Customer Firewall Behind Our Firewall

Kissel-B asked:

I have an issue which I am trying to figure out. We are a small company, and we have some customer automated test equipment on site which they want to remotely manage. These testers are old; to my knowledge they have no AV, and some still run Windows XP. We have our own testers which run Windows 7 but no AV or malware protection, and they absolutely do not go on the network. AV software interferes with the test software, and Windows updates are never done so as not to change the config. What I am suggesting is dropping another internet line to the building and having their firewall connected directly to their equipment; it's completely isolated from our network, no problem. But I guess what they are suggesting is this: if they put their firewall behind ours, directly connected to their testers, and the firewall creates a site-to-site VPN, would our network be isolated since everything is behind the VPN tunnel back to their location? Any guidance would be appreciated; I am not a network engineer.
ASKER CERTIFIED SOLUTION
hypercube:

If they are tunneled from their firewall's external interface all the way to their office, then yes, your site remains sanitary. To go a step further on this, I would create a segregated VLAN on the switch connecting their firewall to yours, unless you are connecting firewall to firewall directly.

The traffic being tunneled means that you can't see them. It also means that they can't magically talk outside that stream to hosts not on one end of that tunnel or the other. Ergo, no cross-contamination.

The reason I point out the segregated VLAN is to isolate all traffic from their firewall out so that, in the event someone on their side gets creative, they can't punch holes in their firewall rules outside of the VPN and begin dumping non-tunneled traffic onto your LAN.
Kissel-B (asker):

We have a FortiGate 60E which has VLAN capability. We have 5 IPs from our ISP. The client is trustworthy, but these testers have no AV/malware protection; most of the operating systems are end of life and probably have not been patched in years, but they have to be that way so as not to interfere with the test software or change the configuration in any way. With all those factors and the current state of exploits, the safest bet, and what we do with our own testers, is that they are completely isolated and never go on the network, but I can't control what the client wants to do with their equipment. I can only make recommendations to the owner of the company; he gets the final say. I just want to make sure that if he decides to let them use our WAN connection, I do everything in my power to mitigate any risks to our network. A second line is the way I would prefer; if not, I want to make sure all avenues are considered.
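One way to implement the segregated VLAN that hypercube describes on the FortiGate 60E the asker mentions, as an added example that is not part of this thread and not a configuration from either poster. The interface names, VLAN ID, parent port, transit subnet and policy names are assumptions, and the customer's firewall is assumed to build an IPsec tunnel, so only IKE and ESP are allowed out of its segment and nothing is allowed between that segment and the corporate LAN in either direction:

```fortios
# Added example, not the thread's own configuration. All names, the VLAN ID,
# the parent port and the addresses below are assumed placeholders.

# 1. Dedicated VLAN sub-interface that only the customer's firewall plugs into.
config system interface
    edit "cust-fw-vlan"
        set vdom "root"
        set interface "internal"             # assumed parent port on the 60E
        set vlanid 200                       # assumed VLAN ID, used nowhere else
        set ip 10.200.200.1 255.255.255.248  # assumed transit subnet for the customer box
        set allowaccess ping                 # no HTTPS/SSH management from this segment
        set role dmz
    next
end

# 2. Service objects for IPsec so the outbound rule does not need "ALL".
config firewall service custom
    edit "cust-ike"
        set udp-portrange 500 4500           # IKE and NAT-T
    next
    edit "cust-esp"
        set protocol IP
        set protocol-number 50               # ESP
    next
end

# 3. Policies. The explicit denies are created first so they sit above the
#    allow rule. Unmatched traffic is dropped by the implicit deny anyway;
#    the explicit rules exist so that any attempt is logged.
config firewall policy
    edit 0
        set name "deny-custvlan-to-lan"
        set srcintf "cust-fw-vlan"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "deny-lan-to-custvlan"
        set srcintf "internal"
        set dstintf "cust-fw-vlan"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "allow-custvlan-vpn-out"
        set srcintf "cust-fw-vlan"
        set dstintf "wan1"                   # assumed ISP-facing port
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "cust-ike" "cust-esp"
        set nat enable
        set logtraffic all
    next
end
```

After applying it, confirm from the customer side of the VLAN that nothing on the corporate LAN answers and that the FortiGate's forward traffic log records the denied attempts; that log is also what tells you if someone on their side later "gets creative", as hypercube puts it. If the customer's firewall uses an SSL VPN over TCP 443 rather than IPsec, replace the two service objects with one for that port; the deny rules and the VLAN itself stay the same. Since the asker has five ISP addresses, the outbound policy could also use a dedicated public IP for the customer firewall instead of the shared NAT address, which keeps their tunnel traffic distinguishable from the company's own at the ISP edge.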