Slashdot Mirror

← Back to Stories (view on slashdot.org)

Can Web Based VPN Solutions Do It All?

Posted by Cliff on from the aspiring-to-be-jack-of-all-trades dept.

Bingo Foo asks: "My company is in the process of reviewing replacements to our existing multi-platform VPN, which has now been discontinued. I was under the impression that every major vendor's OS ships with a VPN configuration solution. What gives? Are these not standard enough? Are they not secure enough? not flexible enough? Regardless, our IT department is leaning toward a clientless, web-based solution, which frankly sounds too good to be true. Can simply directing your browser at the portal allow X11, NFS, SMB, AFP, ssh, etc. transparently through the firewall? Anyone have experience with Neoteris and their VPN?"

48 comments

  1. It may be web based... by shadwwulf · · Score: 4, Interesting

    but it's not clientless.

    Last time I checked, without a java applet or some sort of client in the html page you can't do socket services. So it's just a client that loads from the web page.

    SW

    1. Re:It may be web based... by buttahead · · Score: 2, Interesting

      "clientless" typically means you don't need to manually install 200 clients. the java client takes care of everything, and when you close the session, there is nothing extra remaining on your system.

      this is also handy if your admins don't like worrying about installing things on your CEO's palm pilot.

    2. Re:It may be web based... by buttahead · · Score: 2, Interesting

      whoops... meant to add that "clientless" is a marketing thing.... so yes there is a client, but it is temporarily running and not installed locally.

    3. Re:It may be web based... by kjs3 · · Score: 1

      This is correct, and it must be the correct JVM. This has been an issue in our testing.

  2. Clientless does work by buttahead · · Score: 5, Informative

    Yes, it does work. It can be handy for connecting via windows/linux/unix/palm/mac and more. The key is that you use a capable browser to download a java (it could be something else) vpn client that runs. When using the browser, SSL protects you, and once the java client is running, you are running a non-installed client.

    I worked for a company, openreach, inc. that did a nice job on clientless VPN, although their bread-n-butter was site to site VPN.

  3. Is it a VPN? by ComputerSlicer23 · · Score: 5, Informative
    From what I've read, it's billed as an extranet. It's not a VPN according to some of the PDF's. Or rather, VPN's are a second generation security solution, and this is a step better then what third generation extranet's provided.

    This essentially looks like a custom security solution to deliver a specific set of protocols, via the web. So if you want to SSH, you connect over SSL to it, and then log into a Web application and run the SSH client. Possibly they have developed a wicked Java applet that runs on the local machine.

    You want to browse the shares, you do it via a web interface. Maybe with IE, it presents the share to you as a webdav environment so you can mount the share directly.

    I don't see anything there that leads me to believe I can run an arbitrary custom application over it. (ironically, this is one of the thinks they knock extranet's for). Call them up, ask if you can securely ship internal data over it.

    It sure looks like they essentially provide you with a proxy server that you connect to over SSL, that will proxy you on, or just give you access to some form of applet on it. Granted a nifty interface is pretty cool. But if all they are doing is providing you a web interface into the services, and not actually extending the network to you (which I have no idea how they could over a browser in any secure way and portable way). I really want to see a portable way to implement security so that I can Samba mount something via a web brower. Then essentially, this is just off the shelf software, put into an embedded system. While it's pretty neato, I'm guessing using apache, webmail, webmin, and a Java based SSH client, I could do all this with free software off the net.

    Ask to see a demonstration, where you get to run SSH on the command line. Ask to do secure copies over it. Ask to see port forwarding done over it.

    Ask to see it run your custom contact manager that your sales people use (Okay, that's what I'd ask for our sales people).

    Ask to see the configurations that allow arbitrary port forwarding. Ask to see how they can forward information from Quake securely, because you'd hate to get fraged by somebody snoping the net... :-)

    The clustering, and failover, and the fact that it's load tested, and has good support, make it extremely valuable. The fact that it has it's security tested, is very good. The actual functionality would be easy to construct with free software off the net as a cool project for a good IT staff.

    If your planning on spending real money with them, request a demo unit to test with for a month. If they won't give one up, I'd pass.

    Maybe they just run a Web version of VNC and let you have access to a client desktop. That'd be pretty cool. Not sure. Maybe it's cooler then I think, but I'm guessing it's not a true VPN solution, and if you want to do anything that isn't on their list of services, you'll need another solution to address that.

    Kirby

    1. Re:Is it a VPN? by foolish · · Score: 1

      Re: SSH.

      Works great, configuration option to limit who/where ssh tunnels can be established.

      Use it to ssh to one of the boxes that I need to check at night. No problems from my end.

    2. Re:Is it a VPN? by wfrp01 · · Score: 1

      So if you want to SSH, you connect over SSL to it, and then log into a Web application and run the SSH client.

      Whaa? Why are you running ssh over a vpn? That sounds like about the most convoluted way of running ssh I've ever heard of.

      --

      --Lawrence Lessig for Congress!
    3. Re:Is it a VPN? by ComputerSlicer23 · · Score: 1
      I'm not saying it's ideal, I'm just saying, that's my take on how the product works. I don't think this product is a VPN. It sure looks like it's an SSL connection to a website, which serves up WebApps to you to run. That's all the product is from my reading. If that's what you want, it's great. However, that isn't a VPN. It's a VPAS (virtual private application server, and yes I just made that up). I don't think the product sounds very useful, I wouldn't pay money for it. That's my personal opinion.

      I run SSH over a VPN, because I don't allow SSH connection from outside of my network. You've got to break the VPN, and then start attacking the network. Hopefully, I notice the VPN break in, and the it means when somebody scans port 22 on my network, I know I have a problem. Right now, out in the wild west that is the internet, port scans on port 22, are run of the mill. 0 day exploits of SSH are a serious problem, and I don't want to lose sleep of it.

      I've considered at various times setting up a specific Apache configuration to allow connections from only my range of IP's at home, and a handful of others I use on a regular basis. Then SSL and password protect an SSH Java Applet that will run under Mozilla/IE with a stock JVM from Sun. Then allow that to SSH into a specific internal machine, and then allow SSH connections from that machine to others. That way, I'd have several sets of logs, and several layers of network services that would have to be compromised to allow you to get onto my network.

      Instead, I just carry a IPSec capable ISO image (IPSec is what our VPN solution uses), and a keychain USB drive with the secret key. I boot of it pull the secret key off the keychain, and login via my VPN client. For extra bonus, no swap partition (so the secret key never ends up on the hard disk platter inadvertantly), only needs about 32MB of ram to boot, and has an ssh client on it. It does dhcp by default, otherwise I hand configure the network. The default firewall rules that are applied before the first interface comes up, ensure the only thing that can connect to me is the public IP of our VPN solution. If I lose my keychain, I immediately pull that key from the list of trusted keys. I want to VPN into the machine, all I need is a machine that boots from the CD-ROM, or that I can make boot from the CD-ROM, and a working ethernet tap. I don't go many places that don't have a cable modem and a computer, so this is pretty handy.

      Kirby

  4. Non standard VPNs still work by mnmn · · Score: 4, Informative

    I dont quite understand how a java applet configures the network interfaces on every OS to allow for VPN. Ive used various VPN solutions, from the ipsec in cisco routers to the pptp in linux and freebsd and l2tp between solaris and windows2000 clients. Also tried CIPE and didnt like the limitation to Windows2000 only.

    pptp/l2tp work with microsoft clients quite well and I dont see any problems there. L2TP being more scalable is preferable but:

    Ipsec is my favorite. It was designed from ground up as a VPN protocol rather than one protocol piggybacking on another. The list of ipsec support on freeswans page is huge for all OSes. It requires some downloads for windows machines, but face it, for any solution at all you will have to patch Windows.

    Oh yeah, just make sure your home network's upload speed is good, and the VPN server is not Windows 2000 (just use linux on a Pentium1) and all is well.

    --
    "Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
    1. Re:Non standard VPNs still work by Spoing · · Score: 1
      Also tried CIPE and didnt like the limitation to Windows2000 only.

      Linux (and *BSD? and OSX?) supports CIPE. I'm fighting with a corporate firewall right now, otherwise I'd be using it.

      Question for those fiddling with a mixed environment; Are the CIPE implementations you've used compatable cross operating systems?

      --
      A firewall can not protect you from yourself. Turn off what you do not need. Do not use the firewall to do your work.
    2. Re:Non standard VPNs still work by Jacco+de+Leeuw · · Score: 1
      Ipsec is my favorite. [...] It requires some downloads for windows machines,

      That does not have to be the case if your read this.

      --
      -------
      Warning: Slashdot may contain traces of nuts.
  5. Re:Linux/*BSD boxes. by innosent · · Score: 1, Informative

    I said "Assuming you need your entire local network to appear", as in "We have an office over here, and an office across town, and need them connected securely." For individual users at home, set up a server at the office, and have them connect a tunnel to that with a login and password (every recent OS lets you do this). In other words, bite my shiny metal ass.

    --
    --That's the point of being root, you can do anything you want, even if it's stupid.
  6. how can you believe anyone... by aminorex · · Score: 0, Flamebait

    how can you believe anyone who publishes a
    grey on white website is competent to swallow
    their own saliva, let alone secure your
    enterprise? or perhaps making an unreadable
    web page is part of their security strategy?
    it's steganography!

    --
    -I like my women like I like my tea: green-
  7. HTTPS != VPN by yabHuj · · Score: 4, Informative

    A "real" VPN gives you a full IP channel between the connected sites - whereas the HTTPS solutions only give you a terminal-server thingie. So this "second gen VPN" is not at all usable for Server2Server or Site2Site connections - only (human) Client2Server.

    Second problem is that the client itself does not authenticate properly against the server. Problem again for nun-human client (usually).

    1. Re:HTTPS != VPN by Anonymous Coward · · Score: 1, Interesting

      That is only partially true. Of course you are right about the site-to-site issue, but your second problem is not correct.
      The client can in some of these solution authenticate with client certificates, and username and password, against RADIUS, LDAP and whatnot. Some even offer multiple authentication stages.
      One product does terminal server, netbios, intranet web proxying and (windows client only, afaik it's active-x based) IP tunneling over SSL.
      I saw outlook to exchange natively over one of these tunnels, looks very promising.
      www.netilla.com

  8. This isn't an advertisement, is it? by Finni · · Score: 1
    Oddly enough, according to this article, Neoteris is one of a handful of SSL VPN companies that DOES have a product that "does it all". The others are Netilla and Aventail.

    The original poster isn't some marketing guy tying to raise awareness of his company's new product, is he?

  9. SSL VPN by moonboy · · Score: 2, Interesting

    My company is evaluating the Neoteris as well as a few other SSL (Secure Sockets Layer) VPN products. They essentially allow SSL sessions to be established over port 443 which allows for encryption of the data. From what I understand, to be able to take advantage of this VPN, applications have to be created/altered to run over SSL, so no they cannot "do it all". However, they do provide an excellent alternative for remote access. They are clientless in that the session is established using a standard web browser and the users already existing username/password login. There is no IPSec client to install and configure which removes (to a large extent) a lot of user issues.

    The SSL VPN is being seen as an alternative to the more traditional IPSec VPN for remote access. IPSec VPNs are still seen as the de facto standard for encrypted, secure site-to-site communications.

    --

    Co-founder and designer at Music Nearby: http://musicnearby.com
    1. Re:SSL VPN by IPAQ2000 · · Score: 2, Informative

      if your organization is like ours and 95% of the time you use the VPN for MS Exchange access, check out the HiPerExchange

      We have a netscreen 10 that has a VPN in it.. It was never implemented because the only access these
      people need is our exchange and the public folders. So there was no need to implement a VPN . and we use the Hiperexchnage and it even MSblaster proof

    2. Re:SSL VPN by Anonymous Coward · · Score: 0

      My organization is not like yours. My organization is not HiPerExchange.

    3. Re:SSL VPN by foolish · · Score: 1

      The reason that most of Neoteris' clients seem to be using it is for the same reason we are: the client doesn't have to be at their home/field machine, with a clear IPSec tunnel to the firewall.

      This is very attractive for field users, consultants (shudder) and obnoxious executives. They only have to remember a webaddress instead of "complicated" VPN setups. Have 443 access?, you're in.

      It is NOT a 100% or even in my estimation a 90% solution, but since it meets my 80-20 rule metric, it gets a nod.

      Personally, as the person who has to deal with the security complications this creates, I would rather have everyone come login locally. (can you say virus/security nightmare vectors?)

  10. SSL and man-in-the-middle by hey! · · Score: 1

    Hmmm. Isn't SSL vulnerable to man-in-the-middle attacks?

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    1. Re:SSL and man-in-the-middle by etcshadow · · Score: 3, Informative

      Well, the way you get around man-in-the-mddle, in general, is with some form of pre-shared secrets. If you use asymetric keys for your pre-shared secrets, then the only thing you actually have to worry about is the safe, unmolested, broadcast of public-keys.

      The last thing is that you can use a so-called "chain of trust" to safely broadcast public keys. All that you need is one public key on your computer that you absolutely trust, and then the holder of the matching private-key can "sign" other people's public keys (thus ensuring safe broadcast). This last is called a certificate authority (CA for short), and is the role that companies like verisign serve. You pay them to sign your public key, and then because I trust their key, I trust their signature, and I trust your public key. Now that I have your public key (and I know no one has messed with it in transit), and you have your private-key (and you know that no one else knows it), then we have a pre-shared secret, so we can't be man-in-the-middled.

      That's the basic deal. The most interesting thing about it is that there needs to be at least one completely vulnerble transfer of information (receiving the public-key of the certificate authority), and this is usually done when your OS (or web browser) is being installed, presumably from a safe copy on a disk or some such... but if someone "man-in-the-middled" that original transfer of information (how do you man-in-the-middle a disk? well, swap the disks, maybe) then they've totally got your ass.

      --
      :Wq
      Not an editor command: Wq
    2. Re:SSL and man-in-the-middle by Tony-A · · Score: 1

      but if someone "man-in-the-middled" that original transfer of information (how do you man-in-the-middle a disk? well, swap the disks, maybe)

      Hmmm,
      "Security Upgrade"
      Swap the disks AFTER THE FACT

      Performs normally on most original ....
      Recognizes "special" inputs such as sequence so that md5sum will report the specified value rather than computed value.
      Trust a hard-coded special certificate as well as the normal.

      Put the trojaned? executables into where backups are recovered from. Only later when recovery is made are the executables trojaned.

      Any Security Upgrade that uses its own installer is suspect. In fact any Security Upgrade is itself suspect. This is from someone so paranoid that I have systems with login and password writ large on the keyboard ;)

  11. Re:Linux/*BSD boxes. by duffbeer703 · · Score: 1

    Believe it or not, my employer looked into doing just that to allow employees to check email from home!

    --
    Conformity is the jailer of freedom and enemy of growth. -JFK
  12. Re:Linux/*BSD boxes. by Anonymous Coward · · Score: 0

    And then, six minutes later, your employer said, "Holy shit, that's a terrible idea! Email can be handled with IMAP over SSL. Problem solved."

    See? It all works out for the best.

  13. Big deal... by Anonymous Coward · · Score: 0

    I don't undestand what the big deal is with this - Cisco could easily create a java client that will work with their concentrators as well... Now will they do it? Maybe not, but just because it's java, it doesn't mean it's better. And from security perspective, just get an RSA/ACE server with SecuID tokens and you are done.

  14. True enough by phorm · · Score: 1

    What I've been trying to do is build a VPN-style bridge between my internal network and outside windows machines.

    So far, nothing in linux world seems to suit my needs, but the original principle was that I wanted to be able to tunnel my internal IPX/SPX connection (games) through TCP/IP on a VPN channel out to external machines.

    For games where I want to play against my friends LAN-style but without sometimes boggy servers such as battle.net etc it would be nice. It also helps get around CD-key issues (I have the original disk, but want to use 2+ machines on my end when people are over).

    I don't think the Java solution would cut it for this either, but perhaps somebody can offer a better solution (freeswan doesn't seem to do it, or I am using it wrong as well)

    1. Re:True enough by yabHuj · · Score: 2, Informative

      I guess ipxtunnel
      (http://www.linux.org/docs/ldp/howto/IP X-HOWTO-15. html) did not help you?

      Beware: most VPN solutions (IPSec, PPTP, ...) don't implement IPX - just IP.

    2. Re:True enough by phorm · · Score: 1

      Unfortunately no. I could use this to others using nix routers or whom had a local 'nix machine - but in my case I'm trying to tunnel my local IPX for windows machines through linux. Those on the other end don't have 'nix machines (just crappy windows ones), so they couldn't use this.

  15. Re:This isn't an advertisement, is it? by Bingo+Foo · · Score: 1
    The original poster isn't some marketing guy tying to raise awareness of his company's new product, is he?

    No, I'm not. I work for a medium-sized non-IT R&D lab, where Windows, Macs and various Unix/Linux machines are all well represented. We do have a unit from Neoteris to test for a month, but it isn't us end users who are testing it (yet).

    With respect to some of the things that are being brought up in this thread, Getting mail through is a given, but our IT department would be asking for serious trouble if they greenlighted this for supporting IMAP and SMB mounts alone. What I'm concerned about is that ssh with X forwarding, Vnc, and other more specialized (and more useful) things like iTunes music sharing might be overlooked in the process.

    --
    taken! (by Davidleeroth) Thanks Bingo Foo!
  16. Re:This isn't an advertisement, is it? by foolish · · Score: 1

    You can nail down the environment by user group. So they can or cannot connect to: SMB shares, web resources, ssh sessions, etc.

    They're getting more exotic in 3.2 and higher versions, allowing some NetBIOS activity and more of the traditional "Full Ride VPN".

    They're still struggling with WebDAV for some reason, but overall making very quick and positive progress.

    Also, once item of convenince is that it allows your field user to connect, even if they are doing so from behind a firewalled resource, 80/443 are generally available to people if they are on the net.

    If you've ever had to troubleshoot a thousand people's IPsec client connections, you know what a pain firewalls in the middle of the stream can wreck.

    Just some info.

  17. SSL and VPN's by freebase · · Score: 3, Interesting

    While I don't have direct experience with the product line mentioned in the question, I have implemented Aventail in the past, and am looking at them again for a project next year.

    For the most part, SSL VPN products differ from IPSEC VPN products in a fundamental way. SSL VPN products can best be imagined as reverse proxy servers that use SSL based encryption. Typically, it is the SSL VPN device that will be making connections to the "protected" network hosts, not the remote node. TCP sessions are maintained remote node to SSL device, and SSL device to "protected" host.

    IPSEC products can be imagined more as encrypted water hoses. A device (or client shim) intercepts traffic at the remote node, puts it in the hose (encrypted tunnel), and pushes it out to the IPSEC device at the protected network. TCP sessions are maintained remote node to "protected" host.

    Although the tunnel does normally imply some stateful translation, the session does not terminate on a tunnel device, unless that device is the remote node.

    Obviously SSL products are great for Web based applications. IPSEC products lend themselves best to site-to-site connectivity. The grey area between them is remote client situations.

    Which solution is better in the remote client (i.e. laptop in a hotel room, or at a client's site) really depends on the where and how the remote client is to be used.

    Many organizations don't allow IPSEC tunnels to be initiated from their internal network to an outside location.

    On the other hand, those same organizations (and many others) will allow outbound SSL traffic initiated from hosts on the internal network.

    --
    Sig??? I don't need no stinkin Sig!
    1. Re:SSL and VPN's by argent · · Score: 1

      The whole idea of calling an SSL tunnel a "VPN" connection is really abusive marketing.

      You used to be able to say "OK, that's a VPN, it's something that provides a virtual network connection, you get network layer access over it". Now it's "OK, that's a VPN, now is it a network connection or is it a middleware tunnel or a proxy?".

      Also, this produces a false dichotomy between "IPSEC" and "SSL". There are VPN technologies that aren't built on top of IPSEC (PPPoE, PPTP, etc). There are other virtual proxy techniques that should be classified alongside "SSL VPNs", such as SSH.

      This naming mess causes real problems. People "know" that "VPNs are secure", so encrypted remote access technologies that are just as secure and provide more limited access aren't allowed in a number of places where VPN access is just fine.

      Which is why the whole "SSL VPN" name game came from.

      Maybe I should just tell people I'm using an "SSH VPN" and have done with it.

  18. Cisco 3000 Series VPN Concentrators by doogles · · Score: 2, Informative

    You mention you had Cisco CVPN 5000 Series; did you not get your free CVPN 3000 Series? Cisco recognized that they axed the 5000s a little too quickly after they bought Compatible Systems and was giving customers free CVPN 3000s as replacements.

    The CVPN 3000 Series are nice; there are clients for just about every OS under the sun (Windows XP, 2000, Me/98, OS X, OS 8/9, Linux, Solaris) and it's a nice, centrally-managed solution where the client slaves everything from the head-end VPN Concentrator. Supports Split Tunneling, has a built in stateful firewall, and other goodies.

  19. secure remote access by penguin7of9 · · Score: 1

    If you want secure remote access through a web page, you can use an unsigned Java ssh and/or Java VNC applet. But that's the only thing you can do without significant problems (well, to the degree that Java itself isn't already a problem).

    For a true VPN, code running in the browser or invoked by the browser needs to get access to low-level networking, and there is no way in which that can be done without additional user intervention.

    In the simplest case, you may be able to create a signed Java applet, but that will not simply run, it will at least require permission from the user to do something unsafe, and telling your users to give Java applets that kind of permission is not a good idea. Also, the Java APIs for building this kind of software are pretty limited, and I doubt you can do a true VPN implementation in Java.

    Another choice would be ActiveX components. Again, they need to be signed and they require permission from the user. They could work in principle, but they only work for Windows. And you are probably going to have lots of support hassles anyway, with incompatibilities and software conflicts.

    I think applet-based SSH and VNC are useful. But if you want a real VPN, your best bet is to go with an open standard like IPsec and to use a simple, stand-alone application with a good GUI to both start up the network connection and the VPN. That way, your users get secure access with a single click. What more do you eant?

  20. Some info on another SSL VPN company by pcause · · Score: 1

    There are SSL solutions. Look at

    http://www.whalecommunications.com

    They have a nice paper explaining SSL VPN's. These provide access to applications from a remote location. As I understand it they do not provide connection for a remote PC to the intranet. You get control of which applications are made available to which users.

  21. Re:Linux/*BSD boxes. by Anonymous Coward · · Score: 0

    Haha! No... they decided that Outlook Web Access w/ exchange 5.5 was the way to go...

  22. i-Planet used to do this by garyebickford · · Score: 1

    At the time that Sun bought them (1999?), iPlanet did just this. It was realy great. The iPlanet server sat on the firewall, and was accessible via the web. Once you were authenticated according to whatever system your company used, you were provided links to the tools for which you were authorized.

    When you clicked on the link to a service (for example an NT server running SQL Server in San Jose) the iPlanet server downloaded to your workstation a java "netlet" that formed a secure tunnel between your workstation and the iPlanet server, which forwarded your access to the target service. You were seamlessly connected to your desired service.

    In the demo I saw we were able to access a variety of different applications, even including services that interfaced with applications on the user machine - like an IBM terminal app.

    Once Netscape server was renamed iPlanet, this product seems to have disappeared, though it was originally the entire point of iPlanet. I've long wondered why so. I thought it was great, because a road warrior could get access to internal systems from any internet connection anywhere via a secure pipe.

    I suppose writing the netlets could be problematic for a company that had a lot of different O.S. platforms, but most companies keep that to a minimum and iPlanet evidently had a good set of netlets predefined.

    I expect that any new tool like this would be done using the Web Services paradigm, which trades yet-another-layer for a nice separation of application design from network and interface design.

    --
    It's easier to be a result of the past, but more fun to be a cause of the future! http://www.spacefinancegroup.com/
    1. Re:i-Planet used to do this by Anonymous Coward · · Score: 0

      IPlanet still does. Now it is called Sun ONE Portal Server. It uses a Java applet that does port forwarding from the client. it is not a complete VPN, since there are things it cannot handle, however it does do arbitrary ports, and can run most applications on the client.

  23. Re:Linux/*BSD boxes. by shaitand · · Score: 1

    time to get a new employer, that's not saying much for your job security...

  24. I'm Calling You Out by Farley+Mullet · · Score: 1

    You, sir, are an astroturfer. Your user page shows that you have posted 6 comments on /., and each and every one of them contains a link to either the "hiperexchange.com" domain or the "seasidesw.com" domain.

    So either you're a HiPerExchange astroturfer, or you are the most devoted fan a MS Exchange utility ever had. YHL. HAND.

  25. very last post by Ruby+last+post · · Score: 1

    Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins, Grumpy Watkins,

    --
    Ruby Sleeps