Customer Firewall Behind Our Firewall

I have an issue which I am trying to figure out. We are a small company and we have some customer automated test equipment on site which they want to remotely manage. These testers are old; to my knowledge they have no AV and some still run Windows XP. We have our own testers which run Windows 7 but no AV or malware protection, and they absolutely do not go on the network. AV software interferes with the test software, and Windows updates are never done so as not to change the config. What I am suggesting is dropping another internet line to the building and having their firewall connected directly to their equipment; it is completely isolated from our network, no problem. But I guess what they are suggesting is that if they put their firewall behind ours, directly connected to their testers, and the firewall creates a site-to-site VPN, would our network be isolated since everything is behind the VPN tunnel back to their location? Any guidance would be appreciated; I am not a network engineer.

Fred Marshall (Principal) commented:
Diagrams help so I will try:
ISP <> Your Firewall <> Your network <> Their Firewall <> Their equipment.
There is NO network connection between "their equipment" and "your equipment" that could conceivably have any network interconnect, correct?

Your idea for a separate ISP connection for their equipment is wise.  

I don't quite see what a VPN will do, as it's just a fancy "connection" after all. That the traffic is encrypted does nothing for *me*! (or for you).
And, it's not clear where it would be connected on your side is it?
I suppose you might be able to set up a DMZ on your firewall for their firewall and equipment.  That could work I believe.

Otherwise, you're going to have their traffic on your LAN. Rather than worrying about how to make that secure, your idea of keeping it separate is zero work for you, in contrast to more work and more worry.
And do you want to be responsible for *their* internet connection? Who do you think they will call when it fails?

I hope this helps.

atlas_shuddered (Sr. Network Engineer) commented:
If they are tunneled from their firewall's external interface all the way to their office, then yes, your site remains sanitary. To go a step further on this, I would create a segregated VLAN on the switch connecting their firewall to yours, unless you are connecting firewall to firewall directly.

The traffic being tunneled means that you can't see them. It also means that they can't magically talk outside that stream to hosts not on one end of that tunnel or the other. Ergo, no cross-contamination.

The reason I point out the segregated VLAN is to isolate all traffic from their firewall out so that, in the event someone on their side gets creative, they can't punch holes in their firewall rules outside of the VPN and begin dumping non-tunneled traffic onto your LAN.

I agree that a VPN isn't really a solution for your situation. As long as their computers have the ability to get to the internet and to your network without using the VPN, you're really not protected.

I also agree that the separate internet connection is the simplest and "cleanest" solution, though it includes the monthly expense.  You can come close to that if your firewall/router supports the ability to isolate one of the LAN ports to allow traffic only between itself and the WAN port.  If your firewall/router does its job correctly, that will isolate your client's traffic from your network.

What are you using for a firewall or router?  If it supports VLANs, you very well may be able to do what I'm suggesting.  Take Fred's comments seriously, though.  Do you really want to be their internet administrator, especially if you're doing something slightly out of the ordinary with an isolated VLAN?  While it's not that complicated, it is another complication that you'll have to manage.

Another thought that comes to mind is to see if you can get a second static IP address from your ISP and connect their firewall to it.  There may be an additional cost to an extra IP address, but it should be much less than another internet connection.

atlas_shuddered (Sr. Network Engineer) commented:
Again, if the VPN is site to site from their on-premise firewall to their office firewall, the traffic will be transmitted over a secured tunnel that can't magically be punched out of to infect or interact with your network. Your firewall acts only as an intermediate routing device with filtering, so you'd have to set up a rule to permit the site-to-site VPN traffic to pass. Potentially a NAT, depending on the IP situation.

Putting in a second internet circuit means just one more item you have on premise and potentially one more item you have to assist in troubleshooting. At the very least, I am going to guess that it would be you or someone in your organization that is going to have to babysit the installation tech and any future premise techs sent out for changes or repairs.

The VPN is the easier route to go. It is also secure for you, especially if you set up a segregated VLAN between your firewall and theirs. Going that route is all logical, nothing physical. I don't see how it gets simpler.

One more point that I'll make in regard to this. This is a very common practice. With my current employer we do this with around 150 customers. The simple question for us is whether we trust the customer, and if we don't trust them with the site-to-site, then the next question is why we trust their equipment on premise to begin with.

Keep it simple.
Kissel-B (Author) commented:
We have a FortiGate 60E which has VLAN capability. We have 5 IPs from our ISP. The client is trustworthy, but these testers have no AV/malware protection; most of the operating systems are end of life and probably have not been patched in years, but they have to be that way so as not to interfere with the test software or change the configuration in any way. With all those factors and the current state of exploits, the safest bet, and what we do with our own testers, is that they are completely isolated and never go on the network, but I can't control what the client wants to do with their equipment. I can only make recommendations to the owner of the company; he gets the final say. I just want to make sure that if he decides to let them use our WAN connection, I do everything in my power to mitigate any risks to our network. A second line is the way I would prefer; if not, I want to make sure all avenues are considered.
Fred Marshall (Principal) commented:
atlas_shuddered suggests doing something that wasn't clear in your description of the "VPN" setup. That's why I mentioned it earlier.

I understand the approach to a point.  More importantly, you have to understand it.

The tunnel needs to work THROUGH your firewall. So you would likely have to do something like open some ports to allow that to happen. Maybe it's easy and maybe it takes some manual settings; it depends on your firewall.
Since you're not a network engineer, maybe this isn't your most favored approach.
Someone else might comment.

There is *no* reason for them to not like a separate ISP connection.  Of course, someone would have to pay for it on a monthly basis.
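For readers with a FortiGate like the 60E mentioned in the thread, here is what the "segregated VLAN plus permit only the tunnel" approach looks like as a FortiOS CLI configuration. This is an added example, not configuration posted by anyone in the thread, and every name and address in it is an assumption: the LAN-side interface `internal`, VLAN ID 50, the 192.0.2.0/30 transit subnet (FortiGate at .1, customer firewall's outside port at .2), the WAN interface `wan1`, and the public address 203.0.113.11 standing in for one of the five ISP-assigned addresses. It allows only IKE (UDP 500 and 4500) and ESP from the customer's firewall out to the internet, NATs that traffic to its own public address so the tunnel never shares the company's main address, and logs and denies anything from the customer VLAN toward the internal LAN.

```fortios
# Added example (assumed names and addresses, see lead-in). Paste into the FortiOS CLI.

# 1. Transit VLAN on the LAN-side interface. Only the customer firewall's outside
#    port lives here; a /30 has room for exactly that one host plus the FortiGate.
config system interface
    edit "cust-transit"
        set vdom "root"
        set interface "internal"
        set vlanid 50
        set ip 192.0.2.1 255.255.255.252
        set allowaccess ping
        set role lan
    next
end

# 2. Address object for the customer firewall's outside interface (assumed 192.0.2.2).
config firewall address
    edit "cust-fw-outside"
        set subnet 192.0.2.2 255.255.255.255
    next
end

# 3. Dedicated public address for the customer's tunnel (assumed 203.0.113.11).
#    One-to-one NAT keeps ESP and NAT-T (UDP 4500) mapping stable for the tunnel.
config firewall ippool
    edit "cust-public-ip"
        set type one-to-one
        set startip 203.0.113.11
        set endip 203.0.113.11
    next
end

# 4. Policies. Only the predefined IKE (UDP 500/4500) and ESP services may leave the
#    transit VLAN, and only toward the internet. The explicit deny toward the internal
#    LAN duplicates the implicit deny, but gives a logged record if someone on the
#    customer side "gets creative" and tries to send non-tunneled traffic your way.
config firewall policy
    edit 0
        set name "cust-ipsec-out"
        set srcintf "cust-transit"
        set dstintf "wan1"
        set srcaddr "cust-fw-outside"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "IKE" "ESP"
        set nat enable
        set ippool enable
        set poolname "cust-public-ip"
        set logtraffic all
    next
    edit 0
        set name "cust-to-lan-deny"
        set srcintf "cust-transit"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two things to check after applying it: there must be no other policy with `srcintf "cust-transit"` (the FortiGate's implicit deny does the rest), and the switch port the customer firewall plugs into must carry VLAN 50 only. If you would rather not trunk VLANs at all, the alternative from the thread of isolating a single LAN port works the same way on a 60E: remove one port from the hardware switch so it becomes its own interface and use that interface name as `srcintf` instead; the policies are otherwise unchanged. If the customer's head office must be able to initiate the tunnel rather than only their on-site firewall, an inbound VIP on 203.0.113.11 for IKE and ESP would be needed as well, which is not shown here.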
Fred Marshall (Principal) commented:
No response.