Seeking clarity on FireCluster management as well as the varieties of VPNs

Hello WatchGuard and friends,

My company recently had an M370 installed by our MSP, as I'm still in my first year working in networking at an SMB. My director and I basically let our consultant replace our ancient Cisco ISR and took a backseat to that process.

So he did the physical installation and replaced our Cisco AnyConnect VPN that remote employees used with the WatchGuard SSLVPN, which overall went very smoothly, but he left many of the subscription features untouched. This I guess could be question 1:

I've read that IKEv2 is preferable in terms of speed and security. I understand that we're using SSL to achieve a split-tunnel VPN that my co-workers are all used to, but I've just been reading about how it's possible to achieve a similar situation by use of reverse proxies in the configuration of Access Portal.

Then I read that M3xx devices cannot run this feature -- but that WatchGuard Cloud could -- my question is: is Access Portal accessible to perform these feats (as vaguely as I worded it -- I haven't quite gotten much of the full experience yet); but does the installation of WG Cloud give an M370 TSS setup more abilities, like the one I just mentioned above?

The consultant who installed the M370 said we didn't really need WatchGuard Cloud, or Dimension actually, because all the features are accessible from both the Server Manager as well as the web UI. Is this true? I was looking forward to trying out Dimension if only for the experience, so I'm wondering if you think this would be a worthwhile endeavor.

So right, first: do WatchGuard Cloud, Server Manager, and Dimension all cover the same features and allow for the same administration?

~~

Also -- when considering the MFA (we'll be implementing AuthPoint) I'm also looking at a hard token to achieve SSO capabilities for the sake of our workers -- and after looking at a few more articles it seems like this could be a possible outcome with AuthPoint MFA (properly configured) alone; earlier I had been considering Okta or Yubico to solve this issue for me but the spend would be tough to rationalize.

So second: is the M370 + TSS capable of creating an MFA/SSO that can achieve (split-tunnel) remote VPN access, Windows login, and application credential management?

Thanks much!

Comments

  • My primary comment is about split tunnel VPNs.
    This is a potential significant security risk, and you should seriously consider not using split tunneling client VPNs.
    You can find many discussions on the security issues related to this.
    Here is one:

    VPN Split tunnel pros and cons (especially for high bandwidth applications)
    https://community.isc2.org/t5/Industry-News/VPN-Split-tunnel-pros-and-cons-especially-for-high-bandwidth/td-p/5471

    Next, does your config use any of the proxy policies?
    FTP, SMTP, HTTP, HTTPS are significant ones.
    Implementing each requires some effort and periodic adjustment, but provides substantial security enhancement compared to using packet filters.

    IKEv2 and IPSec are much faster than SSLVPN - higher throughput. They use hardware-based encryption in the firewall hardware, whereas SSLVPN does not.

    Dimension is a logging & reporting solution implemented on a VM. There is a WatchGuard Cloud version of this, but the historical records are currently maxed at 30 days (for free), and the reporting etc. is not currently as full-functioned as Dimension.
    There are Windows-server-based logging and reporting functions (WSM Server), but those seem to be no longer being enhanced - Dimension and the WG Cloud logging & reporting seem to be the future.
    I run Dimension and no longer use WSM Server logging & reporting, which I did use many years ago.
    While I have access to the logging/reporting in WG cloud, I rarely go there since I use Dimension.

    I will let others answer your other questions.
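The split-tunnel warning in the comment above is easier to act on if you can tell, from a client's routing table, whether the VPN actually captures all traffic. The following is an added example for this thread, not WatchGuard code: it parses Linux `ip route` output (the two sample tables are constructed, not captured from a real client), and the interface-name prefixes it treats as "the VPN" are an assumption to adjust for your client (the SSLVPN client on Linux is OpenVPN-based and uses `tun0`).

```python
"""Check whether a VPN client's routing table is full-tunnel or split-tunnel.

Added example for this thread, not WatchGuard code. It parses the text
format of Linux `ip route` output; the sample tables below are constructed,
and the VPN interface-name prefixes are an assumption you adjust for your
client (the WatchGuard SSLVPN client on Linux is OpenVPN-based and uses tun0).
"""
import ipaddress
import re

# Assumption: interface names a VPN client creates on Linux.
VPN_IFACE_PREFIXES = ("tun", "tap", "wg", "ipsec")

# Destination is the first token ("default" or a CIDR); the egress device
# follows the "dev" keyword somewhere later on the line.
ROUTE_RE = re.compile(r"^(?P<dst>\S+)\s.*?\bdev\s+(?P<dev>\S+)")


def parse_routes(ip_route_text):
    """Return a list of (ip_network, device) pairs from `ip route` output."""
    routes = []
    for line in ip_route_text.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match:
            continue  # blank lines or entries without a device
        dst = match.group("dst")
        cidr = "0.0.0.0/0" if dst == "default" else dst
        routes.append((ipaddress.ip_network(cidr, strict=False), match.group("dev")))
    return routes


def classify_tunnel(ip_route_text):
    """Return 'no-vpn', 'full-tunnel' or 'split-tunnel' for a routing table."""
    routes = parse_routes(ip_route_text)
    vpn_nets = [net for net, dev in routes if dev.startswith(VPN_IFACE_PREFIXES)]
    if not vpn_nets:
        return "no-vpn"
    # A default route over the tunnel means everything is forced through it.
    if any(net.prefixlen == 0 for net in vpn_nets):
        return "full-tunnel"
    # OpenVPN's redirect-gateway instead installs 0.0.0.0/1 + 128.0.0.0/1,
    # which together beat the physical default route on prefix length.
    halves = {str(net) for net in vpn_nets if net.version == 4 and net.prefixlen == 1}
    if {"0.0.0.0/1", "128.0.0.0/1"} <= halves:
        return "full-tunnel"
    return "split-tunnel"


def routes_bypassing_vpn(ip_route_text):
    """Destinations a connected client still reaches outside the tunnel.

    On a split-tunnel client this is the exposure the comment warns about:
    the host talks to the Internet and its local LAN while also holding a
    route into the corporate network. For a full tunnel the physical default
    route is shadowed, so nothing bypasses the VPN.
    """
    if classify_tunnel(ip_route_text) == "full-tunnel":
        return []
    return sorted(
        str(net)
        for net, dev in parse_routes(ip_route_text)
        if not dev.startswith(VPN_IFACE_PREFIXES)
    )


# Constructed sample tables (not captured from a real client).
SPLIT_TUNNEL_TABLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.0.0.0/24 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

FULL_TUNNEL_TABLE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
"""

if __name__ == "__main__":
    for name, table in (("split", SPLIT_TUNNEL_TABLE), ("full", FULL_TUNNEL_TABLE)):
        print(name, "->", classify_tunnel(table), routes_bypassing_vpn(table))
```

Run it against `ip route` output captured from a connected client (`classify_tunnel(subprocess.check_output(["ip", "route"], text=True))`) to confirm the policy the firewall pushes matches what the endpoint actually installed; a client whose table still lists a default route via the local LAN interface with no tunnel override is exactly the exposure the comment describes.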

  • Regarding the VPN (any type) and the Access Portal, it does seem that the Access Portal MAY be able to replace the need for a VPN. It's really going to depend on the Information Resources that the VPN is providing connectivity to, as the Access Portal (or Reverse Proxy) will need to take on that capability.

  • WatchGuard Cloud is NOT going to run your Access Portal. The WatchGuard Cloud is an alternative solution to Dimension (for Reporting and Logging).

  • @BrianSteingraber said:
    WatchGuard Cloud is NOT going to run your Access Portal. The WatchGuard Cloud is an alternative solution to Dimension (for Reporting and Logging).

    But from what I understand WG Cloud is required for proper use of Threat Detection & Response, APT Blocker and the Sandbox feature for opening suspicious files found by the host sensors, so I may be setting up each, for separate reasons. I appreciate your reply though, thanks much!

  • Log into the WatchGuard support portal.
    Then select My WatchGuard.
    You will find a number of options, including:
    WatchGuard Cloud
    Manage TDR

    WatchGuard Cloud includes AuthPoint and the Dimension-like logging & reporting.
    "WatchGuard Cloud" is not necessarily an all inclusive location for "cloud" based WG offerings

  • @photofalling said:

    @BrianSteingraber said:
    WatchGuard Cloud is NOT going to run your Access Portal. The WatchGuard Cloud is an alternative solution to Dimension (for Reporting and Logging).

    But from what I understand WG Cloud is required for proper use of Threat Detection & Response, APT Blocker and the Sandbox feature for opening suspicious files found by the host sensors, so I may be setting up each, for separate reasons. I appreciate your reply though, thanks much!

    What Bruce said. WatchGuard Cloud is a separate item/solution to TDR, APT Blocker, Dimension, etc. It's not needed for any of those things.

  • WatchGuard Cloud is likely of limited use if this is a single site. The cloud service is good for central configuration of multiple sites. It lets you manage WatchGuard devices installed remotely and provides central logging and configuration command and control. If you like directly connecting to the web UI of the device to configure it, then it is fine. If you like a Windows-based GUI and install the WSM components on a local command and control workstation, then you do not need/use the cloud control.

    Subscriptions for advanced services like threat detection are separate and not dependent on where you choose to configure/control your device. Whether you use WatchGuard Cloud, configure directly via the Web UI, or host WSM locally on a Windows server, your subscription services that use a cloud component for updates/processing are not dependent on one control method or the other. Yes, they utilize some level of cloud processing that you are paying for as part of your subscriptions, but it's self-contained to that subscription feature.

    The Access Portal is not a generic VPN substitute. But if the only reason you are using a VPN is to access some specific internal resource, it is possible that exposing that through the Access Portal may be a reasonable alternative to installing VPN clients on endpoints. You are using the firewall as an application proxy just for those few services. If the protocols that Access Portal exposes are not sufficient for your application, then it may not work. In almost all cases I have used Access Portal, it's a supplement to the VPN client in most cases. It's a bit clunky to use at times. SSH is a web client version, so you cannot use a regular ssh client or do ssh port forwarding. Web interfaces have to be set up as reverse proxy, so it breaks when the web application tries to push the client to a hostname that is only valid on the internal network. Terminal services is again through a browser window, not the full remote desktop client.

    For the question of SSL vs IKEv2 VPN, it often comes down to how well the client behaves more than how it performs. Often SSL just works better in harsh environments like hotels, airports, public wifi etc. where IPSec-type VPN connections are often blocked. If peak bandwidth is a problem and the remote client is on a good connection and often connecting from the same place (working from home), you likely have fewer concerns about being blocked.
    So my generic advice is for clients who frequently are mobile in many different unknown locations I start with the SSL VPN as preferred. If it's a work from home situation where they always connect from the same location then IPSec client is preferred. If it's a bit of both you can set them up with more than one method.

    For multi-factor tokens, that one gets pretty hard to give generic answers on. Most environments will need custom recommendations based on how things like internal and external resources are currently set up and how they can be modified to work with the different requirements of the MFA system. You sorta have to dig into the deployment guides and evaluate where it would connect in your specific case and where it might be missing a connection. I have not found a one-size-fits-all solution to this, though this is a rapidly improving area of technology.
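The comment above notes that a reverse-proxied web interface "breaks when the web application tries to push the client to a hostname that is only valid on the internal network". The following is an added example for this thread, not WatchGuard Access Portal code, showing what that failure looks like and the Location-header rewrite a reverse proxy has to perform to avoid it. The hostnames (`intranet.corp.local`, `portal.example.com`) and the portal path prefix are constructed for illustration.

```python
"""Why a reverse-proxied internal web app 'breaks' behind a portal, and the
header rewrite a proxy must do to avoid it.

Added example for this thread, not WatchGuard Access Portal code; the
hostnames and the portal path prefix are constructed for illustration.
"""
from urllib.parse import urlsplit, urlunsplit

INTERNAL_ORIGIN = "http://intranet.corp.local"  # constructed: only resolvable on the LAN
EXTERNAL_ORIGIN = "https://portal.example.com"  # constructed: public portal hostname
PORTAL_PATH_PREFIX = "/apps/intranet"           # constructed: portal path mapped to the app

INTERNAL_HOST = urlsplit(INTERNAL_ORIGIN).hostname
EXTERNAL_HOST = urlsplit(EXTERNAL_ORIGIN).hostname


def client_can_follow(location, resolvable_hosts=(EXTERNAL_HOST,)):
    """True if a browser outside the LAN can resolve the redirect target.

    A relative Location is resolved against the portal URL, so it is fine;
    an absolute one works only if its host resolves from the Internet.
    """
    host = urlsplit(location).hostname
    return host is None or host in resolvable_hosts


def rewrite_location(location):
    """Rewrite an upstream redirect so it stays inside the portal.

    - absolute URL on the internal host -> external origin + portal prefix
    - root-relative path (/login)       -> portal prefix + path
    - anything else (other sites, 'foo/bar' relative paths) -> unchanged
    """
    parts = urlsplit(location)
    ext = urlsplit(EXTERNAL_ORIGIN)
    if parts.netloc:
        if parts.hostname != INTERNAL_HOST:
            return location  # redirect to a third-party site, e.g. an IdP
        path = parts.path or "/"
    elif location.startswith("/"):
        path = parts.path
    else:
        return location  # document-relative; the browser resolves it under the portal
    return urlunsplit((ext.scheme, ext.netloc, PORTAL_PATH_PREFIX + path,
                       parts.query, parts.fragment))


def proxy_response(status, headers):
    """Apply the rewrite to the Location header of a 3xx upstream response."""
    out = dict(headers)
    if 300 <= status < 400 and "Location" in out:
        out["Location"] = rewrite_location(out["Location"])
    return status, out


# Constructed upstream response: the intranet app bounces unauthenticated
# users to its login page using its internal hostname.
UPSTREAM = (302, {"Location": "http://intranet.corp.local/login?next=%2Fhome",
                  "Content-Type": "text/html"})

if __name__ == "__main__":
    raw = UPSTREAM[1]["Location"]
    print("as sent by app  :", raw, "reachable:", client_can_follow(raw))
    _, fixed = proxy_response(*UPSTREAM)
    print("after rewrite   :", fixed["Location"], "reachable:", client_can_follow(fixed["Location"]))
```

The Location header is only the easiest case. The `next=%2Fhome` query parameter, absolute URLs embedded in HTML or JavaScript, and a `Set-Cookie` `Domain=` attribute naming the internal host all survive this rewrite untouched, and each is a reason an application that works fine on the LAN misbehaves behind a portal reverse proxy.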
