Authentication on PIX, WatchGuard, Safe@Office & SonicWall

From: Tracy Kennison (kennisonCUTITOUT_at_goodnet.com)
Date: 12/11/03


Date: Thu, 11 Dec 2003 15:26:56 -0700


Kind of a long post (preliminary set up w/questions at the end),
please bear with me.

I am looking to purchase a new firewall appliance to replace a Linksys
Firewall/Router. I am evaluating (strictly from online literature and
downloading the manuals) the following:

Cisco PIX 506E
WatchGuard Firebox III 500
Checkpoint Safe@Office 225
SonicWall Pro 230

The firewall will sit between the Internet and Windows Small Business
Server 2003 (Standard) with 10 XP workstations on the Network. I want
this firewall to provide a strong authentication/authorization
mechanism when accessing the local net remotely (I don't care about
authenticating going from the inside out).

I am currently providing Remote Access using the Remote Web Workspace
that comes with SBS 2003 (which works great btw). This provides a
simple alternative to VPN, and is more of a remote control service
that allows remote users access to their desktop, network drives, and
all their programs at work.

This setup requires me to open ports 443 (https), 444 (Windows
Sharepoint Service), and 4125 (Remote Web Workplace). My reason for
wanting a strong authentication/authorization mechanism on the
firewall is that I am concerned about an exploit being developed that
will directly attack these ports on my server.

However, as I start to look at the above firewalls I run into the
following issues (based on reading, no first hand experience):

With the Cisco PIX 506E it appears that I will have to implement a
TACACS+ Server, since while the firewall provides a local database for
authentication this doesn't (nor does RADIUS) support authorization
entries on the individual services (ports) I want to open. Having to
implement TACACS+ seems like overkill, it should be much simpler.

With the Checkpoint Safe@Office 225 it appears that its
authentication/authorization mechanism is only used for VPN, firewall
configuration, and Web filtering. I don't see anything that shows how
to get access to full FW-1 functionality, which perhaps would allow
this.

With the WatchGuard Firebox III 500 it looks good until I read in the
User Guide (Pg 165-6) that when setting up users for remote access,
one of the steps is to provide their remote IP address. The whole
point of me using a user name mechanism is so I don't have to specify
a specific IP. The users can log on from any number of locations,
most of which are going to have dynamic IPs. The User Guide doesn't
go into much detail on this, so I am hoping that either an "ANY" IP
can be specified, or that this entry can be ignored.

Well with the SonicWall Pro 230 I just started looking at this, so I
don't know yet whether it is going to present an obstacle (VPN only
authentication for example). Maybe this one will be ok, don't know
yet.

Ok now to the questions:

Am I missing something here with regards to the issues with these
firewalls? (For example, does the WatchGuard not require me to
specify an IP for the remote user, or can Safe@Office authenticate
on ports other than VPN?)

Should I be looking at some other method for authentication, such as
certificates (remembering that I want the authentication to take place
first on the firewall itself, and I don't want to restrict it to only
certain remote IP addresses)?

Am I being too paranoid about having these ports (443, 444, 4125)
open? I do require complex passwords, but I am worried about exploits
on these ports that will negate the authentication taking place on the
server.

Should I be looking at another product or solution? I do want to try
and keep the cost under $1500.

Are there any remote client side issues that are going to be
problematic? (I hear people complain about WatchGuard's Java applet
having to be left open, but I can live w/ something like that)

Any other comments or suggestions would be appreciated.

Thanks
Tracy Kennison
