WatchGuard Firewall Appliances Free from SSL VPN Vulnerability that Affects Cisco, Juniper and SonicWall
WatchGuard® Technologies, a global leader in business security solutions, today confirmed that the SSL VPN technology used in its multifunction firewall appliances is immune to the recently discovered SSL VPN vulnerability that affects Cisco, Juniper and SonicWall.
"As mobile workers rely on SSL VPN technology to securely connect to their remote offices or corporate networks, they need reliable connectivity solutions that are free from hackers," said Eric Aarrestad, VP of Marketing at WatchGuard Technologies. "Unlike customers who rely on networking vendors to provide network security, WatchGuard customers can rest assured knowing that their remote and mobile employees can safely and securely connect to mission critical networks, applications and data without exposing their business to undue risks."
This vulnerability, which is in essence a session-hijacking attack, is documented by US-CERT (United States Computer Emergency Readiness Team) at http://www.kb.cert.org/vuls/id/261869. By convincing a user to view a specially crafted web page, a remote attacker may be able to obtain VPN session tokens and read or modify content (including cookies, script, or HTML content) from any site accessed through the clientless SSL VPN.
US-CERT notes that this vulnerability can be used "to bypass authentication or conduct other Web-based attacks." Currently, there is no known fix. This makes it a critical issue worldwide, because so many remote and mobile workers use VPN connections to access internal servers for mail, file-share drives, collaboration tools and other critical applications and files.
All WatchGuard multifunction firewall appliances provide highly secure SSL VPN functionality and are not affected by this particular SSL problem as described by US-CERT. WatchGuard customers with up-to-date Firebox Edge, Core or Peak series appliances are immune. Additionally, the new WatchGuard XTM series of enterprise appliances, the XTM 8 Series and XTM 10 Series with SSL VPN capabilities, are not affected.
Likewise, the new WatchGuard SSL VPN stand-alone appliances, the WatchGuard SSL 100 series, are not affected when used with the free WatchGuard Access Client. Furthermore, mirroring US-CERT recommendations, all WatchGuard SSL 100 series appliances come configured to limit URL rewriting to only trusted domains, which further mitigates exposure to this type of threat.
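The mitigation the release describes, limiting URL rewriting to trusted domains, is illustrated below as an added example; it is not WatchGuard's code and does not represent how any named product implements it. The gateway origin, the `/proxy/<scheme>/<host>/` path layout and the host names are constructed for the example; the allowlist check is applied both when links are rewritten and again on every inbound proxy request, since the rewritten link is not the only way a proxy URL can reach the gateway.

```python
"""Sketch of a clientless SSL VPN link rewriter restricted to an allowlist.
Everything here (hosts, gateway origin, path layout) is constructed."""
import re
from urllib.parse import urlsplit

# Constructed allowlist: the only internal hosts this gateway will front.
TRUSTED_HOSTS = {"mail.corp.example", "files.corp.example"}
GATEWAY = "https://vpn.example"   # hypothetical clientless VPN origin
PROXY_PATH = re.compile(r"^/proxy/(https?)/([^/]+)(/.*)?$")


def host_is_trusted(host):
    # Exact match only: a suffix check would accept "mail.corp.example.attacker.test".
    return host.lower().rstrip(".") in TRUSTED_HOSTS


def rewrite_url(url):
    """Return the gateway-relative form of url, or None if it must stay untouched."""
    p = urlsplit(url)
    if p.scheme not in ("http", "https") or p.username is not None or p.port is not None:
        return None                  # refuses userinfo tricks such as https://trusted@evil
    if not host_is_trusted(p.hostname or ""):
        return None                  # untrusted: the browser keeps the foreign origin
    path = p.path or "/"
    if p.query:
        path += "?" + p.query
    return f"{GATEWAY}/proxy/{p.scheme}/{p.hostname.lower()}{path}"


def rewrite_html(html):
    """Rewrite only href/src targets that point at trusted hosts; leave the rest alone."""
    def sub(m):
        new = rewrite_url(m.group(2))
        return f'{m.group(1)}="{new}"' if new else m.group(0)
    return re.sub(r'(href|src)="([^"]+)"', sub, html)


def proxy_target(request_path):
    """Resolve an inbound /proxy/... path to the origin URL, or None to reject it.
    Checked on every request: a crafted page can send the browser straight to a
    proxy URL the rewriter never produced, so rewrite-time filtering alone is not enough."""
    m = PROXY_PATH.match(request_path)
    if not m or not host_is_trusted(m.group(2)):
        return None
    return f"{m.group(1)}://{m.group(2).lower()}{m.group(3) or '/'}"
```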