Setting up firewall rules for a remote VPN site-to-site connection

paulinventome asked:

Whilst I work on getting the VPN connection going I'm wondering what firewall rules I will need to protect my internal network from the remote site?

I have 3 zones off the SonicWall I'm using: WAN, LAN and VPN. The WAN->LAN is set to deny everything (I'm not sure whether anything from the outside needs to come back in?).

For the VPN, what kind of draconian rules can I have? I presume I cannot deny everything? I'm mainly using the VPN to Remote Desktop to servers, FTP onto internal machines and using TFS source safe. Sometimes I connect to Windows shares there to copy details.

Do any of the above activities require traffic from the VPN back in to my LAN?

I'm a little uncertain how firewalls work in this case. So to bring back FTP data, would I need to open FTP ports back to my LAN?

Many thanks in advance
Paul
Blue Street Tech:

Hi paulinventome,

Diagram:
SonicWALL A (Central Site) <----VPN----> SonicWALL B (Remote Site)

If you want to narrow the scope of what the Remote Site can have access to, then all you need to do is set up an Address Object for whatever resources they need access to. If only one server, then isolate to that; if a group, then create an Address Object Group. Then in the VPN Policy select the Group or Object from the "Choose local network from list" drop-down list under Local Networks in the Network tab. This would allow Any Services across to the specified resource(s) listed in your Address Object(s). If you want to narrow that down further, you can by creating a Service Object Group (FTP, RDP, etc.) and modifying the VPN > LAN Access Rule so that instead of Any it selects the Service Object Group you created.

Make sense?
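The scoping Blue Street Tech describes above (an Address Object or Group for the local hosts the remote site may reach, a Service Object Group on the VPN > LAN rule, deny for everything else) can be modelled to see what it does to each kind of traffic Paul mentions. The Python below is an added example, not code from the original thread and not SonicWall's implementation: a simplified zone-based rule engine with a connection table, using constructed object names, subnets and ports. It shows that responses to sessions the LAN initiated come back through the tunnel even though unsolicited VPN > LAN traffic is denied, that a scoped VPN > LAN allow rule admits only the listed servers on the listed services, and the one case a plain stateful engine does not cover, active-mode FTP, where the remote server opens a new connection back toward the client.

```python
# Conceptual model of zone-based, stateful firewall rules for a site-to-site VPN. Constructed
# example: object names, subnets and rules are made up; this is not SonicWall's implementation.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address Objects / Groups (constructed sample ranges)
ADDRESS_OBJECTS = {
    "Any": ["0.0.0.0/0"],
    "LAN Subnet": ["192.168.10.0/24"],
    "Remote Site Subnet": ["192.168.20.0/24"],
    "Local Servers": ["192.168.10.50/32", "192.168.10.51/32"],  # the only LAN hosts the remote site may reach
}
# Service Objects as (protocol, destination port); Service Object Groups list members, "Any" matches all
SERVICE_OBJECTS = {"RDP": ("tcp", 3389), "FTP Control": ("tcp", 21), "SMB": ("tcp", 445)}
SERVICE_GROUPS = {"Any": None, "Remote Access Services": ["RDP", "FTP Control", "SMB"]}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    source: str   # Address Object/Group name
    dest: str     # Address Object/Group name
    service: str  # Service Object/Group name
    action: str   # "allow" or "deny"


def addr_matches(obj_name: str, ip: str) -> bool:
    return any(ip_address(ip) in ip_network(net) for net in ADDRESS_OBJECTS[obj_name])


def service_matches(name: str, proto: str, port: int) -> bool:
    if name in SERVICE_OBJECTS:
        return SERVICE_OBJECTS[name] == (proto, port)
    members = SERVICE_GROUPS[name]
    return members is None or any(SERVICE_OBJECTS[m] == (proto, port) for m in members)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.sessions = set()  # 5-tuples of connections a rule has permitted

    def evaluate(self, pkt: Packet) -> str:
        # 1. A reply to an already-permitted session passes regardless of the VPN->LAN
        #    rules: this is what brings RDP/FTP/SMB responses back into the LAN.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.sessions:
            return "allow (established)"
        # 2. Otherwise the zone-pair access rules apply, first match wins.
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (pkt.src_zone, pkt.dst_zone):
                continue
            if not (addr_matches(r.source, pkt.src_ip) and addr_matches(r.dest, pkt.dst_ip)):
                continue
            if not service_matches(r.service, pkt.proto, pkt.dst_port):
                continue
            if r.action == "allow":
                self.sessions.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return r.action
        return "deny (no matching rule)"


def build_policy() -> StatefulFirewall:
    return StatefulFirewall([
        # Local users may initiate anything towards the remote site.
        Rule("LAN", "VPN", "LAN Subnet", "Remote Site Subnet", "Any", "allow"),
        # Remote site reaches only the listed local servers, only on the grouped services.
        Rule("VPN", "LAN", "Remote Site Subnet", "Local Servers", "Remote Access Services", "allow"),
        # Anything else entering the LAN from the tunnel is dropped.
        Rule("VPN", "LAN", "Any", "Any", "Any", "deny"),
    ])


def demo() -> dict:
    fw = build_policy()
    workstation, remote_server, local_server = "192.168.10.20", "192.168.20.10", "192.168.10.50"
    results = {}
    # Workstation opens RDP to a remote server; the server's reply re-enters via VPN->LAN.
    results["rdp_out"] = fw.evaluate(Packet("LAN", "VPN", workstation, remote_server, "tcp", 50000, 3389))
    results["rdp_reply"] = fw.evaluate(Packet("VPN", "LAN", remote_server, workstation, "tcp", 3389, 50000))
    # Unsolicited connection from the remote site to the workstation's file shares.
    results["smb_to_workstation"] = fw.evaluate(Packet("VPN", "LAN", remote_server, workstation, "tcp", 51000, 445))
    # Remote site to a permitted local server: allowed on a grouped service, denied otherwise.
    results["rdp_to_local_server"] = fw.evaluate(Packet("VPN", "LAN", remote_server, local_server, "tcp", 51001, 3389))
    results["https_to_local_server"] = fw.evaluate(Packet("VPN", "LAN", remote_server, local_server, "tcp", 51002, 443))
    # Active-mode FTP: after the LAN->VPN control session, the server opens a NEW connection
    # from port 20 back to the client. It is not a reply to a tracked session, so a plain
    # stateful engine drops it (real firewalls need an FTP ALG, or the client uses passive mode).
    fw.evaluate(Packet("LAN", "VPN", workstation, remote_server, "tcp", 50010, 21))
    results["ftp_active_data"] = fw.evaluate(Packet("VPN", "LAN", remote_server, workstation, "tcp", 20, 50011))
    return results
```

Call `demo()` and read the verdict for each scenario. In this model the connection table is what settles the question in the thread: a LAN > VPN allow rule is enough for RDP, passive FTP and SMB sessions opened from the LAN, because their replies match a tracked session, while VPN > LAN stays at deny apart from the narrow rule for the hosts and services the remote site is actually meant to reach.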
paulinventome (asker):

Let me double check.

If I have my main workstation, which is accessing the remote site via the VPN connection, how do I lock down access back to my workstation? Is it a case of ensuring that Windows sharing etc. is turned off on the workstation itself?

I understand that I can limit the scope of the tunnel to a smaller set of address objects rather than my entire network range, but that policy has to be updated on the other side, otherwise the VPN tunnel won't match (in other words I have to decide now which machines can access the tunnel, where I want the ability for any workstation I have to potentially get there).

Really I want the tunnel active for my entire network range, but I want to protect against someone on the other side getting back into my network.

So the idea of denying traffic from the VPN to my LAN may prevent me from accessing the servers on the other side? Is that the case?

Thanks
Paul
ASKER CERTIFIED SOLUTION
Blue Street Tech

This solution is only available to members of Experts Exchange.

Blue Street Tech:
Glad I could help...thanks for the points!