Solved

firewall basics access to 3rd party hosted applications

Posted on 2013-12-05
13
289 Views
Last Modified: 2013-12-20
Our staff access a remote 3rd party hosted business application from PCs in our corporate network. I am not from a network background, but access to this application server isn't "public facing", i.e. it's an application server in the 3rd party's private network that isn't exposed to the Internet. Am I right in thinking no firewall rules would need to be configured from our side to achieve this access? And they have to open up their firewall to allow access to their application server and our users? I want to establish what communications are open between the 2 networks, and whether the connection exposes any risk to our network. As a general rule I assume there would be no risks to an internal network in such a setup? Or what best practices we should be checking to ensure there are no risks by establishing this connection. Please keep answers low tech management friendly.
Question by:pma111
13 Comments
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
Normally in this situation one would set up a VPN between the two locations (firewalls) to secure the traffic when traversing the internet.
Additionally (on the remote firewall) they would set up rules to allow only traffic to the application server from your network.
I would also assume that the server is in a DMZ (separated network) so there will be no possibility to get to their internal network.
0
 
LVL 3

Author Comment

by:pma111
Can you provide some pointers on what sort of assurance checks we need to do on our side of the VPN setup to ensure data transmitted between the 2 is safe? Are there any risks to our side of the VPN from this type of setup?
0
 
LVL 3

Author Comment

by:pma111
What on our firewall would demonstrate the rules of the VPN connection? Can you give a layman's interpretation?
0
 
LVL 35

Expert Comment

by:Ernie Beek
Let's see,

-The VPN is secure by design, all data going through is encrypted. Try to use the highest level of encryption possible between the two firewalls.
-Use access lists on the firewall(s) to only allow traffic between the application server and your network or, even better, between the application server and the distinct staff machines that will be using the server. Or, even worse, only allow the ports needed for communicating with the server.

Of course 100% security cannot be reached, but this should be a fairly safe setup (in good consultation with the remote side).
0
 
LVL 35

Expert Comment

by:Ernie Beek
What on our firewall would demonstrate the rules of the VPN connection? Can you give a laymans interpretation?

Depends on the type of firewall you have and the version of the software running on it. So can't tell right now. And it's always tricky to point that out without getting technical I'm afraid. A basic understanding of firewalls could come in handy :)
0
 
LVL 3

Author Comment

by:pma111
Thanks, so am I right in thinking, on our firewall

- It will list what rules have been established between our site and their application server?
- Can such a VPN setup expose our network, from their app server, i.e can users on their app server access our network?
- When you say VPN is secure by default, how do you mean? Are there not insecure VPNs? Does it not depend on the compatibility of the firewalls as to what encryption they support? Where would you check what encryption is in use?
- Will our firewall list what protocols can be used to access their remote app server? Or will our firewall open up entire access and it's for them to determine what incoming rules are allowed?
0
 
LVL 35

Expert Comment

by:Ernie Beek
It will list what rules have been established between our site and their application server
Not quite, your firewall will show what rules apply to the traffic going through the VPN. The other side might have a set of rules of their own.

Can such a VPN setup expose our network, from their app server, i.e can users on their app server access our network
Partly, yes. That depends on how you set up the access lists (like said before).

When you say VPN is secure by default, how do you mean? Are there not insecure VPNs?
Well, there are less secure VPNs. When using a lower/simpler encryption it's theoretically easier to hack that encryption.

Does it not depend on the compatibility of the firewalls as to what encryption they support
Correct. That's why I said: Try to use the highest level of encryption possible between the two firewalls (i.e. the highest level they both support).

Where would you check what encryption is in use
The VPN settings on the firewall.

Will our firewall list what protocols can be used to access their remote app server? Or will our firewall open up entire access and it's for them to determine what incoming rules are allowed?
Depends on how things are set up (access lists). Access lists can be applied on both firewalls. So you will be able to determine what goes through (and what doesn't).
0
 
LVL 3

Author Comment

by:pma111
Ok thanks, but can you give a view: in this setup are the following rules likely?

- our firewall - allow outgoing rules from our network to the 3rd party's network for "the protocols required by our staff to use the application" only
- their firewall - allow incoming rules for "the protocols required to allow us to use their application" only

I can't see any reason why the 3rd party would need any "incoming rules" to our network? Or any "outgoing" firewall rules from their network into ours?

I assume any "incoming firewall rules" overrule "outgoing firewall rules" anyway, i.e. even if our network has "any protocol" rules to an external network/firewall, unless their firewall agrees/complies, then no connection can be made?

Is there a more technical term for incoming or outgoing rules?
0
 
LVL 3

Author Comment

by:pma111
BTW the firewall on our side is Cisco ASA
0
 
LVL 35

Expert Comment

by:Ernie Beek
Ok, I'll answer this the other way round :)

Is there a more technical term for incoming or outgoing rules
Ehr, access lists (ACLs) or rules are fairly commonly used.

I assume any "incoming firewall rules" overrule "outgoing firewall rules"
Nope, both are applied. Normally you only should use ACLs going INto an interface (ACLs are normally applied to an interface).

anyway, i.e. even if our network has "any protocol" rules to an external network/firewall, unless their firewall agrees/complies, then no connection can be made?
Sort of, their firewall should have an ACL to allow certain traffic from your side. Otherwise no connection can be made indeed.

I can't see any reason why the 3rd party would need any "incoming rules" to our network? Or any "outgoing" firewall rules from their network into ours?
That would be incoming rules applied to traffic from your network. You kind of answered that yourself above :)
And like said, normally you don't use outgoing rules.

- our firewall - allow outgoing rules from our network to the 3rd party's network for "the protocols required by our staff to use the application" only
Let me rephrase: you have a set of rules that define what traffic is allowed to go through the VPN to the other side.

- their firewall - allow incoming rules for "the protocols required to allow us to use their application" only
Rephrase again :)   they have a set of rules that define what traffic is allowed to come in through the VPN from your side.

Normally those two sets of rules should be alike.
0
 
LVL 35

Expert Comment

by:Ernie Beek
BTW the firewall on our side is Cisco ASA
Good :)

Then you should be able to define very granularly what is allowed to go through.
0
 
LVL 3

Author Comment

by:pma111
Thanks erniebeek.

Can you give any pointers where within the ASA software/management console (what's this called?) you can see and/or export a list of

1) firewall rules between the 2 sites (i.e. the VPN setup)
2) the encryption used for the VPN setup between our firewall and theirs?

Are the firewall rules easy to interpret when you export them, or an absolute nightmare? I.e. will we be able to see what incoming rules are allowed from their side of the VPN, and what outgoing rules are allowed from our side of the VPN?
0
 
LVL 35

Expert Comment

by:Ernie Beek
The ACL's/rules look like:
access-list somename extended permit tcp <source> <destination> eq <port>
or similar.
Though you can use groups and objects in there, so yes, sometimes it can be a nightmare for those who aren't familiar with it. Also you can have several access lists for several purposes.....

The encryption used depends on the config. You can insert a number of encryption methods and the firewalls negotiate the best one. You can see what the effective permission is by giving the right commands, but the outcome isn't that easy to read.

Is your firewall already configured for that VPN? You could post a sanitized configuration here. That might be easier to point out for me/us.
0
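As an added example (not code from the thread or from Cisco), a small Python model of the two points made above: the ASA-style "access-list ... extended permit tcp <source> <destination> eq <port>" lines, and the fact that both firewalls' access lists are applied, so traffic only flows when both sides permit it and the reverse direction is denied unless someone explicitly allows it. The ACL names, subnets, addresses and port are constructed for illustration; only numeric ports and "any", "host X" or "NET MASK" address forms are parsed.

```python
"""Evaluate a proposed flow against ASA-style access-list lines on BOTH firewalls."""
import ipaddress
import re

# Constructed sample rules (not from the thread). Our ASA lets the staff subnet
# reach the vendor's app server on TCP 443 only; the vendor's ASA permits the same.
OUR_ACL = """
access-list VPN_OUT extended permit tcp 10.1.0.0 255.255.255.0 host 192.0.2.10 eq 443
access-list VPN_OUT extended deny ip any any
"""
THEIR_ACL = """
access-list VPN_IN extended permit tcp 10.1.0.0 255.255.255.0 host 192.0.2.10 eq 443
"""

LINE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$")

def _addr(tokens):
    """Consume one address spec (any | host X | NET MASK); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_acl(text):
    """Turn ACL lines into (action, proto, src_net, dst_net, port_or_None) tuples."""
    rules = []
    for line in text.strip().splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # ignore blank/unsupported lines
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src, tokens = _addr(tokens)
        dst, tokens = _addr(tokens)
        port = int(tokens[1]) if len(tokens) >= 2 and tokens[0] == "eq" else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, src_ip, dst_ip, proto, port):
    """First matching rule wins; anything unmatched hits the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and s in rsrc and d in rdst and rport in (None, port):
            return action
    return "deny"

def allowed_through_vpn(our_rules, their_rules, src_ip, dst_ip, proto, port):
    """Traffic flows only if BOTH firewalls permit it; report which side blocks."""
    for side, rules in (("ours", our_rules), ("theirs", their_rules)):
        if evaluate(rules, src_ip, dst_ip, proto, port) != "permit":
            return False, side
    return True, None
```

Running the reverse direction (server to a staff PC) through the same function shows it is blocked by the implicit deny even though nobody wrote a rule about it.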