How to connect two firewalls?

We need to build a link from our firewall (Subnet A) to the firewall of a partner company (Subnet B).
Because the physical distance is short, just about one meter, we are going to link
them via a switch or directly with an Ethernet cable.

Requirements:
- Some users from the partner company will stay at our company and need to access the DC or file servers/printers at Subnet B (partner company)
- Some users from Subnet A need to access printers or file servers at Subnet B
- Other unnecessary ports/services must be blocked due to security concerns.

Environment:
Both firewalls are Juniper SSG5.
Firewall zone design:
[Image: Firewall Zone design]
Is there anything I should take care of in the attached design?
Thank you.

dickchan Asked:

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
No need for any VPN or public IPs here, as long as the switch is dedicated for A <-> B traffic. That is just overkill.

I would use another zone, not Untrust, for the Intersite traffic (I will call that "Intersite" now).
Define a deny all policy for Trust to Intersite (optionally, but good for debugging if you switch on session logging).
Then define policies for the exceptions, if necessary define the related policy objects like addresses and services.
Create a route on each SSG for the other network using the 10.10.21.0/24 interface.

That should be all. No NAT will be applied that way.

DIPRAJ Commented:
1. Best you go for a site-to-site IPsec VPN.
2. You need to have a static IP (public IP) on both firewalls.
3. If you have a static IP on both sites, then you should go for a site-to-site VPN in ACTIVE-ACTIVE mode;
in active-active mode both sites will dial.
4. If you have a dynamic IP on one site and a static IP on the other site, then you should go for ACTIVE-PASSIVE mode; the dynamic IP site will be in active mode and will dial the other one.
5. For accessing a server from outside, go for static NAT (you should have a static IP). Your server's local IP will be given to the NIC, but anyone who wants to access it from outside will type the static IP of that site in his browser and will be able to access the server.
6. Printing from a different subnet will not be an issue: take access to that particular server and add the printer from the Add Printer wizard. If you have a network printer, then it will be easier to access it through the VPN.

Please revert if any point is missed out or any clarification is required.

dickchan (Author) Commented:
Dear Qlemo,
What is the difference between using the Untrust zone and a trusted zone with a deny-all policy?

Could the SSG5 add a new zone without affecting existing settings? As far as I know, adding a new zone on a
Netscreen firewall (old models such as the n50) required resetting all settings.

dickchan (Author) Commented:
Could we use a crossover LAN cable to connect two firewalls directly, without a switch?

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Yes, you can use a cross-over cable for connecting the SSGs.

There is a fixed handling of traffic passing Trust to Untrust or Untrust to Trust regarding NAT. Every other zone transition needs to have NAT defined in the related policy for having NAT work. The other side of that is that you can't suppress NAT for Trust <-> Untrust - and that is the important part here.

Untrust is exactly that - not trusted, and traffic is first of all "suspicious with exceptions".

Adding new zones (if you can do that - the amount of zones you can use depends on the model and firmware release, SSG5 has 10 zones available AFAIK) does not require you to reset anything.

dickchan (Author) Commented:
I will use the cross-over cable method,
and add a new trusted zone with a deny-all policy.

10.10.20.0/24 <-> 192.168.0.1/24, default gateway 192.168.0.2/24
  <- cross-over cable -> 192.168.0.2/24, default gateway 192.168.0.1/24 <-> 10.10.22.0/24

Is that OK?

Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
You should not define a default gateway. Instead, create a specific route to the other site, as I described above.
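As an added illustration of Qlemo's recommendations (a separate zone instead of Untrust, exceptions first and a logged deny-all, and a specific route rather than a default gateway), here is what the ScreenOS CLI on firewall A could look like. This is example configuration written for this thread, not something posted by Qlemo or taken from Juniper documentation. The LAN subnets 10.10.20.0/24 and 10.10.22.0/24 and the 10.10.21.0/24 link network come from the thread; the interface name ethernet0/2, the link addresses 10.10.21.1/.2, the zone name "Intersite", the object names and the custom services are assumptions. Lines starting with # are annotations for the reader, not CLI commands.

```screenos
# --- Firewall A (Subnet A side) ---
# Assumed: ethernet0/2 is used for the cross-over cable. On an SSG5 the
# Trust ports are in bgroup0 by default, so release the port first.
unset interface bgroup0 port ethernet0/2

# 1. A dedicated zone for the partner link, so the fixed Trust<->Untrust NAT
#    behaviour never applies to this traffic.
set zone name "Intersite"
set interface ethernet0/2 zone "Intersite"
set interface ethernet0/2 ip 10.10.21.1/24

# 2. Address objects (assumed names; subnets from the thread).
set address "Trust" "LAN-A" 10.10.20.0 255.255.255.0
set address "Intersite" "LAN-B" 10.10.22.0 255.255.255.0

# 3. Custom services for exactly what the requirements need (file sharing and
#    raw printing). Predefined service names differ between releases, so the
#    ports are spelled out here. Domain-controller access would need its own
#    entries (Kerberos, LDAP, DNS, RPC) added to the same group.
set service "SMB-445" protocol tcp src-port 0-65535 dst-port 445-445
set service "PRINT-RAW" protocol tcp src-port 0-65535 dst-port 9100-9100
set group service "Partner-Allowed"
set group service "Partner-Allowed" add "SMB-445"
set group service "Partner-Allowed" add "PRINT-RAW"

# 4. Policies are matched top-down: the narrow permit comes first, then a
#    logged deny-all in each direction. Return traffic for the permitted
#    sessions is handled by the stateful session table, so no permit from
#    Intersite to Trust is needed for the stated requirements.
set policy id 10 from "Trust" to "Intersite" "LAN-A" "LAN-B" "Partner-Allowed" permit log
set policy id 20 from "Trust" to "Intersite" "Any" "Any" "ANY" deny log
set policy id 21 from "Intersite" to "Trust" "Any" "Any" "ANY" deny log

# 5. A specific route to the partner LAN over the link; no default gateway
#    is pointed at the partner, so unrelated traffic keeps using Untrust.
set route 10.10.22.0/24 interface ethernet0/2 gateway 10.10.21.2

save
```

Firewall B mirrors this with the roles swapped: its link interface gets 10.10.21.2/24 in its own "Intersite" zone, its route is `set route 10.10.20.0/24 interface ethernet0/2 gateway 10.10.21.1`, and its policies permit only what partner users on Subnet A are meant to reach. With session logging on the deny policies (`get log traffic` or the policy's own log view), anything blocked shows up immediately, which is the debugging benefit Qlemo mentions.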