firewall basics access to 3rd party hosted applications

Our staff access a remote 3rd party hosted business application from PCs in our corporate network. I am not from a network background, but access to this application server isn't "public facing", i.e. it's an application server in the 3rd party's private network that isn't exposed to the Internet. Am I right in thinking no firewall rules would need to be configured from our side to achieve this access? And they have to open up their firewall to allow access to their application server and our users? I want to establish what communications are open between the 2 networks, and whether the connection exposes any risk to our network? As a general rule I assume there would be no risks to an internal network in such a setup? Or what best practices should we be checking to ensure there are no risks by establishing this connection? Please keep answers low tech management friendly.
LVL 3
pma111Asked:
Ernie BeekExpertCommented:
Normally in this situation one would set up a VPN between the two locations (firewalls) to secure the traffic when traversing the internet.
Additionally (on the remote firewall) they would set up rules to allow only traffic to the application server from your network.
I would also assume that the server is in a DMZ (separated network) so there will be no possibility to get to their internal network.
0

pma111Author Commented:
Can you provide some pointers on what sort of assurance checks we need to do on our side of the VPN setup to ensure data transmitted between the 2 is safe? Are there any risks to our side of the VPN from this type of setup?
0
pma111Author Commented:
What on our firewall would demonstrate the rules of the VPN connection? Can you give a layman's interpretation?
0
Ernie BeekExpertCommented:
Let's see,

-The VPN is secure by design, all data going through is encrypted. Try to use the highest level of encryption possible between the two firewalls.
-Use access lists on the firewall(s) to only allow traffic between the application server and your network or, even better, between the application server and the distinct staff machines that will be using the server. Or, even worse, only allow the ports needed for communicating with the server.

Of course 100% security cannot be reached, but this should be a fairly safe setup (in good consultation with the remote side).
0
Ernie BeekExpertCommented:
What on our firewall would demonstrate the rules of the VPN connection? Can you give a layman's interpretation?

Depends on the type of firewall you have and the version of the software running on it. So can't tell right now. And it's always tricky to point that out without getting technical I'm afraid. A basic understanding of firewalls could come in handy :)
0
pma111Author Commented:
Thanks, so am I right in thinking, on our firewall

- It will list what rules have been established between our site and their application server?
- Can such a VPN setup expose our network, from their app server, i.e. can users on their app server access our network?
- When you say VPN is secure by default, how do you mean? Are there not insecure VPNs? Does it not depend on the compatibility of the firewalls as to what encryption they support? Where would you check what encryption is in use?
- Will our firewall list what protocols can be used to access their remote app server? Or will our firewall open up entire access and it's for them to determine what incoming rules are allowed?
0
Ernie BeekExpertCommented:
It will list what rules have been established between our site and their application server
Not quite, your firewall will show what rules apply to the traffic going through the VPN. The other side might have a set of rules of their own.

Can such a VPN setup expose our network, from their app server, i.e can users on their app server access our network
Partly, yes. That depends on how you set up the access lists (like said before).

When you say VPN is secure by default, how do you mean? Are there not insecure VPN's
Well there are less secure VPNs. When using a lower/simpler encryption it's theoretically easier to hack that encryption.

Does it not depend on the compatibility of the firewalls as to what encryption they support
Correct. That's why I said: Try to use the highest level of encryption possible between the two firewalls (i.e. the highest level they both support).

Where would you check what encryption is in use
The VPN settings on the firewall.

Will our firewall list whats protocols can be used to access their remote app server? Or will our firewall open up entire access and its for them to determine what incoming rules are allowed
Depends on how things are set up (access lists). Access lists can be applied on both firewalls. So you will be able to determine what goes through (and what doesn't)
0
pma111Author Commented:
OK thanks, but can you give a view: in this setup are the following rules likely?

- our firewall - allow external rules from our network to the 3rd party's network for "the protocols required by our staff to use the application" only
- their firewall - allow incoming rules for "the protocols required to allow us to use their application" only

I can't see any reason why the 3rd party would need any "incoming rules" to our network? Or any "outgoing" firewall rules from their network into ours?

I assume any "incoming firewall rules" overrule "outgoing firewall rules" anyway, i.e. even if our network has "any protocol" rules to an external network/firewall, unless their firewall agrees/complies, then no connection can be made?

Is there a more technical term for incoming or outgoing rules?
0
pma111Author Commented:
BTW the firewall on our side is Cisco ASA
0
Ernie BeekExpertCommented:
Ok, I'll answer this the other way round :)

Is there a more technical term for incoming or outgoing rules
Ehr, access lists (ACLs) or rules are fairly commonly used.

I assume any "incoming firewall rules" overrule "outgoing firewall rules"
Nope, both are applied. Normally you should only use ACLs going INTO an interface (ACLs are normally applied to an interface).

anyway, i.e. even if our network has "any protocol" rules to an external network/firewall, unless their firewall agrees/complies, then no connection can be made?
Sort of, their firewall should have an ACL to allow certain traffic from your side. Otherwise no connection can be made indeed.

I can't see any reason why the 3rd party would need any "incoming rules" to our network? Or any "outgoing" firewall rules from their network into ours?
That would be incoming rules applied to traffic from your network. You kind of answered that yourself above :)
And like said, normally you don't use outgoing rules.

-our firewall - allow external rules from our network to the 3rd party's network for the protocols required by our staff to use the application" only
Let me rephrase: you have a set of rules that define what traffic is allowed to go through the VPN to the other side.

-their firewall - allow incoming rules for the protocols required to allow us to use their application only"
Rephrase again :)   they have a set of rules that define what traffic is allowed to come in through the VPN from your side.

Normally those two sets of rules should be alike.
0
Ernie BeekExpertCommented:
BTW the firewall on our side is Cisco ASA
Good :)

Then you should be able to define very granularly what is allowed to go through.
0
pma111Author Commented:
Thanks erniebeek.

Can you give any pointers where within the ASA software/management console (what's this called?) you can see and/or export a list of

1) firewall rules between the 2 sites (i.e.the VPN setup)
2) the encryption used for the VPN setup between our firewall and theirs?

Are the firewall rules easy to interpret when you export them, or an absolute nightmare? I.e. will we be able to see what incoming rules are allowed from their side of the VPN, and what outgoing rules are allowed from our side of the VPN?
0
Ernie BeekExpertCommented:
The ACL's/rules look like:
access-list somename extended permit tcp <source> <destination> eq <port>
or similar.
Though you can use groups and objects in there, so yes, sometimes it can be a nightmare for those who aren't familiar with it. Also you can have several access lists for several purposes...

The encryption used depends on the config. You can insert a number of encryption methods and the firewalls negotiate the best one. You can see what the effective permission is by giving the right commands, but the outcome isn't that easy to read.

Is your firewall already configured for that VPN? You could post a sanitized configuration here. That might be easier to point out for me/us.
0
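The two things the thread keeps coming back to are (a) whether the ACLs restrict VPN traffic to just the application server and the ports it needs, and (b) whether the negotiated encryption is the strongest both sides support. The script below is an added illustration, not code from the thread or from Cisco: it reads a sanitized ASA-style configuration excerpt (the excerpt, object names, addresses and ACL names are all constructed for the example) and summarises the permitted flows, flagging rules that permit "any" and IKEv2 policies that still offer weak algorithms. On a real ASA the equivalent text comes from `show running-config access-list` and `show running-config crypto`, and the algorithms actually negotiated with the peer from `show crypto ikev2 sa` and `show crypto ipsec sa`.

```python
"""Summarise a sanitized Cisco ASA site-to-site VPN configuration excerpt.

Added example, not code from the thread. SAMPLE_CONFIG is constructed:
object names, addresses and ACL names are assumptions, not from the page.
"""
import re
from collections import defaultdict

# Constructed ASA 8.4-style excerpt: one clean interface rule (443 only to the
# application server), one over-broad rule, one strong and one weak IKEv2 policy.
SAMPLE_CONFIG = """
object network CORP_LAN
 subnet 10.10.0.0 255.255.0.0
object network APP_SERVER
 host 192.0.2.10
access-list VPN_TRAFFIC extended permit ip object CORP_LAN object APP_SERVER
access-list INSIDE_IN extended permit tcp object CORP_LAN object APP_SERVER eq 443
access-list INSIDE_IN extended permit ip any any
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
crypto ikev2 policy 20
 encryption 3des
 integrity md5
 group 2
"""

# 'sha' in ASA ikev2 policy syntax means SHA-1; group numbers below 14 are weak DH.
WEAK_ALGOS = {"des", "3des", "md5", "sha"}


def parse_objects(config):
    """Map 'object network NAME' to its 'host ...' / 'subnet ...' definition."""
    objects, current = {}, None
    for line in config.splitlines():
        if line.startswith("object network "):
            current = line.split()[2]
        elif current and line.startswith(" "):
            objects[current] = line.strip()
        elif not line.startswith(" "):
            current = None
    return objects


def _endpoint(tokens, objects):
    """Consume one source/destination (any | host X | object X | net mask)."""
    kw = tokens.pop(0)
    if kw == "any":
        return "any"
    if kw == "host":
        return tokens.pop(0)
    if kw == "object":
        return objects.get(tokens.pop(0), "<undefined object>")
    return f"{kw} {tokens.pop(0)}"  # plain 'network mask' form


def parse_acls(config, objects):
    """Return {acl_name: [(action, proto, src, dst, port, overbroad)]}."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"access-list (\S+) extended (permit|deny) (\S+) (.*)", line)
        if not m:
            continue
        name, action, proto, rest = m.groups()
        tokens = rest.split()
        src = _endpoint(tokens, objects)
        dst = _endpoint(tokens, objects)
        port = tokens[1] if len(tokens) >= 2 and tokens[0] == "eq" else "any"
        # A permit with an 'any' endpoint lets far more through the tunnel than
        # the application server needs; that is what to challenge in review.
        overbroad = action == "permit" and "any" in (src, dst)
        acls[name].append((action, proto, src, dst, port, overbroad))
    return dict(acls)


def parse_ikev2_policies(config):
    """Return {policy_number: {'encryption': ..., 'integrity': ..., 'group': ...}}."""
    policies, current = {}, None
    for line in config.splitlines():
        m = re.match(r"crypto ikev2 policy (\d+)", line)
        if m:
            current = int(m.group(1))
            policies[current] = {}
        elif current is not None and line.startswith(" "):
            key, value = line.split(None, 1)
            policies[current][key] = value
        elif not line.startswith(" "):
            current = None
    return policies


def weak_policies(policies):
    """Policy numbers that still offer a weak cipher, hash or DH group."""
    return [num for num, p in policies.items()
            if p.get("encryption") in WEAK_ALGOS
            or p.get("integrity") in WEAK_ALGOS
            or int(p.get("group", "0")) < 14]


def report(config):
    """Human-readable summary lines: one per ACL entry, plus weak policies."""
    objects = parse_objects(config)
    lines = []
    for name, entries in parse_acls(config, objects).items():
        for action, proto, src, dst, port, overbroad in entries:
            flag = "  <-- over-broad" if overbroad else ""
            lines.append(f"{name}: {action} {proto} {src} -> {dst} port {port}{flag}")
    policies = parse_ikev2_policies(config)
    for num in weak_policies(policies):
        lines.append(f"ikev2 policy {num}: weak algorithms {policies[num]}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Because the ASA negotiates the first policy both peers accept, a weak policy left in the list is only harmless if the remote side never proposes it; removing it, as the output suggests for policy 20, is the check that does not depend on the other party's configuration. The same approach works on the other side's sanitized excerpt, which is how the two rule sets can be compared to confirm they are alike.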