WSM User Guide - WatchGuard Technologies
Split tunneling decreases security, but does increase performance. If you use split tunneling, remote users must have personal firewalls for computers behind the VPN endpoint.

WatchGuard VPN Solutions

WatchGuard® System Manager includes this software to create tunnels:

• Remote User VPN (RUVPN) with PPTP
• Mobile User VPN (MUVPN) with IPSec
• Branch Office VPN (BOVPN) with IPSec, which uses Policy Manager to manually configure the tunnel settings
• Branch Office VPN (BOVPN) with IPSec, which uses WatchGuard System Manager to automatically configure the tunnel settings.

WatchGuard includes different types of encryption for the different types of VPN tunnels you can create. BOVPN allows Data Encryption Standard (DES) with a 56-bit encryption key for basic encryption, a 112-bit key for moderate encryption, and a 168-bit encryption key (3DES) for strong encryption. It also allows the Advanced Encryption Standard (AES), a block data encryption method, using 128-bit, 192-bit, or 256-bit encryption.

WatchGuard also has a separate SSL VPN Firebox product line. You can see more information on the WatchGuard public web site at http://www.watchguard.com/products/fb-ssl.asp.

Remote User VPN with PPTP

Remote User VPN allows remote users or mobile users to connect to the Firebox® network with PPTP. RUVPN with PPTP allows RC4 40-bit or 128-bit keys.

The basic WatchGuard System Manager package includes RUVPN with PPTP. It allows 50 users, and all levels of encryption. For information on how to create RUVPN with PPTP tunnels, see the “Configuring RUVPN with PPTP” chapter.

Mobile User VPN

Note
For information on how to configure and use MUVPN, see the MUVPN Administrator Guide.

Mobile User VPN is an optional software component available for all Firebox models. Remote users are mobile employees who must have corporate network access. MUVPN creates an IPSec tunnel between a remote host that is not secure and your corporate network. Remote users connect to the Internet with a standard Internet dial-up or broadband connection, and then they use the MUVPN software to make a secure connection to the network or networks protected by the Firebox. With MUVPN, only one Firebox is necessary to create the tunnel.

MUVPN uses IPSec with DES or 3DES to encrypt incoming traffic, and MD5 or SHA-1 to authenticate data packets. You configure a security policy and supply it along with the MUVPN software to each remote user. The security policy is an encrypted file with the extension wgx. When the software is installed on the computers of the remote users, they can safely connect to the corporate network. MUVPN users can change their security policies, or you can give them read-only security policies.

232 WatchGuard System Manager

Branch Office Virtual Private Network (BOVPN)

Many companies have offices in more than one location. Offices frequently use data from other locations, or have access to shared databases. Because branch offices have sensitive company data, information interchanges must be secure. When you use WatchGuard Branch Office VPN, you can connect two or more locations across the Internet without decreasing security. WatchGuard BOVPN supplies an encrypted tunnel between two networks or between a Firebox and an IPSec-compliant device. You can use WatchGuard System Manager or Policy Manager to configure BOVPN.

WatchGuard allows certificate-based authentication for BOVPN tunnels. When you use certificate-based authentication for BOVPN, the two VPN endpoints must be WatchGuard Fireboxes. You cannot use certificate-based authentication for BOVPN with SOHO 6 or Firebox X Edge devices. To use this functionality, you must configure a Management Server and a certificate authority. For more information, see “Configuring Managed VPN Tunnels,” on page 237. For instructions on how to use Policy Manager to manually configure a BOVPN tunnel, see “Configuring BOVPN with Manual IPSec,” on page 243.

BOVPN with Policy Manager

When you make a tunnel with Policy Manager, the Firebox uses IPSec to make encrypted tunnels with a different IPSec-compliant security device. One of the two endpoints must have a public static IP address.

Use BOVPN with Policy Manager if:

• You make tunnels between a Firebox and a non-WatchGuard, IPSec-compliant unit.
• You give different routing policies to different tunnels.
• Not all types of traffic go through the tunnel.

BOVPN with IPSec is available with the moderate encryption level of DES (56-bit), or the stronger encryption 3DES (168-bit). BOVPN is also available with AES at the 128-bit, 192-bit, and 256-bit encryption levels. AES with 256-bit encryption is the most secure.

You can create different VPN tunnels for different types of traffic on your network. For example, you can use a VPN tunnel with DES encryption for traffic from your sales team. At the same time, use a VPN tunnel with stronger 3DES encryption for all data from your finance department.

BOVPN with Manual IPSec

BOVPN with WatchGuard System Manager

With WatchGuard System Manager, you can make fully authenticated and encrypted IPSec tunnels with a drag-and-drop or menu interface. WatchGuard System Manager uses the Management Server to safely transmit IPSec VPN configuration information between two Firebox devices. When you use the Management Server, you set each configuration parameter of the VPN. The Management Server keeps this information.

Use BOVPN with WatchGuard System Manager if:

User Guide 233