WSM User Guide - WatchGuard Technologies
Tunneling Protocols

Virtual private networks (VPNs) use encryption technology to decrease security risks and to secure private information on the public Internet. A virtual private network lets data flow safely across the Internet between two networks. VPN tunnels can also secure connections between a host and a network. The networks and hosts at the endpoints of a VPN can be corporate headquarters, branch offices, and remote users.

VPN tunnels use authentication, which examines the sender and the recipient. If the authentication information is correct, the recipient decrypts the data. Only the sender and the recipient of the message can read it clearly.

For more information on VPN technology, see the online information at:
http://www.watchguard.com/support

The WatchGuard® Support web site contains links to documentation, basic FAQs, advanced FAQs, and the WatchGuard User Forum. You must log in to the Technical Support web site to use some features.

Tunneling Protocols

Tunnels allow users to send data in secure packets across a network that is not secure, usually the Internet. A tunnel is a group of security protocols, encryption algorithms, and rules. The tunnel uses this information to send secure traffic from one endpoint to the other. A tunnel allows users to connect to resources and computers on other networks.

Tunneling protocols supply the infrastructure and set how data transmission on the tunnel occurs. The two tunneling protocols that WatchGuard® System Manager supports are Internet Protocol Security (IPSec) and Point-to-Point Tunneling Protocol (PPTP). WatchGuard also supports SSL VPN with its WatchGuard SSL VPN Firebox product line.

IPSec

You use the IPSec protocol to examine IP packets and make sure they are authenticated. IPSec includes security features, including very strong authentication, to protect the privacy of the information that you transmit on the Internet. IPSec is a standard that works with many systems from different manufacturers.

IPSec includes two protocols that protect data integrity and confidentiality. The AH (Authentication Header) protocol provides data integrity only. The ESP (Encapsulating Security Payload) protocol provides both data integrity and confidentiality.

PPTP

Point-to-Point Tunneling Protocol (PPTP) is a standard for VPN security that can be used with many systems from different manufacturers. PPTP allows tunnels to corporate networks and to other PPTP-enabled systems. PPTP is not as secure as IPSec and cannot secure two networks to each other. PPTP can only secure one IP address with one other IP address or with a network. PPTP supplies an inexpensive tunnel alternative for a corporate network that is easier to use than IPSec.

Encryption

On a network that is not secure, an attacker can capture transmitted packets very easily. VPN tunnels use encryption to keep this data secure.

226 WatchGuard System Manager
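The integrity half of ESP, as an added example that is not part of the WatchGuard guide and is not Firebox or Fireware code: it frames an ESP packet (SPI, sequence number, payload, ICV) and shows why a receiver can trust the result. The ICV is an HMAC over the SPI, sequence number and payload using the two data-integrity algorithms the guide supports, MD5-HMAC and SHA1-HMAC, truncated to 96 bits as IPsec does (HMAC-MD5-96, HMAC-SHA-1-96). The example uses only the Python standard library, so the payload is passed in as already-encrypted bytes and the cipher step (the confidentiality half of ESP) is left out; the key, SPI and payload are constructed values for the demonstration.

```python
import hashlib
import hmac
import struct

# IPsec truncates HMAC-MD5 and HMAC-SHA1 to their first 96 bits for the ICV
# (HMAC-MD5-96 and HMAC-SHA-1-96).
ICV_LEN = 12
# ESP header: Security Parameters Index (SPI) and sequence number,
# both 32-bit big-endian.
ESP_HEADER = struct.Struct("!II")

# The two data-integrity algorithms the guide lists.
INTEGRITY_ALGS = {
    "MD5-HMAC": hashlib.md5,    # 128-bit digest before truncation
    "SHA1-HMAC": hashlib.sha1,  # 160-bit digest before truncation
}


def compute_icv(key: bytes, authenticated: bytes, alg: str) -> bytes:
    """ICV over the ESP header plus payload, truncated to 96 bits."""
    digest = hmac.new(key, authenticated, INTEGRITY_ALGS[alg]).digest()
    return digest[:ICV_LEN]


def build_esp(spi: int, seq: int, payload: bytes, key: bytes, alg: str) -> bytes:
    """Frame an ESP packet as header | payload | ICV.

    The payload is assumed to be already encrypted by the caller; this
    example does not include the cipher.
    """
    header = ESP_HEADER.pack(spi, seq)
    return header + payload + compute_icv(key, header + payload, alg)


def parse_esp(packet: bytes) -> dict:
    """Split a packet into its SPI, sequence number, payload and ICV."""
    if len(packet) < ESP_HEADER.size + ICV_LEN:
        raise ValueError("packet too short for an ESP header and ICV")
    spi, seq = ESP_HEADER.unpack_from(packet)
    return {
        "spi": spi,
        "seq": seq,
        "payload": packet[ESP_HEADER.size:-ICV_LEN],
        "icv": packet[-ICV_LEN:],
    }


def verify_esp(packet: bytes, key: bytes, alg: str) -> bool:
    """Recompute the ICV and compare it in constant time.

    Any change to the SPI, sequence number, payload or ICV, or a key or
    algorithm that differs from the sender's, makes this return False.
    """
    try:
        fields = parse_esp(packet)
    except ValueError:
        return False
    expected = compute_icv(key, packet[:-ICV_LEN], alg)
    return hmac.compare_digest(expected, fields["icv"])


def flip_byte(packet: bytes, index: int) -> bytes:
    """Constructed tampering: invert the low bit of one byte in transit."""
    return packet[:index] + bytes([packet[index] ^ 0x01]) + packet[index + 1:]


# Constructed sample values: a 32-byte key, an SPI, and bytes standing in for
# the encrypted inner packet.
KEY = bytes(range(32))
SPI = 0x00001001
PAYLOAD = b"\x8a\x3f" * 16


def demo(alg: str = "SHA1-HMAC") -> dict:
    """Build one packet and check it against genuine and tampered cases."""
    other_alg = "MD5-HMAC" if alg == "SHA1-HMAC" else "SHA1-HMAC"
    pkt = build_esp(SPI, 1, PAYLOAD, KEY, alg)
    fields = parse_esp(pkt)
    return {
        "genuine": verify_esp(pkt, KEY, alg),
        "tampered_payload": verify_esp(flip_byte(pkt, 8), KEY, alg),
        "tampered_seq": verify_esp(flip_byte(pkt, 7), KEY, alg),
        "wrong_key": verify_esp(pkt, bytes(32), alg),
        "wrong_alg": verify_esp(pkt, KEY, other_alg),
        "parsed_spi": fields["spi"],
        "parsed_seq": fields["seq"],
        "icv_bits": len(fields["icv"]) * 8,
    }


if __name__ == "__main__":
    for name in INTEGRITY_ALGS:
        print(name, demo(name))
```

The point of the truncated HMAC is that the receiver needs the same key and the same algorithm to reproduce the ICV, which is why both endpoints must agree on the tunnel parameters before any traffic flows; `hmac.compare_digest` is used so that a forged ICV is rejected without leaking, through timing, how many bytes matched.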
The length of the encryption key, together with the algorithm used, sets the encryption strength for the VPN. A longer key gives better encryption and more security. Set the level of encryption to give the performance and security that your organization requires. Stronger encryption usually gives a higher level of security, but can have a negative effect on performance.

Basic encryption gives sufficient security with good throughput for tunnels that do not transmit sensitive data. For administrative connections and for connections where privacy is very important, we recommend strong encryption.

The host or IPSec device that sends a packet through the tunnel encrypts the packet. The recipient at the other end of the tunnel decrypts it. The two endpoints must agree on all the tunnel parameters: the encryption and authentication algorithms, the hosts or networks allowed to send data across the tunnel, the time period after which a new key is calculated, and other parameters.

Selecting an encryption and data integrity method

Consider both security and performance when you select the encryption and data integrity algorithms. We recommend Advanced Encryption Standard (AES), the strongest of the supported encryption types, for sensitive data. Fireware® uses AES 256 as the default encryption algorithm for IPSec.

Data integrity makes sure that the data a VPN endpoint receives was not changed in transit. Two types of data authentication are supported: HMAC with the 128-bit Message Digest 5 algorithm (MD5-HMAC), and HMAC with the 160-bit Secure Hash Algorithm (SHA1-HMAC). Of the two, SHA1-HMAC is the stronger choice.

Authentication

An important part of VPN security is to make sure that the sender and recipient are authenticated. There are two methods: passphrase authentication (also called a shared secret) and digital certificates. A shared secret is a passphrase that is the same at both ends of the tunnel.

Digital certificates use public key cryptography to identify and authenticate the end gateways. You can use certificates for authentication for any VPN tunnel you create with your WatchGuard Management Server. For more information on certificates, see the “Managing Certificates and the Certificate Authority” chapter.

Extended authentication

Authentication for a remote user can occur through a database that is kept on the Firebox®, or through an external authentication server. An example of an external authentication server is the Remote Authentication Dial-In User Service (RADIUS). An authentication server is a trusted third party that authenticates other systems on a network. With Mobile User VPN (MUVPN), which uses the IPSec tunneling protocol, the remote user must type a user name and password each time a VPN is started.

Selecting an authentication method

A primary part of a VPN is its method of user authentication. To use shared secrets safely, you must make sure that you:
• Make users select strong passwords.
• Change passwords frequently.

When you use Remote User VPN (RUVPN), which uses the PPTP tunneling protocol, or MUVPN, it is very important to use strong passwords. When you put the security of VPN endpoints at risk, you can put the