Using the Firebox SSL VPN Gateway

NAT firewalls maintain a table that allows them to route secure packets from the Firebox SSL VPN Gate- way back to the client computer. For circuit-oriented connections, the Firebox SSL VPN Gateway main- tains a port-mapped, reverse NAT translation table. The reverse NAT translation table enables the Firebox SSL VPN Gateway to match connections and send packets back over the tunnel to the client with the correct port numbers so that the packets return to the correct application.

The Firebox SSL VPN Gateway tunnel is established using industry-standard connection establishment techniques such as HTTPS, Proxy HTTPS, and SOCKS. This operation makes the Firebox SSL VPN Gateway firewall friendly and allows remote computers to access private networks from behind other organiza- tions’ firewalls without creating any problems.

For example, the connection can be made through an intermediate proxy, such as an HTTP proxy, by issuing a CONNECT HTTPS command to the intermediate proxy. Any credentials requested by the inter- mediate proxy, are in turn obtained from the remote user (by using single sign-on information or by requesting the information from the remote user) and presented to the intermediate proxy server. When the HTTPS session is established, the payload of the session is encrypted and carries secure pack- ets to the Firebox SSL VPN Gateway.

Terminating the Secure Tunnel and Returning Packets to the Client

The Firebox SSL VPN Gateway terminates the SSL tunnel and accepts any incoming packets destined for the private network. If the packets meet the authorization and access control criteria, the Firebox SSL VPN Gateway regenerates the packet IP headers so that they appear to originate from the Firebox SSL VPN Gateway’s private network IP address range or the client-assigned private IP address. The Firebox SSL VPN Gateway then transmits the packets to the network.

Note

If you run a packet sniffer such as Ethereal on the computer where the Secure Access Client is running, you will see unencrypted traffic that appears to be between the client and the Firebox SSL VPN Gateway. That unencrypted traffic, however, is not over the tunnel between the client and the Firebox SSL VPN Gateway but rather the tunnel to the local applications.

The Secure Access Client maintains two tunnels: an SSL tunnel over which data is sent to the Firebox SSL VPN Gateway (the sniffer also detects this tunnel) and a tunnel between the client and local applications. The encrypted data that arrives over the SSL tunnel is then decrypted before being sent to the local application over the second tunnel. The packet sniffer sees the second tunnel’s traffic, which appears to be from the Firebox SSL VPN Gateway, after the traffic is already decrypted.

When an application client connects to its application server, certain protocols may require that the application server in turn attempt to create a new connection with the client. In this case, the client sends its known local IP address to the server by means of a custom client-server protocol. For these applications, the Secure Access Client provides the local client application a private IP address represen- tation, which the Firebox SSL VPN Gateway uses on the internal network. Many real-time voice applica- tions and FTP use this feature.

Performance and Real-Time Traffic

Real-time applications, such as voice and video, are implemented over UDP, because TCP is not appro- priate for real-time traffic due to the delay introduced by acknowledgements and retransmission of lost packets. It is more important to deliver packets in real time than to ensure that all packets are delivered. However, with any tunneling technology over TCP, such real-time performances cannot be met.

The Firebox SSL VPN Gateway overcomes this issue by routing UDP packets over the secure tunnel as special IP packets that do not require TCP acknowledgements. Even if the packets get lost in the net-

Administration Guide

27

Page 37
Image 37
WatchGuard Technologies SSL VPN manual Performance and Real-Time Traffic

SSL VPN specifications

WatchGuard Technologies offers a robust SSL VPN solution designed for secure remote access to corporate networks. As businesses increasingly rely on a remote workforce, the need for secure and reliable connectivity has never been more critical. WatchGuard's SSL VPN features advanced security technologies that ensure data integrity and confidentiality while enabling seamless access to applications and resources.

One of the standout features of WatchGuard's SSL VPN is its user-friendly interface. The solution is designed to simplify the user experience, enabling employees to connect to the VPN with minimal complexity. With a straightforward setup process, users can quickly establish secure connections from various devices, including laptops, smartphones, and tablets. This flexibility supports a diverse workforce, allowing employees to work from different locations without compromising security.

In addition to its ease of use, WatchGuard's SSL VPN is built on robust security technologies. It employs end-to-end encryption to safeguard data in transit, ensuring that only authorized users can access sensitive information. By utilizing SSL (Secure Sockets Layer) protocols, the VPN creates a secure tunnel between the user’s device and the corporate network, protecting against potential threats such as eavesdropping or man-in-the-middle attacks.

Moreover, WatchGuard Technologies includes multiple authentication options, adding another layer of security. The solution supports multi-factor authentication (MFA), requiring users to provide additional verification beyond just a password. This could involve mobile device verification or biometric authentication, significantly reducing the risk of unauthorized access.

Another key characteristic of WatchGuard’s SSL VPN is its integration with other WatchGuard security solutions. Businesses can benefit from a comprehensive security posture by leveraging firewalls and intrusion prevention systems along with the SSL VPN. This holistic approach ensures that remote connections are continually monitored and secured against evolving cyber threats.

Scalability is also a crucial aspect of WatchGuard's SSL VPN, accommodating growing organizations with changing needs. The solution can easily scale to support an increasing number of remote users without compromising performance. With robust performance metrics, businesses can ensure that even during peak usage times, the VPN remains responsive and reliable.

In summary, WatchGuard Technologies' SSL VPN solution combines ease of use, robust security, flexible authentication, and scalability. These features make it an ideal choice for organizations seeking to provide secure remote access to their employees while maintaining a strong defense against cyber threats. With WatchGuard, businesses can confidently navigate the challenges of a digital landscape, ensuring their network remains secure as they embrace remote work.