Watchguard Technologies Inc.s Firebox SSL Core with Citrix Systems Inc.s Citrix Secure Access is a good Secure Sockets Layer VPN solution for small and midsize businesses that want ease of use for remote users who need access to secure network resources.
Click here to read the full review of Watchguards Firebox SSL Core.
2
Watchguard Technologies Inc.s Firebox SSL Core with Citrix Systems Inc.s Citrix Secure Access is a good Secure Sockets Layer VPN solution for small and midsize businesses that want ease of use for remote users who need access to secure network resources.
However, the WatchGuard SSL VPN is a little like a “turducken”—a turkey stuffed with a duck stuffed with a chicken, all roasted together. Not only does WatchGuard provide the hardware and Citrix most of the software, but eWEEK Labs tests revealed that software Citrix acquired from Net6 Inc. is used throughout the Firebox SSL Core appliance. The good news is that all this hardware and software has been expertly assembled, and we had no trouble getting the various components to perform.
Firebox SSL Core with Citrix Secure Access is a 1U (1.75-inch) rack-mountable appliance that costs $2,790, including a five-tunnel license pack. The device, which started shipping in August, can be licensed for as many as 205 tunnels for $22,590.
The Firebox SSL Core with Citrix Secure Access appliance is designed to support fewer tunnels than Citrix offerings targeted for large-scale enterprise use. The Firebox appliance competes with SSL VPNs including Aventail Corp.s EX-750 and Nokias Nokia 60s SSL VPN.
The WatchGuard SSL VPN is less expensive than its rivals to get up and running. However, the Firebox SSL Core cannot be managed with the WatchGuard Firebox System Manager, used for keeping tabs on WatchGuard firewalls, so the bigger administration picture may be more expensive.
Watchguard uses Citrix SSL VPN technology to provide the lightweight client and tunneling technology between end-user systems.
The WatchGuard solution supports a variety of client operating systems, including all flavors of Microsoft Corp.s Windows 2000 and Windows XP, as well as Linux platforms with at least the 2.4 kernel. The Firebox SSL Core appliance also includes a client that supports Apple Computer Inc.s Mac OS X systems running Java Virtual Machine Version 1.4.2 or higher.
During eWEEK Labs tests, the appliance was relatively simple to install and manage, especially compared with IP Security-based VPN tools. We installed the Firebox SSL Core behind a WatchGuard Firebox X1000 as a peer on our protected network. (While the Firebox SSL Core looks exactly like WatchGuards firewall products, it is not an in-line device as they are.)
Installing and integrating the appliance with our existing security infrastructure took a matter of hours. We used Funk Software Inc.s Steel-Belted Radius for user authorization. As with any SSL VPN, we opened port 443 through the firewall to enable a connection to our Firebox SSL Core. When a client first connects, a stub of the SSL VPN client is installed on the end-user system. Users then can simply double-click on the Firebox SSL Core icon to initiate a connection.
The Firebox SSL Cores management interface is oriented to large-scale networks but is workable for a smaller-scale environment.
The help screens that are displayed at all times in the Web-based remote administrative terminal were copious and useful. We also used the customizable portal pages to create welcome pages specific to different groups of users. For example, we could configure the system so that a particular group of users got access to the e-mail system but not to the accounting system. The ease of administration provided by the customized portals was a nice touch.
We configured the Firebox SSL Core appliance to check client system files, registry entries and running processes to ensure that anti-virus and personal firewall software were installed on client systems before a VPN tunnel could be established. The registry and file checks happen only at log-in time, but the Firebox SSL Core client software continually checks processes on the client systems.
We also were able to specify a split tunnel configuration, whereby traffic destined for the protected network was carried through the Firebox SSL Core tunnel while network traffic for the Internet, such as Web browsing, was not. All changes we made to configurations were immediately made available to connected clients.
The Firebox SSL Core appliance also has some features that a small subset of users will likely find useful, including Kiosk mode operation, which allows authorized end-user systems using either Internet Explorer or the Mozilla Foundations Firefox to make a clientless connection to network resources.
We used the Kiosk mode to make a VNC (virtual network computing)-like connection to access shared network drives on our test network as well as computers running Windows Terminal Services. Kiosk mode is limited to just a few services, but it worked well in tests.
Next page: Evaluation Shortlist: Related Products.
Page 3
Evaluation Shortlist
Aventails EX-750 Small-scale appliance integrates with enterprise-class Aventail products and can be managed with a single console (www.aventail.com)
Nokias Nokia 60s SSL VPN Remote access appliance supports a wide range of clients (www.nokia.com)
Symantec Corp.s Clientless VPN Gateway 4400 Series Provides SSL VPN access without requiring client software installation (www.symantec.com)
Labs Technical Director Cameron Sturdevant can be reached at cameron_sturdevant@ziffdavis.com.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.