Solved

Best practices Sonicwall firewall tz100 (latest os)

Posted on 2012-03-20
11
583 Views
Last Modified: 2012-08-13
Hi,

I installed a Sonicwall in my home-network and see my LAN network has Internet-access.

I would like to set different things:
- remove Internet access, allowing it only via proxy for most of my network devices
- set specific access to certain sites for specific devices (e.g. updates from a specific URL for the NAS)

Please advise on best practices: work with groups etc.?
Note that I want to move to VLANs, so I want to keep it as flexible as possible (might need to change IPs).
Question by:janhoedt
11 Comments
 
LVL 2

Expert Comment

by:exTechnology
ID: 37742254
For the proxy I would install a proxy server and point it to the Sonicwall, so that the users that enter the proxy IP in their IE settings can have Internet access; for all other PCs deny LAN > WAN.
I would also create groups for all protocols/ports that a specific software update service uses and then create one rule in the firewall from that machine's IP to the configured services.

Hope this helps
0
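As an added illustration of the rule layout suggested above (this is example code, not part of the thread or of any Sonicwall product): a first-match policy evaluator in Python where the rules reference address and service groups by name, so that renumbering for VLANs later only changes the object definitions, not the rules. All addresses, object names and the update host are constructed sample values.

```python
"""Added example: first-match firewall policy with named address/service
groups. Default deny LAN > WAN, allow only the proxy host out on web ports,
and allow the NAS to reach its update server on a defined service group.
All addressing below is constructed sample data (documentation ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

# Address objects: rules never name raw IPs, only these objects.
# Moving a host to a new VLAN/subnet means editing one entry here.
ADDRESS_OBJECTS = {
    "LAN_SUBNET": ["192.168.1.0/24"],
    "PROXY_HOST": ["192.168.1.10/32"],
    "NAS": ["192.168.1.20/32"],
    "NAS_UPDATE_SERVER": ["203.0.113.50/32"],  # placeholder update host
    "ANY": ["0.0.0.0/0"],
}

# Service objects and groups (protocol, port); "any" matches everything.
SERVICE_OBJECTS = {
    "HTTP": [("tcp", 80)],
    "HTTPS": [("tcp", 443)],
    "DNS": [("udp", 53), ("tcp", 53)],
    "ANY": [("any", None)],
}
SERVICE_GROUPS = {
    "WEB": ["HTTP", "HTTPS"],
    "NAS_UPDATE": ["HTTP", "HTTPS", "DNS"],
}


@dataclass
class Rule:
    name: str
    src: str      # address object name
    dst: str      # address object name
    service: str  # service object or group name
    action: str   # "allow" or "deny"


# Ordered policy, first match wins: specific allows first, broad deny last.
POLICY: List[Rule] = [
    Rule("proxy-out", "PROXY_HOST", "ANY", "WEB", "allow"),
    Rule("nas-update", "NAS", "NAS_UPDATE_SERVER", "NAS_UPDATE", "allow"),
    Rule("lan-default-deny", "LAN_SUBNET", "ANY", "ANY", "deny"),
]


def _addr_matches(obj: str, ip: str) -> bool:
    """True if ip falls inside any network of the named address object."""
    return any(ip_address(ip) in ip_network(net) for net in ADDRESS_OBJECTS[obj])


def _svc_matches(obj: str, proto: str, port: int) -> bool:
    """Resolve a service group (or single object) and test proto/port."""
    for name in SERVICE_GROUPS.get(obj, [obj]):
        for p, prt in SERVICE_OBJECTS[name]:
            if p == "any" or (p == proto and prt == port):
                return True
    return False


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (action, rule_name) for a LAN > WAN flow; implicit deny if no rule hits."""
    for rule in POLICY:
        if (_addr_matches(rule.src, src_ip)
                and _addr_matches(rule.dst, dst_ip)
                and _svc_matches(rule.service, proto, port)):
            return rule.action, rule.name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    # Constructed sample flows: proxy browsing, NAS update, a normal PC, proxy on SMTP.
    for flow in [("192.168.1.10", "198.51.100.7", "tcp", 443),
                 ("192.168.1.20", "203.0.113.50", "tcp", 443),
                 ("192.168.1.30", "198.51.100.7", "tcp", 80),
                 ("192.168.1.10", "198.51.100.7", "tcp", 25)]:
        print(flow, "->", evaluate(*flow))
```

The last sample flow shows why the proxy rule is tied to a WEB service group rather than ANY: a compromised proxy host still cannot open arbitrary outbound ports, and only the NAS can reach its update server directly.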
 
LVL 16

Accepted Solution

by:
Syed_M_Usman earned 500 total points
ID: 37746524
You have many options; the ones below are drawn in the attached drawing (Best practices Sonicwall firewall tz100).
I don't understand the reason for using a proxy? You can achieve almost all of the above using SNA. You can use Content Filtering for URL filtering.
0
 
LVL 3

Expert Comment

by:Konsultant
ID: 37748578
The Sonicwall TZ100 offers great UTM; most likely you do not need a proxy unless you want caching of the pages. Sonicwall cannot do that. As per the previous post you have a few options. Read about SSO, you may like it to give access to specific users or user groups. It requires AD!

For the home network you can use static IPs on your home computers and build ACL on the sonicwall allowing or denying access for LAN to WAN.

Sonicwall supports only 5 VLANs; you will need an L2 switch that can support VLANs and trunking.
You are looking at another $300-$500.

It is difficult to provide "Best practices" as I do not understand all requirements. Good thing is that sonicwall is pretty flexible and most likely you will be able to build a nice solution for the house.

Good luck!
0
 

Author Comment

by:janhoedt
ID: 37804946
I'd need a proxy for remote VPN users to connect to the Internet, or can I solve this differently? I'm not using the Sonicwall VPN but OpenVPN, since I have more options (portable OpenVPN client etc.).
0
 
LVL 3

Expert Comment

by:Konsultant
ID: 37806979
Hi,

I do not think you need any proxy to connect remote VPN users to the Internet. They are usually already on the Internet when they are connecting to your head office. You may however give up split tunnel and have all traffic generated by them scanned by the Sonicwall.

I do not know much about Openvpn-client as most of my customers are commercial institutions and can not afford any security related open technology. Sonicwall offers IPsec VPN with GVC - Windows only, SSLVPN - Windows, Linux, MAC. Mobile Connect (SRA1200) for tablets,  etc and L2TP for everything else. All this with advantage of your gateway security services.

To the PROXY comment. Unless you have a very poor Internet connection, the need for a caching proxy does not exist in modern IT. I do not remember when I saw a proxy server last time, and I am 43 ;-) The UTM offers more features and deals with more protocols than any proxy server in the past. Take a look at Sonicwall's Application Control and Visualization along with URL filtering; this is most likely what you are looking for. You will need NSA 220 or up to have it.

Another thing that your client will appreciate is reporting with Analyzer. You will be able to justify that the money was well spent.

I hope this answers your questions. If not do not hesitate to contact me.

Good luck!
0
 

Author Comment

by:janhoedt
ID: 37809854
Regarding the proxy: I'd be happy not to use it. However, when I want remote users to use the Internet of the remote location, NOT the one they are connected with through the Internet (and that IS what I want), I don't see another option than setting a proxy in Internet Explorer/browser. If you have other suggestions to achieve this, please advise.
0
 
LVL 3

Expert Comment

by:Konsultant
ID: 37813845
This is simple. Then kill your "split tunnel" and have them browse through the Sonicwall at the head office. Keep in mind that you have to sort out your DNS and VPN -> WAN ports, so you limit their access. I had clients who got RBL'd because someone at home had a mass mailer and was using the office IP to blast spam. Also, this connection will put some overhead on your ISP at the head office.

Otherwise it works out of the box.

Good luck!

Tom
0
 

Author Comment

by:janhoedt
ID: 37833218
Not an option. I need the remote users to be able to choose between remote location or vpn location to surf. They should be able to surf both networks.
0
 
LVL 3

Expert Comment

by:Konsultant
ID: 37834011
Then I guess you need your proxy server. You are looking at technology from M86, etc. Keep in mind that you will have to lock down the workstation so users cannot change proxy settings on the browser or install any other browsers (portable apps).
I understand what you are trying to achieve. It is difficult, and it will cost some money and require a lot of work.
Perhaps you can look at SOPHOS AV; they offer some URL filtering for remote users. Nothing special, since it is the first version of the product with this feature, but it may work for you.

Let me know what you think about it.
0
 

Author Comment

by:janhoedt
ID: 37837479
Installed Squid proxy a long time ago and it works fine. Not that easy to configure but it does work correctly. Just wanted to be sure/double-check that I really need the proxy.
0
 
LVL 3

Expert Comment

by:Konsultant
ID: 37838434
Squid will work, but you need to know what you are doing and this thing requires a lot of attention. If your client is willing to pay for it, then it makes sense. Also, keep in mind that threats are coming over other channels as well and the AV / URL filtering may not be able to pick them up.
I am not sure how good the URL list on the Squid server is. I know that it uses some open source thing. Usually you pay some money for it. Unless you use the Sonicwall as your URL/AV filter for the Squid server.
Also, users will be able to run other browsers, circumventing your solution.

Anyway, good luck!
0