SSL VPN features in NextGen Firewall VPN

SSL VPN NextGen Firewall

3 replies to this topic

#1 MILD

MILD
  • Members
  • 2 posts

Posted 22 January 2019 - 09:35 AM

Hello,

We have 2 Barracuda appliances, 1 SSLVPN 280 and 1 NextGen Firewall F80. We planned to run the VPN in the newer version, but discovered that it didn't have all the features of the old SSL VPN 280, for example OTP by email, so we chose the old version.

My question is: when will Barracuda implement the old features in the new version of the VPN?



#2 Gavin Chappell

Gavin Chappell
  • Moderators
  • 426 posts
  • LocationNottingham, UK

Posted 22 January 2019 - 09:46 AM

OTP by email was deprecated deliberately - this was in the legacy SSL VPN appliance since (I believe) before the acquisition of the original vendor in 2008.

 

However, times move on. Where OTP by email used to be "the way that everyone does it", now it's getting too complex (what if I'm overseas in an Internet cafe or public kiosk and don't have the right roaming package to get email on my phone, or I don't have any on-prem mailflow anymore because I use the cloud, or what happens if the email goes to spam because it refers to passwords, etc). The more common approach now is to use Google Authenticator (which is actually nothing to do with Google, but is an implementation of the public RFC 6238 describing Time-based One Time Passwords) - this has a bunch of advantages, the biggest of which is that it's completely offline. If you find yourself somewhere where you have no access to email on your smartphone, as long as you have the smartphone itself and the time is approximately synchronised, you can still log in and get access to what you need. This is supported by the CloudGen Firewall and is the new way to use OTP for authentication. There are also options using RADIUS; some RADIUS server vendors also have the ability to configure multiple authentication factors, which the CloudGen Firewall can take advantage of.

The changeover in products between the legacy appliance and the Firewall-integrated SSL VPN made it a perfect time to remove (or not port over) some features which were not commonly used and do not make much sense; OTP by email was certainly one of them and the other missing features you refer to may be in a similar situation. If there are other features which you feel are missing and are still relevant today, then you can submit them to our feedback portal (http://netsecfeedback.barracuda.com/) where they can be reviewed by Product Management, voted for by other customers so that we can get a measure of how important a particular feature is by how many people want it, and potentially implement the feature.



#3 MILD

MILD
  • Members
  • 2 posts

Posted 24 January 2019 - 04:14 AM

Well, it's not all companies that have the privileges of cloud services. As our company in the security business can't work with our work overseas and can't take work with us to another continent, we use this as a tool inside our borders; as such SSL VPN has been great. From what I can see online in reviews and on other VPN comparison sites, most people who had SSL VPN have now chosen another VPN that can deliver what they need. I prefer Barracuda because I have learned how to use it, and find it a great tool. So I can't think that Barracuda has stuck its head in the sand and seen the screams of their customers' disappointment in the matter.

I would love to use the new NextGen Firewall with Google auth, but the VPN itself was missing too much from its parent, as we still run the old machine but are in need of an upgrade!



#4 Gavin Chappell

Gavin Chappell
  • Moderators
  • 426 posts
  • LocationNottingham, UK

Posted 24 January 2019 - 04:23 AM

Not sure why you mention "the cloud" - like I said, Google Authenticator is really just a branding name, as we needed a term that customers were familiar with and at the time the feature was developed Google Authenticator was the most common implementation. The protocol itself is generic and used by other vendors; it is not cloud-based and there is no communication between your devices and any third party. All that is required is that the SSL VPN and your smartphone have the same key to seed a random number generator, and that the time is in sync within ~30 seconds so that they can both independently generate the same random code.

For all intents and purposes, you could replace your legacy SSL VPN appliance using OTP-over-email with a CloudGen Firewall using Google Authenticator, and there would be the same level of security with no downsides.

 

Since you are still using a legacy SSL VPN appliance, I should ask you to read the post about maintenance mode. There will be no further upgrades to this appliance, only essential security fixes. No new features have been added since November 2016 when the announcement was made, and none will be added in future. And if you feel there are features missing from the replacement product (the CloudGen Firewall), please post about them in the feedback forum that I gave you the link to, as this is the correct way to address a feature request with the correct visibility by Product Management.
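
Added example, not part of the original thread and not Barracuda's code: a minimal RFC 6238 TOTP generator and verifier in Python, showing how a shared key plus roughly synchronised clocks let both sides derive the same code offline. RFC 6238 computes an HMAC-SHA1 over the 30-second time-step counter; the key is the RFC's published test seed, and the `verify` name and its one-step drift window are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)
KEY = b"12345678901234567890"  # RFC 6238 SHA-1 test seed, not a real secret


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC the 8-byte counter, then dynamically truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of last byte picks the 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = number of 30 s steps since epoch."""
    return hotp(key, unix_time // STEP, digits)


def verify(key: bytes, submitted: str, server_time: int, window: int = 1):
    """Return the matching step offset (-window..+window), or None.

    A window of 1 tolerates a client clock about 30 s off in either
    direction. A production verifier should also remember the last accepted
    step per user and refuse to accept it twice (replay protection).
    """
    counter = server_time // STEP
    matched = None
    for drift in range(-window, window + 1):
        candidate = hotp(key, counter + drift, len(submitted))
        # Constant-time comparison; check every candidate before returning.
        if hmac.compare_digest(candidate, submitted):
            matched = drift
    return matched


if __name__ == "__main__":
    server_now = 59                      # constructed server clock
    phone_code = totp(KEY, server_now + 25)   # phone clock runs 25 s fast
    print("phone shows:", phone_code)
    print("accepted at drift:", verify(KEY, phone_code, server_now))
    print("2 min skew:", verify(KEY, totp(KEY, server_now + 120), server_now))
```

Widening `window` tolerates more clock skew but also lengthens the time a captured code remains usable, so keep it small and fix time synchronisation instead.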