Solved

How to setup a secure connection across public internet?

Posted on 2016-09-09
24 Views
Last Modified: 2016-09-10
I'm a novice when it comes to network security and working at a firewall level. I understand most terms... but Google more than I'll admit to.

I'm trying to set up a secure connection (tunnel?) to a server farm outside of my LANs. I'm looking to reduce most of my physical server footprint on my location. The server farm would be expected to house infrastructure servers (DC, DHCP, AV, Monitoring, etc.) for my LANs. I'll keep a single DC on site but beyond that I'd like to move everything off-site.

Our security appliance is a pair of PA3020s. Our current infrastructure is running on VMs so in theory I could move the VMs to the farm without much hassle.

I've contacted my ISP (which houses the server farm) and before a call I'd like to brush up on what is even possible.

My questions are basic...
 - Is this request "out of the ordinary"?
 - Are there any "standards" for this type of setup? (encryption?, connection types?)
 - What are my options for building a secure connection between networks? (with respect to a PA3020 running 6.1.6 OS)

Question by: irishmic33
4 Comments
 
LVL 12

Expert Comment

by: Bryant Schaper
ID: 41792004
We could have continued in the same question, but here we go.

No, the request is not uncommon, you are simply wanting to secure your public cloud. If you were using Azure or AWS, you could place a virtual firewall between your cloud hosted devices and the internet so that they are protected. Sometimes the ISP also offers this as a service; locally I know CenturyLink actually offers hosted Palo Altos.

You are planning to run this over the internet, so yes there are some requirements. I would highly recommend encryption and a VPN tunnel, it will make life easier. You will be basically adding a virtual wire (don't confuse with the PA virtual wire) between your two devices and they can communicate and route as if they were on the same WAN. For example side one may have IP 172.16.0.1 and side two may have 172.16.0.2.

The PA is fully capable of setting this up, you just need to load in the GlobalProtect info.
0
 
LVL 2

Author Comment

by: irishmic33
ID: 41792063
Understood. Thanks for following me over on this one. I didn't want to pile on the previous question. I felt this would tangent away.

So I'm still looking for a VPN connection back to my Palo Alto device. The term VPN is something that I've used as a software client in the past, so I need to correct my thinking: it's a more general term than just a client-host relationship.

I've heard of IPsec and GRE tunnels. I'm guessing these are types of VPNs? Possibly the GRE is Cisco-centric, which may be an issue on PA.

When you say "GlobalProtect" settings, are you referring to the interface on the PA appliance? Or is the term also common outside of PA?
0
 
LVL 12

Accepted Solution

by: Bryant Schaper (earned 500 total points)
ID: 41792073
So for a quick run down, on the PA, under network profiles, you need to add some IKE gateways and IPsec and IKE crypto settings. Then you need to add a tunnel interface and an IPsec tunnel.

You can connect the PA to a Cisco as well, I actually connect my PA to 18 Cisco routers. I think when I was first doing it, I found how to connect the PA to Microsoft Azure, they had good docs, and then I found another source as well.
0
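The steps in the accepted answer, written out as an added example (this is not from the thread or from Palo Alto Networks): PAN-OS set-command CLI for a route-based site-to-site IPsec tunnel from the PA3020 to the ISP's server farm, going slightly beyond the answer by adding the proxy-ID, the static route and the SA checks. Assumptions: ethernet1/1 is the untrust interface, the ISP peer is 203.0.113.10 (documentation range), the local LAN is 10.10.0.0/16, the farm is 10.20.0.0/16, all zone, gateway and profile names are invented, the PSK is a placeholder, and IKEv1 main mode is used because IKEv2 only arrived in PAN-OS 7.0; the exact set-command syntax is assumed from later PAN-OS releases and the `#` lines are explanatory, not CLI.

```text
# --- Phase 1 (IKE) crypto profile: AES-256, SHA-256, DH group 14 ---
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 encryption aes-256-cbc
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 hash sha256
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ike-crypto-profiles IKE-AES256-SHA256-G14 lifetime hours 8

# --- Phase 2 (IPsec) crypto profile: ESP with AES-256/SHA-256 and PFS via group 14 ---
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp encryption aes-256-cbc
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 esp authentication sha256
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 dh-group group14
set network ike crypto-profiles ipsec-crypto-profiles IPSEC-AES256-SHA256-G14 lifetime hours 1

# --- IKE gateway: which peer, from which interface, authenticated how ---
set network ike gateway GW-ISP-FARM local-address interface ethernet1/1
set network ike gateway GW-ISP-FARM peer-address ip 203.0.113.10
set network ike gateway GW-ISP-FARM authentication pre-shared-key key <LONG-RANDOM-PSK-PLACEHOLDER>
set network ike gateway GW-ISP-FARM protocol ikev1 exchange-mode main
set network ike gateway GW-ISP-FARM protocol ikev1 ike-crypto-profile IKE-AES256-SHA256-G14
set network ike gateway GW-ISP-FARM protocol ikev1 dpd enable yes

# --- Tunnel interface: the "virtual wire" between the two sites, in its own zone ---
set network interface tunnel units tunnel.1 ip 172.16.0.1/30
set zone VPN-FARM network layer3 tunnel.1
set network virtual-router default interface tunnel.1

# --- IPsec tunnel: binds gateway, phase 2 profile and tunnel interface together ---
set network tunnel ipsec VPN-ISP-FARM tunnel-interface tunnel.1
set network tunnel ipsec VPN-ISP-FARM auto-key ike-gateway GW-ISP-FARM
set network tunnel ipsec VPN-ISP-FARM auto-key ipsec-crypto-profile IPSEC-AES256-SHA256-G14
# Proxy-ID only matters when the far end is policy-based (e.g. a Cisco crypto map) and must match it
set network tunnel ipsec VPN-ISP-FARM auto-key proxy-id FARM local 10.10.0.0/16 remote 10.20.0.0/16 protocol any

# --- Route the farm prefix into the tunnel; security policy between zones still gates the traffic ---
set network virtual-router default routing-table ip static-route TO-FARM destination 10.20.0.0/16 interface tunnel.1

commit

# --- Verify: bring up and inspect the phase 1 and phase 2 SAs ---
test vpn ike-sa gateway GW-ISP-FARM
test vpn ipsec-sa tunnel VPN-ISP-FARM
show vpn ike-sa gateway GW-ISP-FARM
show vpn ipsec-sa tunnel VPN-ISP-FARM
```

The peer (ISP firewall or Cisco router) must be configured with the mirror image of the same proposal, PSK, local/remote subnets and, if it is a Cisco, the matching crypto map ACL.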
 
LVL 5

Expert Comment

by: Feroz Ahmed
ID: 41792280
Hi,

You can go for IPsec over a GRE tunnel and make them a more secure connection over a public interface with the help of Cisco appliances, wherein you have to configure ISAKMP, IPsec, the Diffie-Hellman group and a crypto map for tunneling, and can make these connections secure over the public Internet.
0
