Solved

How to setup a secure connection across public internet?

Posted on 2016-09-09
4
20 Views
Last Modified: 2016-09-10
I'm a novice when it comes to network security and working at a firewall level.  I understand most terms... but Google more than I'll admit too.

I'm trying to setup a secure connection (tunnel?) to a server farm outside of my LANs.  I'm looking to reduce most of my physical server footprint on my location.  The server farm would be expected to house infrastructure servers (DC, DHCP, AV, Monitoring, etc..)  for my LANs.  I'll keep a single DC on site but beyond that I'd like to move everything off-site.  

Our security appliance is a pair of PA3020s.  Our current infrastructure is running on VMs so in theory I could move the VMs to the farm without much hassle.

I've contacted my ISP (which houses the server farm) and before a call I'd like to brush up on what is even possible.

My questions are basic...
 - Is this request "out of the ordinary"?
 - Are there any "standards" for this type of setup?  (encryptions?, connection types?)
 - What are my options for building a secure connection between networks?  (with respect to a PA3020 running 6.1.6OS)
0
Comment
Question by:irishmic33
  • 2
4 Comments
 
LVL 12

Expert Comment

by:Bryant Schaper
ID: 41792004
We could have continued in the same question, but here we go.

No the request is not uncommon, you are simply wanting to secure your public cloud.  If you were using Azure or AWS, you could place a virtual firewall between your cloud hosted devices and the internet so that they are protected.  Sometimes the ISP also offers this as a service, locally I know Centurylink actually offers hosted Palo Altos.

You are planning to run this over the internet, so yes their are some requirements.  I would highly recommend encryption and VPN tunnel, it will make life easier.  You will be basically adding a virtual wire, dont confuse with the PA virtual wire, between your two devices and they can communicate and route as if they were on the same WAN.  For example side one may have IP 172.16.0.1 and side two may have 172.16.0.2

The PA is fully capable of setting this up, you just need to load in the global protect info.
0
 
LVL 2

Author Comment

by:irishmic33
ID: 41792063
Understood.  Thanks for following me over on this one.  I didn't want to pile on the previous question.  I felt this would tangent away.

So I'm still looking for a VPN connection back to my PaloAlto device.  The term VPN is something that I've used as a software client in the past, so I need to correct my thinking that it's a more general term than just a client-host relationship.

I've heard of IPSec and GRE tunnels.  Im guessing these are types of VPNs?  Possibly the GRE is Cisco centric which may be an issue on PA.

When saying "GlobalProtect" settings are referring to the interface on the PA appliance?  Or is the term also common outside of PA?
0
 
LVL 12

Accepted Solution

by:
Bryant Schaper earned 500 total points
ID: 41792073
So for a quick run down, on the pa you need to setup under network profiles you need to add some IKE gateways, and IPSEC and IKE crypto settings.  Then you need add a tunnel interface and IPSEC tunnel.

You can connect the PA to a cisco as well, I actually connect my PA to 18 cisco routers.  I think when I was first doing it, I found how to connect the PA to Microsoft Azure, they had good docs, and then I found another source as well.
0
 
LVL 5

Expert Comment

by:Feroz Ahmed
ID: 41792280
Hi,

You can go for IPSEC Over GRE Tunnel and can make them more Secure connection over Public Interface with the help of Cisco Appliances.Where in you have to configure ISAKMP,IPSEC,Deffie Helman group,Crypto_Map for Tunneling and can make these connections Secure over public Internet.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Port forwarding 14 153
Sonicwall blocks a site 49 78
Accessing SQL Server Instance from outside the network 29 110
Need a device to send message to phone when power is out 3 78
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

810 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question