WATCHGUARD® FIREBOX™ SYSTEM

DATA SHEET
WATCHGUARD FIREBOX SYSTEM
®
™
Easy To Install. Easy To Manage. Always Up-To-Date.
Overview
The WatchGuard Firebox System is a comprehensive firewall
and VPN security solution that reduces the time and resources
required to secure your network. Unlike traditional firewall and
VPN products that are difficult to install and maintain, the
WatchGuard Firebox System is simple to install and can be
managed from a central location.
A selection of Firebox models lets you choose the best combination of performance, features and price for your business.
WatchGuard also offers optional products to expand the
capabilities of your Firebox System. Every Firebox
System includes a one-year subscription to the LiveSecurity™
Service, an annual subscription service that delivers software
updates, security information alerts, and technical support
directly to you.
Firebox III System Security Features
TM
The WatchGuard Firebox System includes a comprehensive
suite of security software. WatchGuard’s firewall technologies
let you control incoming and outgoing traffic between the
Internet and your protected networks. Network Address Translation (NAT) makes it possible to hide your internal IP
addresses from the external network, and to allow internal hosts with unregistered IP addresses to function as Internetreachable servers. Mobile User and Branch Office Virtual Private Networking (VPN) allow you to set up secure communication tunnels between your protected network and traveling employees,
branch offices, and trading partners. User Authentication allows you to configure access rules by user or group. URL
Filtering improves productivity by filtering or blocking Web site privileges.
Firewall
• Security Proxies are used to apply filter rules to the
contents of TCP/IP packets.
• Stateful Dynamic Packet Filtering lets you build
filtering rules based on the state of the connection.
• Anti-spamming Filter, SpamScreen ® option enables
you to automatically tag or deny e-mail received from
questionable sources.
Network Address Translation
• Dynamic NAT hides internal IP addresses from the
external network.
• Static NAT allows internal hosts with unregistered IP
addresses to function as Internet-reachable servers.
• One-to-one NAT allows mapping of a range of IP
addresses to an alternate range of IP addresses.
• Scan Detection automatically detects and blocks port
scanning attempts.
• Spoofing Detection protects internal hosts against
spoofing by hostile external hosts.
• Site Blocking prohibits certain Internet addresses from
accessing your protected networks.
• Port Blocking prohibits access to dangerous ports in
your TCP and UDP services.
• Synflood Protection stops Synflood denial of
service attacks.
User Authentication
• Positively identifies users and defines “user” and
“group” policies.
• Authenticates users against Windows NT ® servers,
RADIUS™ - compliant authentication servers (as defined
in RFC 2138), SecurID® and CRYPTOCard® authentication, and WatchGuard’s built-in authentication.
2 | WATCHGUARD FIREBOX SYSTEM
DATA SHEET
WatchGuard Mobile User VPN
URL Filtering (WebBlocker™) Lets You:
Mobile User VPN secures communications between traveling
employees and your protected network. Mobile User VPN
lets you create VPN tunnels in one of two ways:
• Block Web site categories as defined by the CyberPatrol®
database.
• WatchGuard’s PPTP-based Remote User VPN is included
in each Firebox™ System. Traffic is encrypted using RSA
RC4 encryption standard and users are authenticated
using MS-CHAP against a user/password list maintained
in the Firebox configuration.
• WatchGuard Mobile User VPN IPSec clients are available
when you need even more reliability and standardscompliance. These clients are included with the Firebox
1000, 2500, and 4500, and are optional for the Firebox
700 and Firebox SOHO. Once installed, traffic is
encrypted using DES or 3DES-CBC encryption and data
packets are authenticated using MD5 or SHA-1.
• Manually add or block specific sites.
• Customize screen messages for blocked sites.
• Improve productivity by managing employee Internet
access during the workday.
Firebox III Family Appliance Architecture
The WatchGuard Firebox appliance is equipped with a
security-hardened Linux-based operating system, and
dedicated to the task of Internet security. Solid-state
architecture removes the risk of hard drive failure and disk
crashes. Three independent network interfaces allow you to
separate your protected office networks from the Internet
while giving you an optional public network to host Web,
e-mail, or FTP servers.
WatchGuard Branch Office VPN
WatchGuard supports the latest version of the IPSec
standard that uses the Internet Key Exchange (IKE)
protocol for dynamically negotiating keys. IKE enhances
security and enables the Firebox to establish a secure,
standards-based VPN connection with other network
devices that support IKE.
Branch office VPN tunnels may also be established with
WatchGuard’s Proprietary Encryption Protocol using RSA
RC4 encryption standards.
Each network interface is independently monitored and
visually displayed on the front of the Firebox to indicate
connectivity and Armed/Disarmed status. The TrafficMeter
displays the trusted external and optional interfaces (green
bars show the direction of allowed traffic, red lights
indicate denied traffic). The Sys A /Sys B display indicates
whether the Firebox is running your defined security policy
or is in configuration mode.
Firebox SOHO and SOHO|tc Security Features
The Firebox SOHO security appliances offer easy to use broadband firewall protection for small offices and telecommuters
with up to 50 computers. The Firebox SOHO lets you network your computers using a single broadband connection. Just plug
the Firebox SOHO in between your cable, DSL or ISDN router and your network, and you can exchange mail and share files,
printers and other peripherals. You can easily manage your network from your browser.
The Firebox SOHO products support the most current Internet security technology including firewall packet filtering, Internet
sharing, office networking and come with a one-year LiveSecurity Service subscription.
The Firebox SOHO|tc comes with the VPN option that allows you to easily create VPN tunnels for telecommuters and remote users.
VPN tunnels present a simple and secure way to exchange information over the Internet.
• Stateful Dynamic Packet Filtering lets you build
filtering rules based on the state of the connection.
• Security Services support DHCP, PPPoE, ICQ, Real®
Audio/Video, NetMeeting, Intel® Video Phone, and
SOCKS5® (Version 5).
• Remote Management lets you manage the Firebox
SOHO with complete security using 3DES encryption from
a browser-based interface.
• Dynamic NAT hides internal IP addresses from the
external network.
• Anti-Virus protects computers with from viruses using
the McAfee® VirusScan® ASaP anti-virus service.
• Static NAT allows internal hosts with unregistered IP
addresses to function as Internet-reachable servers.
• URL Filtering option is a powerful tool to control Web
usage. WebBlocker™ ensures Web usage is in compliance
with your acceptable use policies.
• Scalable Platform with complete integration with
Firebox III models for maximum security for Internet
distributed enterprises.
• Branch Office VPN option for Firebox SOHO (Included
with SOHO|tc) supports up to 5 concurrent IPSec VPN
tunnels.
• Mobile User VPN option supports up to 5 concurrent
IPSec VPN tunnels.
3 | WATCHGUARD FIREBOX SYSTEM
DATA SHEET
Additional Products
WatchGuard also offers additional products that enhance
the capabilities of your Firebox System, allowing it to grow
with your business.
VPN Manager
WatchGuard High Availability
Simplify Setup and Management of VPNs.
Configure a Redundant Firebox.
WatchGuard’s VPN Manager software lets you set up and
manage multi-site VPNs in three simple steps. 4-node
licenses are included with the Firebox 1000, 2500, and
4500.
WatchGuard High Availability software lets you install a
second, standby Firebox on your network to ensure virtually
uninterrupted network access.
SpamScreen®
Mobile User VPN
Integrate IPSec-Compliant Remote Access.
Mobile User VPN gives your traveling employees secure,
standards-based remote access to your corporate network.
5- to 20-node licenses are included with Firebox 1000,
2500 and 4500.
McAfee VirusScan ASaP
Strong Anti-virus Protection.
WatchGuard and McAfee have joined forces to bring you the
best anti-virus protection available today through a subscription to the McAfee VirusScan ASaP program. A
5-node license is included with Firebox III models, and a
1-node license is included with Firebox SOHO models.
Fight the Deluge of Junk E-mail.
An advanced anti-spamming filter that checks incoming
messages against lists of questionable sources.
WebBlocker™ for Firebox SOHO
Easy to use URL Filtering.
WebBlocker for the WatchGuard SOHO and SOHO|tc is a
powerful tool for managing Web usage in a small office or
remote office.
4 | WATCHGUARD FIREBOX SYSTEM
DATA SHEET
WatchGuard® Firebox™ System Technical Specifications
Component
Technology and Protocols Supported For:
Firebox 700, 1000, 2500, 4500
WatchGuard Secure Management
Management Platforms
• Windows® 95/98/2000/NT® 4.0
Browsers
• Internet Explorer 5.0 and higher
• Netscape Navigator 4.7 and higher
Reporting
• Internet Explorer 5.0 and higher
Management Session
• 3DES-CBC 128-bit encryption
Out-of-Band Management
• PPP, 3DES-CBC 168-bit encryption
Logging
• DES-CBC 56-bit encryption
WatchGuard Security Features
Firewall
Dynamic Stateful Packet
Filter
• All static port TCP/IP services
Security Proxies
• SMTP, HTTP, FTP, DNS, DCE-RPC,
H323, RTSP, RealNetworks,
StreamWorks, VDOLive
Scan Detection
• Proprietary (port and address)
Spoofing Detection
• Proprietary
Site Blocking
• Static (permanent blocking) or
Dynamic (configurable from 1 to
32,767 minutes)
Port Blocking
• Default for easily exploited TCP/IP
services like X Windows and rlogin
Synflood
• Proprietary
Other supported services
Firebox SOHO and SOHO|tc
• Support all leading platforms
• Internet Explorer 5.0 and higher
• 3DES-CBC 128-bit encryption
• All static port TCP/IP services
• DHCP, PPPoE, ICQ, RealAudio/Video,
NetMeeting, Intel Video Phone,
SOCKS V.5
Network Address Translation
Dynamic NAT
• Port-to-internal host mapping
Static NAT
• IP address-to-IP address mapping
One-to-One NAT
• Range-to-range address mapping
• Port-to-internal address mapping
• IP address-to-IP address mapping
5 | WATCHGUARD FIREBOX SYSTEM
DATA SHEET
WatchGuard® Firebox™ System Technical Specifications
Component
Technology and Protocols Supported For:
Firebox 700, 1000, 2500, 4500
WatchGuard Security Features Cont’d
User Authentication
• Windows NT®, RADIUS™, SecurID®,
CRYPTOCard®, and Firebox
Authentication Server.
Branch Office VPN
IPSec Tunnel
• MD5-HMAC authentication algorithm
• SHA1-HMAC authentication algorithm
• DES-CBC 56-bit encryption
• 3DES-CBC 168-bit encryption
• Internet Key Exchange (IKE)
• Manual Key Negotiation
• Phase 1 Negotiation
WatchGuard Proprietary
Tunnel Encryption
Remote User VPN
PPTP Tunnel
• WebBlocker user authentication
• MD5-HMAC authentication algorithm
• SHA1-HMAC authentication algorithm
• DES-CBC 56-bit encryption
• 3DES-CBC 168-bit encryption
• Internet Key Exchange (IKE)
(These options are included with the
SOHO|tc, optional with the SOHO)
• ARC4 40-bit encryption
• RC4 128-bit encryption
• ARC4 40-bit encryption
• RC4 128-bit encryption
IPSec Tunnel (optional with • DES-CBC 56-bit encryption
Firebox 700 and SOHO)
• 3DES-CBC 168-bit encryption
URL Filtering
Controllable Variables
Firebox SOHO and SOHO|tc
• ARC4 40-bit encryption
• RC4 128-bit encryption
• PPTP passthrough
• DES-CBC 56-bit encryption
• 3DES-CBC 168-bit encryption
• IPSec passthrough
• 14 defined Web site categories
• Define user/group access privileges
• Define operational and nonoperational hours access privileges
• Define exceptions to Web site
categories
• 14 defined Web site categories
• Define user/group access privileges
• Define operational and nonoperational hours access privileges
• Define exceptions to Web site
categories
• Web site login protected by SSL
• VeriSign digital certificates
• X.509 V3 certificate, 1024-bit key
• Web site login protected by SSL
• VeriSign digital certificates
• X.509 V3 certificate, 1024-bit key
Code Signing
• VeriSign digital code signing
certificate
• Microsoft Authenticode™
• VeriSign digital code signing
certificate
• Microsoft Authenticode™
Broadcast Availability
• E-mail
• E-mail
LiveSecurity Service
Authentication
6 | WATCHGUARD FIREBOX SYSTEM
DATA SHEET
Firebox 4500
•
•
•
•
•
•
•
•
Firebox 2500
• 3 RJ45 10/100 Tx Ethernet interfaces
• 1 DB-9 serial port
• 500 MHz AMD K6-IIIE+ processor
• 128 MB SDRAM
• 8 MB Flash disk
• 100-240 VAC, 50/60 Hz
• 15.5” W x 2.85” H x 10.5” D
• On-board hardware encryption
Firebox 1000
• 3 RJ45 10/100 Tx Ethernet interfaces
• 1 DB-9 serial port
• 300 MHz AMD K6-IIE processor
• 64 MB SDRAM
• 8 MB Flash disk
• 100-240 VAC, 50/60 Hz
• 15.5” W x 2.85” H x 10.5” D
• On-board hardware encryption
Firebox 700
• 3 RJ45 10/100 Tx Ethernet interfaces
• 1 DB-9 serial port
• 233 MHz AMD K6-IIE processor
• 64 MB SDRAM
• 8 MB Flash disk
• 100-240 VAC, 50/60 Hz
• 15.5” W x 2.85” H x 10.5” D
Firebox SOHO, SOHO|tc
• WAN: 1 RJ45 10BaseT Ethernet interface
• LAN: 4 RJ45 10BaseT Ethernet interfaces
• Toshiba TMPR 3907 CPU
• 4 MB SDRAM
• 1 MB Flash memory
• 6.5” W x 1.0” H x 6.1” D
• On-board hardware encryption
U.S. SALES:
1.800.734.9905
E-MAIL:
information@watchguard.com
INTERNATIONAL SALES:
206.521.8340
ADDRESS:
505 Fifth Avenue S, Suite 500
Seattle, WA 98104
FAX:
206.521.8342
WEB:
www.watchguard.com
3 RJ45 10/100 Tx Ethernet interfaces
1 DB-9 serial port
500 MHz AMD K6-IIIE+ processor
256 MB SDRAM
8 MB Flash disk
100-240 VAC, 50/60 Hz
15.5” W x 2.85” H x 10.5” D
High performance encryption accelerator PCI card
© 2001 WatchGuard Technologies, Inc. All rights reserved.
WatchGuard, SpamScreen and LiveSecurity are either trademarks
or registered trademarks of WatchGuard Technologies, Inc. in the
United States and other countries. Firebox and Designing peace
of mind are trademarks of WatchGuard Technologies, Inc. McAfee
and VirusScan are registered trademarks of Network Associates,
Inc. All other trademarks and tradenames are the property of their
respective owners.
Part # 10001WGCLE500012