?
Solved

Allow guest access on branch VPN?

Posted on 2011-09-12
8
Medium Priority
?
364 Views
Last Modified: 2012-05-12
Hello Experts,

We are currently setting up a branch VPN using the following hardware:

SonicWALL NSA 240 @ Main Site
SonicWALL TZ 100 @ Branch Site

The Branch site is only going to be used to replicate our incremental backups after an initial full backup is taken onsite.  However, the "Branch Office" is going to be at our President's home.  In this scenario, what is the best way to secure the "Branch Office" against home internet traffic?  I've already seen his children infect several PCs with all kinds of Malware.  I don't want to take that chance with our corporate network.  The original plan was to get a seperate internet connection all together.  Is that absolutely necessary?
0
Comment
Question by:2_under_par
  • 4
  • 3
8 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 36523514
What hosts will need to be accessed over the VPN? If it's just the President's workstation as he access it via RDP, then you'd only need to allow that IP address and port over the VPN.
0
 

Author Comment

by:2_under_par
ID: 36523536
Only the President's PC and a NAS Device will need access to the VPN.
0
 
LVL 6

Accepted Solution

by:
-tjs earned 750 total points
ID: 36523544
Aside from the fact that since the branch office is "untrusted" and therefore you can't really trust anything coming out of the environment, you could make it slightly more difficult for traffic to enter your main office "accidentally".  You should be able to configre the sonicwall(s) to allow traffic from only one or more IP addresses in the brach office to reach the main office.  You could also put a separate hub/switch/access point in the branch office and run a separate network, and plug that separate network into the sonicwall.

A second internet connection should not be required.
0
Managing Security & Risk at the Speed of Business

Gartner Research VP, Neil McDonald & AlgoSec CTO, Prof. Avishai Wool, discuss the business-driven approach to automated security policy management, its benefits and how to align security policy management with business processes to address today's security challenges.

 
LVL 33

Expert Comment

by:digitap
ID: 36523583
So, from president's home his workstation and a NAS, right? What about access from the other direction?
0
 

Author Comment

by:2_under_par
ID: 36523713
So, from president's home his workstation and a NAS, right? What about access from the other direction?

Only His workstation needs full access to our main network @ Branch.  

Then, since we're replicating existing backups to the NAS @ the Branch Office, we simply need to copy backups from one NAS @ the main office to a 2nd NAS @ Branch Office.  

Question...  If setting up a second network that plugs into the SonicWall @ Branch, as tjs suggested, would setting that as the exact same subnet as the one at the MAIN office restrict traffic?  
Main Office subnet = 192.168.1.1
Branch Office subnet = 192.168.0.1
President's personal router @ Branch = 192.168.1.1
0
 
LVL 33

Expert Comment

by:digitap
ID: 36523766
What will restrict traffic are firewall rules. I'd not recommend configuring the subnets the same. This will be a nightmare to configure over the VPN. If the traffic is trusted and goes through the sonicwall, then there will be no restrictions. The more complex you setup the networks, the harder it will be to control the traffic. I'd still recommend setting up firewall rules restricting what hosts were allowed to talk to each other over the VPN.
0
 

Author Comment

by:2_under_par
ID: 37455615
SonicWall was extremely helpful when trying to accomplish this.  We wound up placing the President's home wireless router in a DMZ.  All traffic was then seperate.  I wish I could provide more details, but it took about 3 hours for them to finally get it working.  My attention was a bit strained at that point.  
0
 

Author Closing Comment

by:2_under_par
ID: 37455628
Answered the question that the 2nd Internet Connection is not necessary.
0

Featured Post

The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Have a Cisco router that you forgot the password or maybe you bought a used router that is locked with a password? This article will guide you through the steps on how to recover the password on your Cisco gear.
In short, I will be giving a guide on how to install UNMS on a virtual machine in hyper-v and change the default port for security (you don’t need to have a server, since Windows 10 supports hyper-v)
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question