Solved

How to setup a secure connection across public internet?

Posted on 2016-09-09
4
16 Views
Last Modified: 2016-09-10
I'm a novice when it comes to network security and working at a firewall level.  I understand most terms... but Google more than I'll admit too.

I'm trying to setup a secure connection (tunnel?) to a server farm outside of my LANs.  I'm looking to reduce most of my physical server footprint on my location.  The server farm would be expected to house infrastructure servers (DC, DHCP, AV, Monitoring, etc..)  for my LANs.  I'll keep a single DC on site but beyond that I'd like to move everything off-site.  

Our security appliance is a pair of PA3020s.  Our current infrastructure is running on VMs so in theory I could move the VMs to the farm without much hassle.

I've contacted my ISP (which houses the server farm) and before a call I'd like to brush up on what is even possible.

My questions are basic...
 - Is this request "out of the ordinary"?
 - Are there any "standards" for this type of setup?  (encryptions?, connection types?)
 - What are my options for building a secure connection between networks?  (with respect to a PA3020 running 6.1.6OS)
0
Comment
Question by:irishmic33
  • 2
4 Comments
 
LVL 11

Expert Comment

by:Bryant Schaper
ID: 41792004
We could have continued in the same question, but here we go.

No the request is not uncommon, you are simply wanting to secure your public cloud.  If you were using Azure or AWS, you could place a virtual firewall between your cloud hosted devices and the internet so that they are protected.  Sometimes the ISP also offers this as a service, locally I know Centurylink actually offers hosted Palo Altos.

You are planning to run this over the internet, so yes their are some requirements.  I would highly recommend encryption and VPN tunnel, it will make life easier.  You will be basically adding a virtual wire, dont confuse with the PA virtual wire, between your two devices and they can communicate and route as if they were on the same WAN.  For example side one may have IP 172.16.0.1 and side two may have 172.16.0.2

The PA is fully capable of setting this up, you just need to load in the global protect info.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 41792063
Understood.  Thanks for following me over on this one.  I didn't want to pile on the previous question.  I felt this would tangent away.

So I'm still looking for a VPN connection back to my PaloAlto device.  The term VPN is something that I've used as a software client in the past, so I need to correct my thinking that it's a more general term than just a client-host relationship.

I've heard of IPSec and GRE tunnels.  Im guessing these are types of VPNs?  Possibly the GRE is Cisco centric which may be an issue on PA.

When saying "GlobalProtect" settings are referring to the interface on the PA appliance?  Or is the term also common outside of PA?
0
 
LVL 11

Accepted Solution

by:
Bryant Schaper earned 500 total points
ID: 41792073
So for a quick run down, on the pa you need to setup under network profiles you need to add some IKE gateways, and IPSEC and IKE crypto settings.  Then you need add a tunnel interface and IPSEC tunnel.

You can connect the PA to a cisco as well, I actually connect my PA to 18 cisco routers.  I think when I was first doing it, I found how to connect the PA to Microsoft Azure, they had good docs, and then I found another source as well.
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 41792280
Hi,

You can go for IPSEC Over GRE Tunnel and can make them more Secure connection over Public Interface with the help of Cisco Appliances.Where in you have to configure ISAKMP,IPSEC,Deffie Helman group,Crypto_Map for Tunneling and can make these connections Secure over public Internet.
0

Featured Post

Do You Know the 4 Main Threat Actor Types?

Do you know the main threat actor types? Most attackers fall into one of four categories, each with their own favored tactics, techniques, and procedures.

Join & Write a Comment

Data center, now-a-days, is referred as the home of all the advanced technologies. In-fact, most of the businesses are now establishing their entire organizational structure around the IT capabilities.
I recently attended Cisco Live! in Las Vegas, a conference that boasted over 28,000 techies in attendance, and a week of hands-on learning hosted by a solid partner with which Concerto goes to market.  Every year, Cisco displays cutting-edge technol…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now