Solved

Setting up firewall rules for a remote VPN site to site connection

Posted on 2013-11-15
413 Views
Last Modified: 2013-12-18
Whilst I work on getting the VPN connection going, I'm wondering what firewall rules I will need to protect my internal network from the remote site.

I have 3 zones off the SonicWall I'm using: WAN, LAN and VPN. The WAN->LAN is set to deny everything (I'm not sure whether anything from the outside needs to come back in?).

For the VPN, what kind of draconian rules can I have? I presume I cannot deny everything? I'm mainly using the VPN to Remote Desktop to servers, FTP onto internal machines and use TFS source safe. Sometimes I connect to Windows shares there to copy details.

Do any of the above activities require traffic from the VPN back in to my LAN?

I'm a little uncertain how firewalls work in this case. So, to bring back FTP data, would I need to open FTP ports back to my LAN?

Many thanks in advance
Paul
Question by:paulinventome

4 Comments
LVL 24

Expert Comment

by:diverseit
ID: 39650497
Hi paulinventome,

Diagram:
SonicWALL A (Central Site) <----VPN----> SonicWALL B (Remote Site)

If you want to narrow the scope of what the Remote Site can have access to, then all you need to do is set up the Address Object to whatever resources they need access to. If only one server, then isolate to that, or if a group, then create an Address Object Group. Then in the VPN Policy select the group or Object from the "Choose local network from list" drop-down list under Local Networks in the Network tab. This would allow Any Services across to the specified resource listed in your Address Object(s). If you want to narrow that down, you can by creating a Service Object Group (FTP, RDP, etc.) and modifying the VPN > LAN Access Rule and, instead of Any, selecting the Service Object Group you created.

Make sense?
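The following is an added example, not part of the thread, that models how a stateful, zone-based firewall like the SonicWall evaluates the rule set described above (LAN > VPN allowed, VPN > LAN narrowed to an Address Object Group and a Service Object Group instead of Any). It shows why a LAN-initiated RDP or FTP session needs no VPN > LAN rule for its return traffic: the reply is matched by session state, not by a rule. Zone names are the ones in the question; the IP addresses, address objects and rule table are constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    proto: str
    dport: int

# Service Object Group (RDP, FTP control) and Address Object Group (the only LAN
# hosts the remote site may reach); all values below are constructed.
SERVICE_GROUP = {("tcp", 3389), ("tcp", 21)}
LAN_SERVERS = {"10.0.0.10", "10.0.0.11"}

# Zone rules, evaluated top down: (src_zone, dst_zone, services, dst_hosts, action).
# None means "Any". The VPN > LAN allow is narrowed rather than allowing Any.
RULES = [
    ("LAN", "VPN", None, None, "allow"),
    ("VPN", "LAN", SERVICE_GROUP, LAN_SERVERS, "allow"),
    ("VPN", "LAN", None, None, "deny"),
    ("WAN", "LAN", None, None, "deny"),
]

class StatefulFirewall:
    def __init__(self):
        self.sessions = set()  # 5-tuples of sessions a rule has allowed

    def _match_rule(self, f):
        for src, dst, services, hosts, action in RULES:
            if (src, dst) != (f.src_zone, f.dst_zone):
                continue
            if services is not None and (f.proto, f.dport) not in services:
                continue
            if hosts is not None and f.dst_ip not in hosts:
                continue
            return action
        return "deny"  # no rule matched: implicit deny

    def evaluate(self, f, sport):
        # A reply to a tracked session is allowed by state, so LAN-initiated RDP,
        # FTP control or SMB sessions need no VPN > LAN rule for their return traffic.
        # Caveat: an active-mode FTP data connection is opened by the server toward
        # the client and is not a reply; it relies on FTP inspection or passive mode.
        if (f.dst_ip, f.dport, f.src_ip, sport, f.proto) in self.sessions:
            return "allow (established)"
        action = self._match_rule(f)
        if action == "allow":
            self.sessions.add((f.src_ip, sport, f.dst_ip, f.dport, f.proto))
        return action
```

Walking a LAN workstation's RDP session through `evaluate` shows the outbound packet hit the LAN > VPN rule and the reply pass as established, while an unsolicited SMB or RDP attempt from the remote site toward that same workstation falls through to the VPN > LAN deny.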

Author Comment

by:paulinventome
ID: 39650520
Let me double-check.

If I have my main workstation, which is accessing the remote site via the VPN connection, how do I lock down access back to my workstation? Is it a case of ensuring that Windows sharing etc. is turned off on the workstation itself?

I understand that I can limit the scope of the tunnel to a smaller set of address objects rather than my entire network range, but that policy has to be updated on the other side, otherwise the VPN tunnel won't match (in other words, I have to decide now which machines can access the tunnel, where I want the ability for any workstation I have to potentially get there).

Really, I want the tunnel active for my entire network range, but I want to protect against someone on the other side getting back into my network.

So the idea of denying traffic from the VPN to my LAN may prevent me from accessing the servers on the other side? Is that the case?

Thanks
Paul
LVL 24

Accepted Solution

by: diverseit (earned 500 total points)
ID: 39718612
Sorry, this one slipped through the cracks.

Yes, you are correct and moreover the only way that I know to achieve this is really with Windows permissions, but regardless they will have access to both networks hence the VPN connectivity. However, in theory, you might be able to do this if you are using SSO with SonicWALL or at least having all users authenticate on the SonicWALL and thereby limiting who has access to the tunnel that way. I say in theory because I have not done this in practice.

Let me know if you have any other questions!
LVL 24

Expert Comment

by:diverseit
ID: 39727619
Glad I could help...thanks for the points!