
Solved

Setting up firewall rules for a remote VPN site to site connection

Posted on 2013-11-15
464 Views
Last Modified: 2013-12-18
Whilst I work on getting the VPN connection going, I'm wondering what firewall rules I will need to protect my internal network from the remote site?

I have 3 zones on the SonicWall I'm using: WAN, LAN and VPN. The WAN->LAN is set to deny everything (I'm not sure whether anything from the outside needs to come back in?).

For the VPN, what kind of draconian rules can I have? I presume I cannot deny everything. I'm mainly using the VPN to Remote Desktop to servers, FTP onto internal machines and use TFS source safe. Sometimes I connect to Windows shares there to copy details.

Do any of the above activities require traffic from the VPN back in to my LAN?

I'm a little uncertain how firewalls work in this case. So to bring back FTP data, would I need to open FTP ports back to my LAN?

Many thanks in advance
Paul
Question by:paulinventome
4 Comments
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39650497
Hi paulinventome,

Diagram:
SonicWALL A (Central Site) <----VPN----> SonicWALL B (Remote Site)

If you want to narrow the scope of what the Remote Site can have access to, then all you need to do is set up the Address Object to whatever resources they need access to. If only one server, then isolate to that; if a group, then create an Address Object Group. Then in the VPN Policy select the group or Object from the "Choose local network from list" drop-down list under Local Networks in the Network tab. This would allow Any Services across to the specified resource listed in your Address Object(s). If you want to narrow that down, you can by creating a Service Object Group (FTP, RDP, etc.) and modifying the VPN > LAN Access Rule: instead of Any, select the Service Object Group you created.

Make sense?
 

Author Comment

by:paulinventome
ID: 39650520
Let me double check.

If I have my main workstation, which is accessing the remote site via the VPN connection, how do I lock down access back to my workstation? Is it a case of ensuring that Windows sharing etc. is turned off on the workstation itself?

I understand that I can limit the scope of the tunnel to a smaller set of address objects rather than my entire network range, but that policy has to be updated on the other side, otherwise the VPN tunnel won't match (in other words I have to decide now which machines can access the tunnel, where I want the ability for any workstation I have to potentially get there).

Really I want the tunnel active for my entire network range, but I want to protect against someone on the other side getting back into my network.

So the idea of denying traffic from the VPN to my LAN may prevent me from accessing the servers on the other side? Is that the case?

Thanks
Paul
 
LVL 26

Accepted Solution

by:
Blue Street Tech earned 2000 total points
ID: 39718612
Sorry, this one slipped through the cracks.

Yes, you are correct, and moreover the only way that I know to achieve this is really with Windows permissions, but regardless they will have access to both networks because of the VPN connectivity. However, in theory, you might be able to do this if you are using SSO with SonicWALL, or at least having all users authenticate on the SonicWALL and thereby limiting who has access to the tunnel that way. I say in theory because I have not done this in practice.

Let me know if you have any other questions!
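The zone model discussed in the two answers above, written out as an added example that is not part of this thread and is not SonicWALL configuration: a small Python model of a stateful, zone-based firewall. The Rule objects stand in for the address object group and service object group described in the first answer, and the connection table stands in for the stateful inspection that lets replies to LAN-initiated sessions return without any VPN > LAN allow rule. The networks, hosts and ports (including 8080 for TFS) and the FTP scenarios are constructed for illustration and are assumptions, not values from the original post.

```python
"""Toy model of a stateful zone-based firewall for a site-to-site VPN.

Added example, not from the thread and not SonicWALL syntax. The zone names,
networks, hosts and port numbers below are constructed for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One access rule between two zones.

    dst_nets plays the role of an address object group; services plays the
    role of a service object group as (proto, port) pairs, empty = any service.
    """
    src_zone: str
    dst_zone: str
    dst_nets: tuple
    services: frozenset
    action: str  # "allow" or "deny"


@dataclass
class Firewall:
    zones: dict                                  # zone name -> tuple of CIDR strings
    rules: list                                  # evaluated top to bottom, first match wins
    conntrack: set = field(default_factory=set)  # 5-tuples of flows already allowed

    def zone_of(self, ip):
        for name, nets in self.zones.items():
            if any(ip_address(ip) in ip_network(n) for n in nets):
                return name
        return "WAN"  # anything not in a known zone is treated as the outside

    def check(self, proto, src, sport, dst, dport):
        """Decide one packet; allowed new flows are recorded so their replies pass."""
        if (proto, dst, dport, src, sport) in self.conntrack:
            return "allow (established)"
        sz, dz = self.zone_of(src), self.zone_of(dst)
        for r in self.rules:
            if (r.src_zone, r.dst_zone) != (sz, dz):
                continue
            if not any(ip_address(dst) in ip_network(n) for n in r.dst_nets):
                continue
            if r.services and (proto, dport) not in r.services:
                continue
            if r.action == "allow":
                self.conntrack.add((proto, src, sport, dst, dport))
            return r.action
        return "deny (default)"


# Constructed sample policy: local LAN, remote site reached through the VPN zone.
LAN_NET, REMOTE_NET = "192.168.1.0/24", "10.20.0.0/24"
REMOTE_SERVERS = ("10.20.0.10/32", "10.20.0.11/32")  # assumed address object group
# RDP, FTP control, SMB and TFS (8080 is an assumption) as a service object group
REMOTE_SERVICES = frozenset({("tcp", 3389), ("tcp", 21), ("tcp", 445), ("tcp", 8080)})


def build_firewall():
    return Firewall(
        zones={"LAN": (LAN_NET,), "VPN": (REMOTE_NET,)},
        rules=[
            Rule("LAN", "VPN", REMOTE_SERVERS, REMOTE_SERVICES, "allow"),
            # Nothing unsolicited from the remote site into the LAN.
            Rule("VPN", "LAN", (LAN_NET,), frozenset(), "deny"),
            Rule("WAN", "LAN", (LAN_NET,), frozenset(), "deny"),
        ],
    )


def demo():
    """Run the scenarios from the question against the policy; returns verdicts."""
    fw = build_firewall()
    ws, srv, remote_pc = "192.168.1.50", "10.20.0.10", "10.20.0.77"
    return {
        "rdp_out": fw.check("tcp", ws, 50000, srv, 3389),          # LAN opens RDP
        "rdp_reply": fw.check("tcp", srv, 3389, ws, 50000),        # server's reply
        "rdp_in": fw.check("tcp", remote_pc, 51000, ws, 3389),     # remote site opens RDP to LAN
        "smb_in": fw.check("tcp", remote_pc, 51001, ws, 445),      # remote site browses LAN share
        "telnet_out": fw.check("tcp", ws, 50002, srv, 23),         # not in the service group
        "ftp_ctl": fw.check("tcp", ws, 50003, srv, 21),            # FTP control channel
        "ftp_active_data": fw.check("tcp", srv, 20, ws, 50004),    # server-initiated data channel
        "ftp_passive_data": fw.check("tcp", ws, 50005, srv, 50010),  # negotiated high port
    }
```

Running demo() gives the policy the question asks for: RDP, SMB and FTP control sessions opened from the LAN are allowed and their replies pass as established traffic, while an RDP or SMB connection initiated from the remote site is dropped by the VPN > LAN deny rule. The two FTP data cases are the caveat behind the "bring back FTP data" question: active-mode FTP opens a second connection from the server (port 20) back to the client, which this policy drops, and passive mode uses a server port outside the service group, which the LAN > VPN rule also drops. Stateful firewalls generally solve this with an FTP application-layer helper that watches the PORT/PASV commands on the control channel, or by allowing the server's passive port range LAN > VPN; neither requires opening FTP ports from the VPN back into the LAN.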
 
LVL 26

Expert Comment

by:Blue Street Tech
ID: 39727619
Glad I could help...thanks for the points!
