Solved

How to set up a secure connection across public internet?

Posted on 2016-09-09
Last Modified: 2016-09-10
I'm a novice when it comes to network security and working at a firewall level. I understand most terms... but Google more than I'll admit to.

I'm trying to set up a secure connection (tunnel?) to a server farm outside of my LANs. I'm looking to reduce most of my physical server footprint on my location. The server farm would be expected to house infrastructure servers (DC, DHCP, AV, Monitoring, etc.) for my LANs. I'll keep a single DC on site but beyond that I'd like to move everything off-site.

Our security appliance is a pair of PA3020s.  Our current infrastructure is running on VMs so in theory I could move the VMs to the farm without much hassle.

I've contacted my ISP (which houses the server farm) and before a call I'd like to brush up on what is even possible.

My questions are basic...
 - Is this request "out of the ordinary"?
 - Are there any "standards" for this type of setup?  (encryptions?, connection types?)
 - What are my options for building a secure connection between networks?  (with respect to a PA3020 running 6.1.6OS)
0
Question by:irishmic33
 
LVL 11

Expert Comment

by:Bryant Schaper
ID: 41792004
We could have continued in the same question, but here we go.

No, the request is not uncommon; you are simply wanting to secure your public cloud. If you were using Azure or AWS, you could place a virtual firewall between your cloud-hosted devices and the internet so that they are protected. Sometimes the ISP also offers this as a service; locally I know CenturyLink actually offers hosted Palo Altos.

You are planning to run this over the internet, so yes, there are some requirements. I would highly recommend encryption and a VPN tunnel; it will make life easier. You will basically be adding a virtual wire (don't confuse it with the PA virtual wire) between your two devices, and they can communicate and route as if they were on the same WAN. For example, side one may have IP 172.16.0.1 and side two may have 172.16.0.2.

The PA is fully capable of setting this up; you just need to load in the GlobalProtect info.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 41792063
Understood.  Thanks for following me over on this one.  I didn't want to pile on the previous question.  I felt this would tangent away.

So I'm still looking for a VPN connection back to my PaloAlto device.  The term VPN is something that I've used as a software client in the past, so I need to correct my thinking that it's a more general term than just a client-host relationship.

I've heard of IPSec and GRE tunnels. I'm guessing these are types of VPNs? Possibly the GRE is Cisco-centric, which may be an issue on PA.

When saying "GlobalProtect" settings, are you referring to the interface on the PA appliance? Or is the term also common outside of PA?
0
 
LVL 11

Accepted Solution

by:
Bryant Schaper earned 500 total points
ID: 41792073
So for a quick rundown: on the PA, under network profiles, you need to add some IKE gateways, and IPSEC and IKE crypto settings. Then you need to add a tunnel interface and an IPSEC tunnel.

You can connect the PA to a Cisco as well; I actually connect my PA to 18 Cisco routers. I think when I was first doing it, I found how to connect the PA to Microsoft Azure, they had good docs, and then I found another source as well.
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 41792280
Hi,

You can go for an IPSEC over GRE tunnel and make the connection more secure over the public interface with the help of Cisco appliances, wherein you have to configure ISAKMP, IPSEC, the Diffie-Hellman group and Crypto_Map for tunneling, and can make these connections secure over the public Internet.
0
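Both the accepted answer and the last comment come down to configuring matching IKE (ISAKMP) and IPsec crypto settings on the two tunnel endpoints. The following Python check is an added example, not part of the thread and not PAN-OS or Cisco syntax: it compares the two sides' settings before a tunnel is brought up, reporting mismatches and deprecated algorithms. The field names, the weak-algorithm policy and the sample values are all assumptions made for illustration.

```python
# Added example: field names and sample values are constructed for illustration.
# Example policy (an assumption): algorithms and DH groups treated as too weak.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "dh_group": {1, 2, 5}}
# Assumption: lifetime differences are usually tolerated (the shorter value is
# used), while algorithm and DH group differences make negotiation fail.
NEGOTIABLE = {"lifetime_s"}

def audit_phase(name, local, peer):
    """Compare one phase (IKE or IPsec) of a site-to-site tunnel definition."""
    findings = []
    for field in sorted(set(local) | set(peer)):
        a, b = local.get(field), peer.get(field)
        if a != b:
            kind = "NOTE" if field in NEGOTIABLE else "MISMATCH"
            findings.append(f"{name}: {kind} {field}: local={a} peer={b}")
        for side, value in (("local", a), ("peer", b)):
            if value in WEAK.get(field, ()):
                findings.append(f"{name}: WEAK {field}={value} on {side}")
    return findings

def audit_tunnel(local, peer):
    """Run the comparison for both the IKE and the IPsec crypto settings."""
    findings = []
    for phase in ("ike", "ipsec"):
        findings += audit_phase(phase, local[phase], peer[phase])
    return findings

# Constructed sample: settings on the on-site firewall.
LOCAL = {
    "ike": {"encryption": "aes-256-cbc", "hash": "sha256",
            "dh_group": 14, "lifetime_s": 28800},
    "ipsec": {"encryption": "aes-256-cbc", "hash": "sha256",
              "dh_group": 14, "lifetime_s": 3600},
}
# Constructed sample: settings on the far-end device, with an old DH group,
# 3DES in phase 2 and no PFS group (dh_group None).
PEER = {
    "ike": {"encryption": "aes-256-cbc", "hash": "sha256",
            "dh_group": 2, "lifetime_s": 86400},
    "ipsec": {"encryption": "3des", "hash": "sha256",
              "dh_group": None, "lifetime_s": 3600},
}

if __name__ == "__main__":
    for line in audit_tunnel(LOCAL, PEER):
        print(line)
```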
