• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 36
  • Last Modified:

How to setup a secure connection across public internet?

I'm a novice when it comes to network security and working at a firewall level.  I understand most terms... but Google more than I'll admit too.

I'm trying to setup a secure connection (tunnel?) to a server farm outside of my LANs.  I'm looking to reduce most of my physical server footprint on my location.  The server farm would be expected to house infrastructure servers (DC, DHCP, AV, Monitoring, etc..)  for my LANs.  I'll keep a single DC on site but beyond that I'd like to move everything off-site.  

Our security appliance is a pair of PA3020s.  Our current infrastructure is running on VMs so in theory I could move the VMs to the farm without much hassle.

I've contacted my ISP (which houses the server farm) and before a call I'd like to brush up on what is even possible.

My questions are basic...
 - Is this request "out of the ordinary"?
 - Are there any "standards" for this type of setup?  (encryptions?, connection types?)
 - What are my options for building a secure connection between networks?  (with respect to a PA3020 running 6.1.6OS)
0
irishmic33
Asked:
irishmic33
  • 2
1 Solution
 
Bryant SchaperCommented:
We could have continued in the same question, but here we go.

No the request is not uncommon, you are simply wanting to secure your public cloud.  If you were using Azure or AWS, you could place a virtual firewall between your cloud hosted devices and the internet so that they are protected.  Sometimes the ISP also offers this as a service, locally I know Centurylink actually offers hosted Palo Altos.

You are planning to run this over the internet, so yes their are some requirements.  I would highly recommend encryption and VPN tunnel, it will make life easier.  You will be basically adding a virtual wire, dont confuse with the PA virtual wire, between your two devices and they can communicate and route as if they were on the same WAN.  For example side one may have IP 172.16.0.1 and side two may have 172.16.0.2

The PA is fully capable of setting this up, you just need to load in the global protect info.
0
 
irishmic33Author Commented:
Understood.  Thanks for following me over on this one.  I didn't want to pile on the previous question.  I felt this would tangent away.

So I'm still looking for a VPN connection back to my PaloAlto device.  The term VPN is something that I've used as a software client in the past, so I need to correct my thinking that it's a more general term than just a client-host relationship.

I've heard of IPSec and GRE tunnels.  Im guessing these are types of VPNs?  Possibly the GRE is Cisco centric which may be an issue on PA.

When saying "GlobalProtect" settings are referring to the interface on the PA appliance?  Or is the term also common outside of PA?
0
 
Bryant SchaperCommented:
So for a quick run down, on the pa you need to setup under network profiles you need to add some IKE gateways, and IPSEC and IKE crypto settings.  Then you need add a tunnel interface and IPSEC tunnel.

You can connect the PA to a cisco as well, I actually connect my PA to 18 cisco routers.  I think when I was first doing it, I found how to connect the PA to Microsoft Azure, they had good docs, and then I found another source as well.
0
 
Feroz AhmedSenior Network EngineerCommented:
Hi,

You can go for IPSEC Over GRE Tunnel and can make them more Secure connection over Public Interface with the help of Cisco Appliances.Where in you have to configure ISAKMP,IPSEC,Deffie Helman group,Crypto_Map for Tunneling and can make these connections Secure over public Internet.
0

Featured Post

Get Certified for a Job in Cybersecurity

Want an exciting career in an emerging field? Earn your MS in Cybersecurity and get certified in ethical hacking or computer forensic investigation. WGU’s MSCSIA degree program was designed to meet the most recent U.S. Department of Homeland Security (DHS) and NSA guidelines.  

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now