Republished with permission from WatchGuard Technologies, Inc.

WatchGuard


Navigating WatchGuard's New MUVPN Client

by David M. Piscitello, President, Core Competence, Inc.

With WatchGuard Firebox System (WFS) version 5.0, WatchGuard released an entirely new mobile user VPN client, a customized version of the widely used and broadly compatible SoftRemote™ VPN client from SafeNet. This article gives you some background on, and a quick tour of, the new MUVPN client.

What's So Cool About SoftRemote™

I live in NASCAR country. Motor-heads here crack open the hood of a new car, then jabber about compression ratios, horsepower, overhead cams, gear ratios, and the like. I suppose networking software junkies obsess over features, too. New software? Kewl!

SoftRemote™ is chock full of useful features for administrators and end users. It runs on every Win32 platform (and will soon on the Palm OS). It supports virtually every IKE and IPSec security option. SafeNet has done a commendable job testing the software on every OS platform, against a long list of VPN products, so it's very stable. It's also the most widely used VPN client in the industry. This "ubiquity" is especially important if your work force engages in business-to-business activities over IPSec VPNs run by organizations other than your own, operating equipment other than Fireboxes and SOHOs. It's important to you as well: who needs the headache of supporting two VPN software packages, much less the helpdesk horror of teaching users how to use both? I've used a SoftRemote client since WFS version 4.6 because (a) it worked fine with Firebox MUVPN, and (b) I use so many IPSec products I can't afford down time from wrestling with software and adapters that won't play nice together.

SoftRemote also works well with all the personal firewall software I've used. If you haven't insisted on personal firewalls for remote access clients until now, I recommend when you download the MUVPN client from WatchGuard's site, you choose the version that comes bundled with ZoneAlarm from Zone Labs.

The new client has an outstanding logging facility and a connection monitor, invaluable tools for debugging IPSec configuration problems.

Breathe Easy

I can almost hear the skeptical network administrators ask, "New software? Ugh! How painful will this be to incorporate into my network?" After more than a year deploying SoftRemote at various locations, my experience is that it can be nearly antacid and pain reliever free.

WatchGuard's version feels familiar. You'll still use the Mobile User VPN Wizard from the Policy Manager to create new IPSec mobile users. How you configure Allowed Resources, Virtual IP address rules, and tunnel (IPSec) policy is unchanged. You can continue to use the same method to export the mobile user configuration files (.EXP and .WGX) and to distribute configuration files, client software and documentation to your mobile work force. You'll find that the information about planning, deploying, and debugging MUVPN from my earlier columns still applies.

The biggest changes (really, improvements) are on the client. I've had few problems installing the new MUVPN client on several desktops and laptops, including a laptop that has USB, PC card, and Sony iLink™ network adapters. (I mention this because my painful past experience was that the likelihood of a successful IPSec client installation seemed to decrease commensurately with each adapter previously installed.)

The Tour

The SafeNet MUVPN client has many more bells and whistles than its predecessor. You should plan to introduce at least the following tools and features to your MUVPN users. These are accessed via the System Tray or the Start Menu:

  • The Security Policy Editor is the configuration utility for the MUVPN client. Users will see a familiar NT Explorer-style representation of the Network Security Policy. They can import and export Security Policies from this application. While the Security Policy you configure at the Firebox will be installed automatically in most cases, users should be familiar with this menu item. They may find it necessary to import a new Security Policy Database file (*.spd) into their MUVPN client, or to export the current configuration.
  • The Log Viewer provides a detailed analysis of IKE and IPSec security association processing. The message format resembles Firebox logging and what administrators see via the Control Center's Traffic Monitor Tool. Your savvier users may find this helpful enough to diagnose certain connection problems they might have with VPNs; others will be delighted to see they can save or print the log, and send it to you.
  • The Connection Monitor has several features. The MUVPN client records all the pertinent information for each VPN connection in a monitoring window, counting all IPSec packet dispositions -- dropped, bypassed (Non-secured) and protected (Secured) -- separately. Given some basic instructions, users can eyeball these counters to determine whether your organization's security policy is being enforced from user to Firebox. For example, suppose your policy forces all packets from remote users to be protected by IPSec back to your Firebox, and only then allows them out to the Internet. If the user sees no increments to the Secured Packets counter, something's misconfigured! Chances are, this is Bob's laptop; unfortunately, the MUVPN client's poweruser-oriented UI will inevitably tempt the Bobs in your organization to (ahem) improve Security Policy. We can only hope that "dealing with Bobs" features will be incorporated in future releases.

Features to toy with…

You might find the MUVPN client's Certificate Manager helpful in pulling together the concepts of digital certificates, Certificate Authorities, and Registration Authorities (if these terms are unfamiliar to you, they're explained in my article on PKI). Use this application to request, import, and store certificates and certificate revocation lists. It's good practice for when you eventually incorporate digital certificates into your IPSec VPNs.

Clever MUVPN Tricks

Since the new MUVPN client supports so much of the IKE and IPSec standard, you can also experiment with more secure VPN tunnel policies for certain applications. The default MUVPN IKE policy uses Aggressive Mode with DES encryption, and no perfect forward secrecy (PFS). Using the new client's Security Policy Editor, if you have a DSL-based teleworker blessed with a permanent IP address, you can create a VPN tunnel that uses the stronger Main Mode authentication (which brings Triple DES encryption to Phase 1 of establishing your VPN tunnel), Perfect Forward Secrecy and the required Diffie Hellman Group (2) for PFS. You'll have to manually create a Branch Office VPN tunnel at the Firebox for this unique application. Combined with the ZoneAlarm personal firewall, this configuration is far stronger than using one of those "thrown-in" Cable/DSL NAT boxes, and perfect for individual user sites where you simply can't afford a SOHO.

Summary

WatchGuard's new SafeNet client is quite an upgrade from the previous MUVPN client. It installs more cleanly, and has proven interoperable with just about every IPSec security gateway left on the market. It has many features that can help a busy administrator diagnose IPSec remote access problems quickly. You can even tinker with its configuration flexibility and advanced authentication features (certificates) in your copious spare time. I give it a nine. ##

Copyright© 2002, WatchGuard Technologies, Inc. All rights reserved. WatchGuard, LiveSecurity, Firebox and ServerLock are trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and other countries.



Copyright © 1996 - 2002 WatchGuard Technologies, Inc. All rights reserved.