Setting up firewall rules for a remote VPN site to site connection

Whilst I work on getting the VPN connection going, I'm wondering what firewall rules I will need to protect my internal network from the remote site.

I have 3 zones on the SonicWall I'm using: WAN, LAN and VPN. The WAN->LAN is set to deny everything (I'm not sure whether anything from the outside needs to come back in?).

For the VPN, what kind of draconian rules can I have? I presume I cannot deny everything. I'm mainly using the VPN to Remote Desktop to servers, FTP onto internal machines and use TFS source safe. Sometimes I connect to Windows shares there to copy details.

Do any of the above activities require traffic from the VPN back in to my LAN?

I'm a little uncertain how firewalls work in this case. So to bring back FTP data, would I need to open FTP ports back to my LAN?

Many thanks in advance
Paul
paulinventome asked:
Blue Street Tech (Last Knight) commented:
Sorry, this one slipped through the cracks.

Yes, you are correct and moreover the only way that I know to achieve this is really with Windows permissions, but regardless they will have access to both networks hence the VPN connectivity. However, in theory, you might be able to do this if you are using SSO with SonicWALL or at least having all users authenticate on the SonicWALL and thereby limiting who has access to the tunnel that way. I say in theory because I have not done this in practice.

Let me know if you have any other questions!
Blue Street Tech (Last Knight) commented:
Hi paulinventome,

Diagram:
SonicWALL A (Central Site) <----VPN----> SonicWALL B (Remote Site)

If you want to narrow the scope of what the Remote Site can have access to, then all you need to do is set up the Address Object for whatever resources they need access to. If only one server, then isolate to that, or if a group, then create an Address Object Group. Then in the VPN Policy select the group or Object from the "Choose local network from list" drop-down list under Local Networks in the Network tab. This would allow Any Services across to the specified resource listed in your Address Object(s). If you want to narrow that down, you can by creating a Service Object Group (FTP, RDP, etc.) and modifying the VPN > LAN Access Rule: instead of Any, select the Service Object Group you created.

Make sense?
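As an added illustration (not code from this thread or from SonicWALL), here is a small Python model of the zone-based, stateful rule set the answer above describes: LAN > VPN allows only a listed Address Object Group of remote servers on a Service Object Group (RDP, FTP control, SMB), VPN > LAN and WAN > LAN deny all inbound initiations, and replies to an allowed session are matched by the connection table rather than by any rule. The subnets, server addresses and service group are constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed example: zones and objects are assumptions, not the asker's real addressing.
LAN_NET = ip_network("10.1.0.0/24")   # central site LAN (behind SonicWALL A)
VPN_NET = ip_network("10.2.0.0/24")   # remote site LAN reached through the tunnel
# Hypothetical Address Object Group: the only remote hosts the LAN may initiate to.
REMOTE_SERVERS = {ip_address("10.2.0.10"), ip_address("10.2.0.11")}
# Hypothetical Service Object Group: RDP, FTP control channel, SMB file sharing.
ADMIN_SERVICES = {("tcp", 3389), ("tcp", 21), ("tcp", 445)}


def zone_of(ip: str) -> str:
    """Classify an address into the three zones named in the question."""
    addr = ip_address(ip)
    if addr in LAN_NET:
        return "LAN"
    if addr in VPN_NET:
        return "VPN"
    return "WAN"


@dataclass
class ZoneFirewall:
    # Session table keyed by the initiating 5-tuple of every allowed connection.
    sessions: set = field(default_factory=set)

    def rule_allows(self, src: str, dst: str, proto: str, dport: int) -> bool:
        """Access rules per zone pair; anything not listed is denied (default deny)."""
        pair = (zone_of(src), zone_of(dst))
        if pair == ("LAN", "VPN"):
            # LAN > VPN: only the listed servers, only the admin services.
            return ip_address(dst) in REMOTE_SERVERS and (proto, dport) in ADMIN_SERVICES
        # VPN > LAN and WAN > LAN: no inbound initiations at all.
        return False

    def packet(self, src: str, sport: int, dst: str, dport: int, proto: str = "tcp") -> str:
        """Stateful check: a reply to an allowed session passes without any VPN > LAN rule."""
        if (dst, dport, src, sport, proto) in self.sessions:
            return "allow (reply)"
        if self.rule_allows(src, dst, proto, dport):
            self.sessions.add((src, sport, dst, dport, proto))
            return "allow"
        return "deny"
```

Active-mode FTP, where the remote server opens the data connection back towards the client, is denied by this policy unless the firewall runs an FTP application-layer helper; passive mode keeps every connection client-initiated and needs no port opened back into the LAN.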
paulinventome (Author) commented:
Let me double check.

If I have my main workstation, which is accessing the remote site via the VPN connection, how do I lock down access back to my workstation? Is it a case of ensuring that Windows sharing etc. is turned off on the workstation itself?

I understand that I can limit the scope of the tunnel to a smaller set of address objects rather than my entire network range, but that policy has to be updated on the other side, otherwise the VPN tunnel won't match (in other words I have to decide now which machines can access the tunnel, where I want the ability for any workstation I have to potentially get there).

Really I want the tunnel active for my entire network range, but I want to protect against someone on the other side getting back into my network.

So the idea of denying traffic from the VPN to my LAN may prevent me from accessing the servers on the other side? Is that the case?

thanks
paul
Blue Street Tech (Last Knight) commented:
Glad I could help...thanks for the points!