browser authentication using PINs or passwords. SSL challenge-and-response authentication is aimed at the use of tokens for generating passwords. The Mobile Text method calls for an OTP (one time password) to be sent via SMS to a mobile after users have entered their credentials. LDAP, Active Directory (AD), Novell's eDirectory and form-based authentication are among 11 other standard methods supported.

Adding users to the SSL 100 won't take long and we imported 1,000 AD users by providing details of our AD server, browsing the AD root and choosing the appropriate container. Users can also be added manually, but the AD method is easier as it can import specific information about each user. You can request account details such as passwords and mobile phone numbers to be imported.

When it comes to defining network resources to be made available to users, there are two main types to choose from. Put simply, those only accessed using a browser are classed as web resources and those that require a separate application are called tunnel resources. Examples of tunnel resources would be RDP or third party applications for FTP.

Security options are defined using global settings for the number of allowed failed logins, account expiry times and session timeouts. Network resources can be defined to groups of users, where you specify what they are required to do to access them. With directory services you can implement self-service, where users can activate accounts and retrieve passwords.

Setting up resources is simple and WatchGuard gives templates of partially configured standard resources that include mail servers, OWA, Microsoft Terminal Services servers, simple Windows file shares and home directories.

Tunnel resources use WatchGuard's Access Client, which loads a virtual network adapter to provide encrypted access to the main network. The client comes in two flavours with an on-demand version creating secure tunnels dynamically, while an installable version loads with Windows and keeps a tunnel permanently open.

WatchGuard's SSL challenge authentication requires its Mobile ID client installed on the user's laptop - or a mobile phone that can run Java. At the web portal, they enter their user name and are presented with a challenge in the form of a number sequence. They use a keypad to enter their PIN in the Mobile ID client followed by the challenge sequence, when it generates an OTP that is entered in the portal login page.

SSL challenge sounds complicated but we found it easy enough to use. The Mobile ID client keypad is also designed to flummox keyloggers as it always displays the numbers randomly jumbled each time it's used. Web SSL authentication isn't as secure but easier to use, as it doesn't provide the challenge sequence.

Web SSL authentication requires a username and WatchGuard password which must contain at least two numbers. The reason for this is that the portal login screen lets you use the keyboard to enter characters but requires numbers to be entered only using its Java keypad, again to confound keyloggers.

We had no problems defining resources for OWA, RDP, Windows file shares and our SBS workplace. Rules were also used to control access based on AD group membership, authentication method and client IP addresses.

SSO is supported; the appliance can capture, cache and encrypt a user's login details so the next time they access that resource their credentials will be entered. Endpoint security of Windows systems can be assessed by the appliance where it scans for processes such as firewalls and anti-virus, registry values and files. WatchGuard's Abolishment feature can also be used to clear browser caches and histories and delete downloaded files when remote sessions have ended.

WatchGuard's SSL 100 offers a remarkable range of features and easily rivals far more expensive SSL VPN solutions. It will take a while to understand the myriad authentication methods on offer, but SMBs will be hard pushed to find a more secure remote access solution at this price point.
Dave Mitchell

SC Featured Webcast

Employee file sharing: the good, the bad and the ugly

Streaming live on 4th June 2013 at 3pm GMT

This new webcast is set to unveil the full results from the latest data security survey, where it was revealed that 50 per cent of the information security professionals asked said that they had 'no real visibility' of how data is being sent within and outside the company. Guest speakers include the director of information security from Monster.co.uk and the ISO from Atos. To secure your free place, please click here.

SC Webcasts

Security beyond the (fire)wall

Streaming live on 6^th June at 3pm BST

This webcast addresses the technological challenges of maintaining full control of your most sensitive information - even once it goes beyond the firewall - while maintaining the freedom and flexibility necessary to allow your staff and other stakeholders to work as efficiently as possible. Tune in for free to hear from our regular and popular guest speaker, Bola Rotibi from (ISC)2 application security advisory board. To secure your place, please click here.

2013's invisible network threats: Identify and respond

Streaming live on 11^th June at 3pm BST

In a recent SC survey, when asked 'Do you think your current network is secure?' 43 per cent of IS professionals said they were not sure. Technology developments such as multi-point cloud solutions, consumerisation, BYOD uptake and even Windows 8 are a major headache in network security for IT leaders. So what can be done? SC's latest webcast shares practical advice from industry experts. To secure your free place, please click here.

SC Whitepapers

Java security: Balancing existing testing platforms with open source solutions

In a rush to get new products out to market quickly, companies expose themselves to the risk of software failure. Java developers often turn to open source solutions to help protect themselves from risk. This new whitepaper explains how you can use your existing testing platforms alongside open source solutions to fix those issues related to both security and quality within your Java code. To download the paper for free, please click here.

DDoS and downtime: Considerations for risk management

The purpose of this paper is to start a conversation about the often overlooked risk of downtime caused by DDoS attacks and to provide sufficient content for risk managers to account for the DDoS threat as they evaluate risks to their day-to-day operations and long-term mission. To read the paper in full, please download it for free here.

Ponemon 2012 Global Encryption Trends Study

In Ponemon's recent Global Encryption Study, the organisation surveyed 4,205 information security professionals across seven countries to examine how encryption has evolved over the last eight years. The study focused on data protection priorities, budgeted expenditures for encryption and the types of encryption technologies involved, with the findings revealing some interesting insight into the relationship between encryption and its impact on the security position of organisations. To read the full report for free, please download it here.

Advanced spear phishing: The rise of industrial phishing attacks

With phishing still the most common form of attack, hackers are now engaging in industrial-scale phishing attacks that leverage sophisticated customisation and delivery techniques. Borrowing tactics from cloud computing and database marketing, this study looks at longline phishing - an advanced form of spear phishing, which has higher clickthrough and penetration rates than traditional attacks, potentially causing a higher risk to IT security departments across the world. To read the study for free, please click here.

Most Popular
Most Emailed
Most Recent

RSS

This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.

Your use of this website constitutes acceptance of Haymarket Media's Privacy Policy and Terms & Conditions