Solved

Setting up firewall rules for a remote VPN site to site connection

Posted on 2013-11-15
439 Views
Last Modified: 2013-12-18
Whilst I work on getting the VPN connection going, I'm wondering what firewall rules I will need to protect my internal network from the remote site?

I have 3 zones off the SonicWall I'm using: WAN, LAN and VPN. The WAN->LAN is set to deny everything (I'm not sure whether anything from the outside needs to come back in?)

For the VPN, what kind of draconian rules can I have? I presume I cannot deny everything? I'm mainly using the VPN to Remote Desktop to servers, FTP onto internal machines and use TFS source safe. Sometimes I connect to Windows shares there to copy details.

Do any of the above activities require traffic from the VPN back in to my LAN?

I'm a little uncertain how firewalls work in this case. So to bring back FTP data, would I need to open FTP ports back to my LAN?

Many thanks in advance
Paul
Question by:paulinventome
4 Comments
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39650497
Hi paulinventome,

Diagram:
SonicWALL A (Central Site) <----VPN----> SonicWALL B (Remote Site)

If you want to narrow the scope of what the Remote Site can have access to, then all you need to do is set up the Address Object for whatever resources they need access to. If only one server, then isolate to that, or if a group, then create an Address Object Group. Then in the VPN Policy select the group or Object from the "Choose local network from list" drop-down list under Local Networks in the Network tab. This would allow Any Services across to the specified resource listed in your Address Object(s). If you want to narrow that down, you can by creating a Service Object Group (FTP, RDP, etc.) and modifying the VPN > LAN Access Rule: instead of Any, select the Service Object Group you created.

Make sense?
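To make the narrowing described above concrete, here is an added example (not from the post, not SonicWall code) that models a zone-based access-rule check. Address objects, groups, IPs and ports are constructed for illustration, and the first-match-wins, implicit-deny evaluation is an assumed simplified model rather than vendor behaviour.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

# Constructed address objects: the servers the remote site may reach, plus the whole LAN.
ADDRESS_OBJECTS = {
    "TFS Server": [ip_network("10.0.1.10/32")],
    "File Server": [ip_network("10.0.1.20/32")],
    "LAN Subnet": [ip_network("10.0.0.0/16")],
}
ADDRESS_GROUPS = {"Remote-Reachable Servers": ["TFS Server", "File Server"]}
# Service object groups: None means "Any" (every protocol/port).
SERVICE_GROUPS = {
    "Any": None,
    "Remote Access Services": {("tcp", 21), ("tcp", 3389)},  # FTP control, RDP
}

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    dest: str      # address object or address object group name
    service: str   # service object group name
    action: str

def _dest_networks(name):
    members = ADDRESS_GROUPS.get(name, [name])
    return [net for m in members for net in ADDRESS_OBJECTS[m]]

def evaluate(rules, src_zone, dst_zone, dst_ip, proto, port):
    """Return the action of the first rule matching this zone pair, destination
    and service; no match means deny (assumed simplified firewall model)."""
    for r in rules:
        if (r.src_zone, r.dst_zone) != (src_zone, dst_zone):
            continue
        if not any(ip_address(dst_ip) in net for net in _dest_networks(r.dest)):
            continue
        allowed = SERVICE_GROUPS[r.service]
        if allowed is not None and (proto, port) not in allowed:
            continue
        return r.action
    return "deny"

# Wide-open VPN > LAN rule: Any service to the entire LAN subnet.
OPEN_RULES = [Rule("VPN", "LAN", "LAN Subnet", "Any", "allow")]
# Narrowed rule as the comment suggests: FTP/RDP only, and only to the named servers.
NARROW_RULES = [Rule("VPN", "LAN", "Remote-Reachable Servers",
                     "Remote Access Services", "allow")]
```

The model only evaluates the VPN > LAN zone pair; LAN > VPN traffic is a separate rule set and is not restricted by these rules.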
 

Author Comment

by:paulinventome
ID: 39650520
Let me double check.

If I have my main workstation, which is accessing the remote site via the VPN connection, how do I lock down access back to my workstation? Is it a case of ensuring that Windows sharing etc. is turned off on the workstation itself?

I understand that I can limit the scope of the tunnel to a smaller set of address objects rather than my entire network range, but that policy has to be updated on the other side, otherwise the VPN tunnel won't match (in other words, I have to decide now which machines can access the tunnel, where I want the ability for any workstation I have to potentially get there).

Really I want the tunnel active for my entire network range, but I want to protect against someone on the other side getting back into my network.

So the idea of denying traffic from the VPN to my LAN may prevent me from accessing the servers on the other side? Is that the case?

Thanks
Paul
 
LVL 25

Accepted Solution

by: Diverse IT (earned 500 total points)
ID: 39718612
Sorry, this one slipped through the cracks.

Yes, you are correct and moreover the only way that I know to achieve this is really with Windows permissions, but regardless they will have access to both networks hence the VPN connectivity. However, in theory, you might be able to do this if you are using SSO with SonicWALL or at least having all users authenticate on the SonicWALL and thereby limiting who has access to the tunnel that way. I say in theory because I have not done this in practice.

Let me know if you have any other questions!
 
LVL 25

Expert Comment

by:Diverse IT
ID: 39727619
Glad I could help...thanks for the points!
