
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2137

How to connect two firewalls?

We need to build a link from our firewall (Subnet A) to the firewall of a partner company (Subnet B).
Because the physical distance is short, just about one meter, we are going to link
them via a switch or directly with an Ethernet cable.

Requirements:
- Some users from the partner company will stay at our company and need to access the DC or file servers/printers at Subnet B (partner company)
- Some users from Subnet A need to access printers or file servers at Subnet B
- Other unnecessary ports/services must be blocked due to security concerns.

Environment:
Both firewalls are Juniper SSG5.
Firewall zone design:
[Image: Firewall Zone design]
Is there anything I should take care of in the attached design?
Thank you.

Asked by: dickchan

1 Solution
DIPRAJ commented:
1. Best you go for a site-to-site IPsec VPN.
2. You need to have a static IP (public IP) on both firewalls.
3. If you have a static IP on both sites then you should go for a site-to-site VPN in ACTIVE-ACTIVE mode; in active-active mode both sites will dial.
4. If you have one site with a dynamic IP and the other site with a static IP then you should go for ACTIVE-PASSIVE mode. The dynamic-IP site will be in active mode and will dial the other one.
5. For accessing a server from outside, go for static NAT (you should have a static IP). Your server's local IP will be given to the NIC, but anyone who wants to access it from outside will type the static IP of that site in his browser and will be able to access the server.
6. Printing from a different subnet will not be an issue. Take access to that particular server and add the printer from the Add Printer wizard; if you have a network printer it will be easier to access it through the VPN.

Please revert if any point was missed out or any clarification is required.
0
 
Qlemo (C++ Developer) commented:
No need for any VPN or public IPs here, as long as the switch is dedicated for A <-> B traffic. That is just overkill.

I would use another zone, not Untrust, for the Intersite traffic (I will call that "Intersite" now).
Define a deny all policy for Trust to Intersite (optionally, but good for debugging if you switch on session logging).
Then define policies for the exceptions; if necessary, define the related policy objects such as addresses and services.
Create a route on each SSG for the other network using the 10.10.21.0/24 interface.

That should be all. No NAT will be applied that way.
0
 
dickchan (Author) commented:
Dear Qlemo,
What is the difference between using the Untrust zone and a trusted zone with a deny-all policy?

Can the SSG5 add a new zone without affecting existing settings? As far as I know, adding a new zone on a
NetScreen firewall (old models such as the n50) needs a reset of all settings.
0
 
dickchan (Author) commented:
Could we use a crossover LAN cable to connect two firewalls directly, without a switch?
0
 
Qlemo (C++ Developer) commented:
Yes, you can use a cross-over cable for connecting the SSGs.

There is a fixed handling of traffic passing Trust to Untrust or Untrust to Trust regarding NAT. Every other zone transition needs to have NAT defined in the related policy for NAT to work. The other side of that is that you can't suppress NAT for Trust <-> Untrust - and that is the important part here.

Untrust is exactly that - not trusted, and traffic is first of all "suspicious with exceptions".

Adding new zones (if you can do that - the amount of zones you can use depends on the model and firmware release, SSG5 has 10 zones available AFAIK) does not require you to reset anything.
0
 
dickchan (Author) commented:
I will use the cross-over cable method,
and add a new trusted zone with a deny-all policy.

Subnet A 10.10.20.0/24 <-> SSG A 192.168.0.1/24, default gateway 192.168.0.2/24
                             <- cross-over cable ->
Subnet B 10.10.22.0/24 <-> SSG B 192.168.0.2/24, default gateway 192.168.0.1/24

Is that OK?
0
 
Qlemo (C++ Developer) commented:
You should not define a default gateway. Instead, create a specific route to the other site, as I described above.
0
