WatchGuard SSL 100
Strengths: Wealth of authentication methods offers tight security for remote access, very good value, endpoint assessment
Weaknesses: Number of authentication methods presents a steep learning curve
Verdict: A highly featured SSL VPN that's priced right for SMBs and tough enough for enterprises
WatchGuard's SSL 100 stands out: not only is it an affordable appliance-based solution for SMBs, but it also supports more end-user authentication methods than most enterprise-level products.
The SSL 100 is deployed in a DMZ where user requests are routed through to it from the firewall. We had no problems installing the appliance as, on first contact, the web interface offers a wizard-based setup routine.
After activating the appliance with a feature key, we configured the first network port for 'all access' and were ready to go. We chose the single arm mode, but you can use the second Ethernet port and provide access from two separate DMZs.
It is worth familiarising yourself with the various authentication methods, as there are no fewer than 16. The manual and online help make valiant efforts to explain them all, but it still represents a steep learning curve.
WatchGuard provides five options, including standard web browser authentication using PINs or passwords. SSL challenge-and-response authentication is aimed at the use of tokens for generating passwords. The Mobile Text method calls for an OTP (one time password) to be sent via SMS to a mobile after users have entered their credentials. LDAP, Active Directory (AD), Novell's eDirectory and form-based authentication are among 11 other standard methods supported.
Adding users to the SSL 100 won't take long and we imported 1,000 AD users by providing details of our AD server, browsing the AD root and choosing the appropriate container. Users can also be added manually, but the AD method is easier as it can import specific information about each user. You can request account details such as passwords and mobile phone numbers to be imported.
When it comes to defining the network resources made available to users, there are two main types to choose from. Put simply, those accessed only through a browser are classed as web resources, and those that require a separate application are called tunnel resources. Examples of tunnel resources would be RDP or third-party FTP applications.
Security options are defined using global settings for the number of allowed failed logins, account expiry times and session timeouts. Network resources can be defined to groups of users, where you specify what they are required to do to access them. With directory services you can implement self-service, where users can activate accounts and retrieve passwords.
Setting up resources is simple and WatchGuard gives templates of partially configured standard resources that include mail servers, OWA, Microsoft Terminal Services servers, simple Windows file shares and home directories.
Tunnel resources use WatchGuard's Access Client, which loads a virtual network adapter to provide encrypted access to the main network. The client comes in two flavours with an on-demand version creating secure tunnels dynamically, while an installable version loads with Windows and keeps a tunnel permanently open.
WatchGuard's SSL challenge authentication requires its Mobile ID client to be installed on the user's laptop, or on a mobile phone that can run Java. At the web portal, users enter their username and are presented with a challenge in the form of a number sequence. They use a keypad to enter their PIN into the Mobile ID client followed by the challenge sequence, which then generates an OTP that is entered on the portal login page.
SSL challenge sounds complicated, but we found it easy enough to use. The Mobile ID client keypad is also designed to flummox keyloggers, as it displays the numbers randomly jumbled each time it is used. Web SSL authentication isn't as secure but is easier to use, as it doesn't involve the challenge sequence.
Web SSL authentication requires a username and WatchGuard password which must contain at least two numbers. The reason for this is that the portal login screen lets you use the keyboard to enter characters but requires numbers to be entered only using its Java keypad, again to confound keyloggers.
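To make the challenge-response flow described above concrete, here is an added Python simulation of both sides; it is not WatchGuard's code, and since the review does not describe the Mobile ID algorithm, the HMAC-based OTP derivation, the 8-digit challenge and the 6-digit OTP are assumptions. It shows why an OTP captured by a keylogger is useless once its challenge has been consumed, and how failed attempts can feed the failed-login limit mentioned later.

```python
import hashlib
import hmac
import secrets

OTP_DIGITS = 6  # assumed OTP length


def derive_client_key(seed: bytes, pin: str) -> bytes:
    # Assumed construction: bind the device seed to the user's PIN so a copied
    # seed without the PIN cannot answer challenges.
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()


def compute_otp(client_key: bytes, challenge: str) -> str:
    # Assumed construction: truncate an HMAC over the challenge to OTP_DIGITS.
    digest = hmac.new(client_key, challenge.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**OTP_DIGITS).zfill(OTP_DIGITS)


class Portal:
    """Server side: one fresh challenge per login attempt, consumed on verify."""

    def __init__(self) -> None:
        self.keys: dict[str, bytes] = {}     # username -> enrolled client key
        self.pending: dict[str, str] = {}    # username -> outstanding challenge
        self.failures: dict[str, int] = {}   # feeds the allowed-failed-logins limit

    def enrol(self, username: str, seed: bytes, pin: str) -> None:
        self.keys[username] = derive_client_key(seed, pin)

    def issue_challenge(self, username: str) -> str:
        challenge = f"{secrets.randbelow(10**8):08d}"  # assumed 8-digit sequence
        self.pending[username] = challenge
        return challenge

    def verify(self, username: str, otp: str) -> bool:
        challenge = self.pending.pop(username, None)  # a challenge is used once
        if challenge is None or username not in self.keys:
            return False
        ok = hmac.compare_digest(compute_otp(self.keys[username], challenge), otp)
        if not ok:
            self.failures[username] = self.failures.get(username, 0) + 1
        return ok


if __name__ == "__main__":
    portal = Portal()
    seed = b"constructed-device-seed"          # constructed sample enrolment
    portal.enrol("alice", seed, "1234")
    challenge = portal.issue_challenge("alice")
    otp = compute_otp(derive_client_key(seed, "1234"), challenge)  # Mobile ID step
    print("login:", portal.verify("alice", otp))         # True
    print("replayed OTP:", portal.verify("alice", otp))  # False: challenge consumed
```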
We had no problems defining resources for OWA, RDP, Windows file shares and our SBS workplace. Rules were also used to control access based on AD group membership, authentication method and client IP addresses.
SSO is supported: the appliance can capture, cache and encrypt a user's login details so that the next time they access that resource their credentials are entered automatically. The appliance can also assess the endpoint security of Windows systems by scanning for processes such as firewalls and anti-virus, registry values and files. WatchGuard's Abolishment feature can be used to clear browser caches and histories and delete downloaded files once remote sessions have ended.
WatchGuard's SSL 100 offers a remarkable range of features and easily rivals far more expensive SSL VPN solutions. It will take a while to understand the myriad authentication methods on offer, but SMBs will be hard pushed to find a more secure remote access solution at this price point.