TRUSTED IDENTITIES, MANAGED ACCESS
Implementing an Identity and Access Management Strategy for the Mobile Enterprise
June 2008

Introduction

Whether you are looking to securely deliver applications and data to remote employees, secure online business relationships, or deliver convenient identity and access solutions to your end customers, implementing an identity and access management strategy for the mobile enterprise is a key objective for many of today's enterprises. Most organizations have taken a piecemeal approach to deploying mobile identity and access management, including VPNs, authentication, or single sign-on products. Now, with evolving security threats and spiraling costs of managing security, many are looking to deploy integrated security solutions rather than additional disparate products.

Whether your requirement is simply for a leading clientless VPN or authentication product, or for a complete entry-to-exit solution for your mobile enterprise, WatchGuard SSL offers a comprehensive, integrated, and secure way to enable any user to connect to specific applications and data resources anytime, anywhere.

WatchGuard Technologies
www.watchguard.com

Clientless VPN

Many organizations start their mobile access strategy with an SSL VPN. Securing communication from a user's device to the applications and data being accessed is critical in ensuring a safe and productive working environment. WatchGuard SSL helps optimize the user experience with the following:

• Clientless - WatchGuard SSL removes the need to install proprietary software on a remote device and uses standard web browsers (e.g., Internet Explorer, Firefox, Safari) for access. This results in users having access from any location and any device to all designated applications and data through an encrypted connection. WatchGuard SSL keeps deployment and ongoing support easy by eliminating the requirement to install software on remote devices.
• Strong Encryption - WatchGuard SSL utilizes industry standard encryption to ensure users' communications are safe from eavesdropping.
• User-Friendly Portal - WatchGuard SSL creates a device-friendly portal to present a user's applications and resources. Reduced sign-on allows the user to log on once and have access to everything in the portal. The portal auto-detects the device being used and adapts the browser-based portal according to the form factor of the device.

Figure 1: The look and feel of the WatchGuard SSL portal can be customized. This provides users an easy way to access applications and resources all with the click of a button.

• Broad Application Side - WatchGuard SSL supports all applications including web-based, client/server, mainframe, terminal server, and file servers.
• Scalability & Performance - The WatchGuard SSL VPN solution allows you to cluster appliances to ensure scalability and performance.
• Built-in Business Continuity/High Availability - Each WatchGuard SSL Access Point can be mirrored at no additional cost. This guarantees 24x7 access.

Authentication

Identities can be faked or stolen, which is why organizations must have bullet-proof authentication in place to ensure sensitive data is not breached. WatchGuard SSL provides strong authentication with the following benefits:

• Mobile Two-Factor Authentication - By using a consumer device the user already owns, such as a mobile phone, PDA, or BlackBerry, users can generate a unique one-time password (OTP). Deploying two-factor authentication becomes convenient and fast. This also lowers costs by removing the need to acquire specialized proprietary hardware.
• Web Key Pad Authentication - WatchGuard SSL unique one-factor authentication protects the user and organization from keystroke-logging malware.
• 3rd Party Authentication Support - WatchGuard SSL supports up to 14 different authentication methods including token-based solutions from RSA, Vasco, and VeriSign. WatchGuard SSL makes it easy to leverage the investment you've made in an existing authentication mechanism.
• Cost-Effective to Deploy and Manage - With none of the delivery, breakdown, replacement, and on-going management costs of hardware tokens, WatchGuard SSL MobileID offers significantly reduced TCO.

Single Sign-on and Federated Identities

Remote users interact with multiple back-end applications and data resources during an SSL VPN session. To simplify the user experience, technologies like single sign-on and next generation federated identities mean that disparate application and data resources can appear as one homogenous group.

• Single Sign-On - Access to resources without having to re-authenticate improves the user experience.
• Federated Identity - By using the SAML (Security Assertion Markup Language) 2.0 standard, one digital identity can be used to access multiple domains without the need for extra and costly user enrollment. This is ideal for business-to-business partnerships, as well as mergers and acquisitions.
• Standards-based - WatchGuard SSL utilizes the latest SAML 2.0 standard and is compliant with any existing third-party identity federation deployments.

Endpoint Integrity and Protection

In order to prevent the introduction of malware to the corporate network, remote end user devices must be checked for integrity to ensure health and policy compliance. As threats to devices increase, this is a crucial step in providing in-depth security. WatchGuard SSL device assessment includes the following:

• Deep Device Examination - Pre-connection scanning of every device (e.g., laptop or PDA) to ensure policy compliance. Attributes can include network interface information, application, file, or operating system requirements.
For example, is anti-virus software installed on the endpoint, and is it up to date?
• Real-Time Scanning - Continuous scanning of the device throughout a session protects against remote devices that become non-compliant or violate policy during a session.
• Access Client Security - Ensures only pre-approved applications can connect to the VPN tunnel and protects against external connections through the device into the corporate network by making access exclusive.
• Session Cleanup - Removes all traces of access from the endpoint on completion of the session including cookies, URL history, cached pages, registry entries, and downloaded components.
• Heterogeneous - ActiveX and Java support means examination of a broad group of devices.

Mid-point Integrity

New measures must be taken to determine the integrity of wireless access points to ensure no leakage of corporate or personal data. WatchGuard SSL addresses this by offering the following:

• WPA Authentication - Authenticate corporate wireless access points with Wi-Fi Protected Access (WPA).
• Differentiation - Discriminate between users connecting through a pre-authenticated trusted access point, and an untrusted access point.

Identity and Access Policy Management

Combining all aspects of an identity and access management system into a single, cohesive, and integrated policy delivers significant security, scalability and auditing benefits to an organization. Leveraging the core technologies outlined above, a rich access control policy can be created which adaptively grants granular application and data resource access based on the security of the user's workspace. Factors that can be included in the policy can be:

• Endpoint Integrity - Grant access based on device type, endpoint integrity, etc.
• Authentication Level - Grant access based on authentication level (two-factor or one-factor).
• User Role - Grant access based on a user's role or group membership.
For example, is the user in marketing, sales, engineering, or finance? Are they an employee, partner, or customer?
• Network - Grant access based on whether or not the network is trusted or unknown.
• Point of Entry - Grant access based on which WatchGuard SSL access point is used (e.g., London, New York, Tokyo).
• Point of Entry - The WatchGuard SSL access point used (e.g., London, New York, Tokyo) determines which local applications may be seen.
• Mid-Point Integrity - Grants access based on the security of the mid-point integrity check.

Audit

For regulatory compliance and corporate governance it is imperative that you know who did what, when, and where. WatchGuard SSL includes an array of features that help organizations meet compliance regulations, including:

• Consolidated audit - WatchGuard SSL collects all identity and access activity (user- or system-based) in a central repository for easy access. This results in quick and in-depth insight into the activities across the organization. WatchGuard SSL is fully compliant with Sarbanes-Oxley, Gramm-Leach-Bliley, HIPAA, Basel II, and 21 CFR Part 11, among many others.
• Comprehensive audit - In-depth audit of device assessments, authentication, and access collected in a secure, central location. Find out exactly who did what, when, where, and how.
• Graphical reports - All information in the WatchGuard SSL audit logs can be shown in many different graphical formats, including pie charts, line charts, 3D charts, and bar charts, in both real time and over a historical period. Reports can be run in these different categories:
  o Assessment
  o Authentication
  o Authorization
  o Access
  o Audit
  o Abolish
  o System health
  o Performance

Figure 2: Exportable reports. For further data mining and asset management, WatchGuard SSL can export audit data to Excel or Crystal Reports.

Enterprise Administration

WatchGuard SSL provides a central administration console for administrating all aspects of identity and access control including endpoint integrity, clientless VPN, single sign-on and federated identities, authentication, mid-point integrity, policy management, and auditing for reduced administration costs and enterprise scalability. Other features include:

• Delegated Management - Shift administration rights from one organizational level/department to a lower one.
• Multi-Domain Support - Domain customization for user portal, with central administration.
• Real-Time Alerts - Threshold-based triggers and alerts for proactive awareness through email and SMS.

More Information

For more information about WatchGuard and the WatchGuard SSL solution, visit www.watchguard.com.

ADDRESS: 505 Fifth Avenue South, Suite 500, Seattle, WA 98104
WEB: www.watchguard.com
U.S. SALES: +1.800.734.9905
INTERNATIONAL SALES: +1.206.613.0895

ABOUT WATCHGUARD

Since 1996, WatchGuard Technologies has provided reliable, easy to manage security appliances to hundreds of thousands of businesses worldwide. Our Firebox X family of unified threat management (UTM) solutions provides the best combination of strong, reliable, multi-layered security with the best ease of use in its class. Our newest product line, the WatchGuard SSL, makes secure remote access easy and affordable, regardless of the size of your network. All products are backed by LiveSecurity Service, a ground-breaking support and maintenance program. WatchGuard is a privately owned company, headquartered in Seattle, Washington, with offices throughout North America, Europe, Asia Pacific, and Latin America. For more information, please visit www.watchguard.com.

No express or implied warranties are provided for herein. All specifications are subject to change and any expected future products, features or functionality will be provided on an "if and when available" basis.
© 2008 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard Logo, Firebox, and LiveSecurity are either registered trademarks or trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other trademarks and tradenames are the property of their respective owners. Part No. WGCE66560_062408

WatchGuard Technologies, Inc.

What a WatchGuard SSL appliance provides for your business:

PRODUCTIVITY

• Remote employees have easy access to essential corporate resources including email, web conferencing, and CRM from any web-enabled device
• Non-native applications, including SSH and RDP, can be delivered through a remote user's web browser for maximum productivity
• Time-to-value is determined in minutes. Basic configuration enables end users to simply double-click an icon and authenticate, and the access client automatically loads, establishing an SSL tunnel for complete access to the backend network
• Desktop-sharing features minimize downtime by allowing your helpdesk to connect to a remote employee's device to troubleshoot technical problems

EASE OF USE

• An all-in-one appliance, just plug and play, with no additional software components to buy, install, or manage
• Users log on once and have access to everything in the portal; no need for them to waste time repeatedly re-authenticating themselves
• IT administrators can have the appliance up and running quickly
• Consolidated auditing collects all information about access, identity, and system events in a central repository for quick insight into user and system-based activities

SECURITY

• Comprehensive endpoint integrity checking ensures network protection by allowing organizations to configure and enforce endpoint compliance including checks for anti-virus, anti-spyware, firewall software, and many other device attributes
• Session clean up removes all traces of access from the endpoint including file deletion and cache cleaning to prevent data leakage through another user's covert re-entry to network resources
• Local and third party authentication support, including strong authentication, ensures only authorized users can access the network, keeping intruders out

FLEXIBILITY

• Client and clientless access including Vista and 64bit support
• Can be used for the simplest deployment, or IT administrators can take it to the next level by taking advantage of endpoint integrity checking, Java-based application delivery, bi-directional tunneling, and more
• Uniquely capable of supporting any class of applications. Administrator can choose to publish only web applications, create tunnels to network or specific resources, as well as deliver applications to the desktop for more sophisticated use
• IT administrators can integrate solution with existing third-party authentication solution, such as Microsoft Active Directory, or rely on onboard LDAP server to configure local authentication, as well as use built-in two-factor authentication including SMS-based tokens and web keypad for identity validation
• All information in audit logs can be shown in multiple graphical formats for current and historical reporting, and be exported to third-party utilities, such as Excel or Crystal Reports, for further data mining and asset management

Recommended for small to mid-size businesses with up to 100 concurrent remote users

The WatchGuard SSL 100 is an affordable, easy-to-use secure remote access appliance that provides reliable connectivity to corporate data and resources for anywhere, anytime productivity.

The beauty of this product is its flexibility. It allows a business to make its secure remote connectivity deployment as simple or as sophisticated as its business requirements dictate, and at a very attractive price.

For small businesses looking for extreme ease of use, this means remote access to standard network resources can be maintained with virtually no management overhead. And for end users, remote access is a breeze.
Businesses with more complex needs can choose to use a mix of both tunnel and portal-based resources, provide technical support to a remote user's desktop, and control access based on a granular user/device criteria.

Earth-friendly technology

WatchGuard SSL 100 allows you to deliver the level of remote access you need, at a price you can afford.

WatchGuard SSL 100
For anywhere, anytime secure remote access
Datasheet

No express or implied warranties are provided for herein. All specifications are subject to change and expected future products, features or functionality will be provided on an "if and when available" basis. © 2009 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, Firebox, Fireware, LiveSecurity, and Core are either trademarks or registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other tradenames are the property of their respective owners. Part No. WGCE66629_051109

Dimensions and Power for WatchGuard SSL 100 (WG100000)

Product Dimensions: 1.75" x 16.75" x 14.25" (4.5 x 42.6 x 36.2 cm)
Shipping Dimensions: 7.25" x 21.75" x 19.0" (18.4 x 54.6 x 48.3 cm)
Shipping Weight: 13.7 lbs (6.21 Kg)
AC Power: 100-240 VAC Autosensing
Power Consumption: U.S. 60 Watts (860 Cal/min or 205 BTU/hr)
Rack Mountable: Yes

[Figure: WatchGuard SSL 100 appliance hardware, labelled: LCD navigation buttons, power lights, network status lights, LCD display, console port, network interfaces, power supply, on/off switch, cooling fans.]

* WatchGuard SSL 100 supports 100 simultaneous authenticated users, each with multiple connections.

[Figure: network deployment diagram, labelled: Internet; DMZ; WatchGuard SSL; Firebox X or other firewall; authentication services (local, third party); secure client access; secure clientless access; corporate laptops, public computers, partner computers, mobile devices, unmanaged computers; CRM, order entry, inventory; file servers (FTP, SMB, file & print services); email servers; web & application servers.]

WatchGuard SSL 100 supports up to 100* concurrent sessions. It is uniquely capable of supporting any class of application. Drop it into your network and your remote users can have access to all the applications they need to stay productive, including web-based, client/server, mainframe, terminal server, file servers, & online collaboration tools.

Expert Guidance and Support

LiveSecurity Service from WatchGuard is the most comprehensive support and maintenance offering in the industry, putting a global team of security experts behind you to make the complex job of IT security management easier. LiveSecurity provides:

• Hardware warranty with advance hardware replacement
• Free software updates
• Technical support with a targeted four-hour response time
• Up-to-the-minute security alerts
• Innovative educational resources, including podcasts, videos, and handy security-training modules for end users

An initial 90-day LiveSecurity subscription is automatically activated for a new WatchGuard SSL 100 when the appliance's user packs are activated.