AD network under a SonicWall needs specialized security

Greg Kristy

I'll keep it short and sweet:
Engineering firm, ~10 users, some of them are programmers and they have a server with special software for versioning and collaborating on code.

I overhauled their Windows Domain system for them. Installed a SonicWall, set up VPN access for up to 10 remote users via SonicWall. Installed some servers. Things went more or less smoothly and they like me a lot.

Now they have a new client they will be collaborating with. These will be remote users, logging in via SonicWall VPN. I'm setting up a server/NAS just for them. They MUST NOT be able to see anything else in the network. In fact, it could lead to a lawsuit. When I brought up cloud, the owner didn't even let me finish the sentence.

What would you guys recommend I do here? So far I'm considering the following two options:

  1. Use Active Directory and NTFS permissions to control access and visibility. AD will be the one central hub that keeps things separate. I would create a special group for the remote users. Their AD accounts will be members of that group.
  2. Instead, have the isolation happen at the SonicWall. Create a VLAN or separate subnet. When creating a VPN user account, normally I add them to the group "LAN Subnets". These external users will instead be added to a special group associated with the VLAN.

This is just a tad bit outside of my skillset, and this is 100% my client so I can't escalate or anything. Would luuuuuv any advice, thank you.
 


You want option #3, a separate, completely independent firewall zone. Essentially this creates two inside or trusted networks, but they do not trust each other. Yes, it is normal to have more than two firewall zones.

Now, here is where it gets fun. If you use a new interface, just leave the VLAN info blank, since by default it will be an access port on whatever VLAN the port is on (presumably the default VLAN). Not that it really matters, because either way it will transmit and receive Ethernet frames that do NOT have an 802.1q tag. You would create a new subnet and put an IP from that subnet on the interface in that zone, and let it serve as the gateway... connect it to its own switch, and you are essentially done after setting up VPN to the proper firewall zone(s).

Now, let's say you are limited in that they have a very cheap firewall and do not have extra interfaces and/or do not want to buy another switch... In that case, find out what VLAN the firewall is currently operating on (probably VLAN 1) and configure the existing port to use 802.1q, then the uplink of the current switch to be a trunk port allowing that VLAN. Now create a sub-interface (presuming SonicWall allows this; I would think it would), and enable this as an 802.1q port as well but in a different VLAN... Put your other gateway IP on this sub-interface, and ensure this sub-interface is in the other Trusted or Inside zone. Now on the connected switch, create the other 802.1q VLAN and add it as an allowed VLAN on the trunk facing the firewall.

Obviously, each subnet will belong to a separate interface or sub-interface in its own private zone, and the firewall, being Layer-3, can do any routing as necessary for directly connected networks. If you look at the firewall's virtual router, you would probably see something equivalent to an IP route pointing to the subnet ID via the VLAN as the next hop... (it knows what interfaces are on each VLAN already).

On your Layer-2 switch, the only other thing left to do is configure the ports that computers, printers, servers, NAS devices etc. connect to. Essentially, these would be configured as access ports (NOT trunk ports), and they would be made a member of whichever of the two VLANs you have on the switch. The Layer-2 switch, doing no routing, would NOT strip the VLANs and route between them (besides, even if it was Layer-3 it would not be able to do any routing, being you had no Layer-3 VLAN interfaces configured; hence, it would have an empty routing table). Essentially, these would both be private and any computers, servers, etc. would see only their firewall port and have communication through only via the firewall's virtual router and ruleset.
 
Since it's a client (outside people), not a full-time business they're merging with, why take on permanent expensive steps to change up their network?
Likely this client exists outside of their building.
Engineering firms typically work with large files.

Put them onto a secure file sharing/sync program. Something like Datto Drive (free for the first year, unlimited users), or Autotask's file sync/share product (formerly Soonr).

That way you only sync the directories on the server you want, and they cannot access the rest.
And uploading or downloading large files is much smoother than via a clunky VPN.
Keeps them contained only in the folders you're syncing with them.
 
Put them onto a secure file sharing/sync program. Something like Datto Drive (free for the first year, unlimited users), or Autotask's file sync/share product (formerly Soonr).

That makes sense to me too, but it seems like this client is one of those "cloud deniers" which I often run into as well. They claim that either the cloud does not exist at all, or that it popped into existence due to natural effects and humans did not contribute to it. Whatever.

I think creating another VPN user group, and another LAN Subnet would be a good idea. If they have a server already or any form of virtualization, might be least expensive to fire up a temporary FreeNAS as a VM and VLAN it over there... Then when the project is done they can put the files into their regular archive.

For the small engineering group I work with, we use a Synology and it works really well. Can do the "Share" link, give companies portal access... etc. We need a local file server for speed as we work with large files.
 
That makes sense to me too, but it seems like this client is one of those "cloud deniers" which I often run into as well. They claim that either the cloud does not exist at all, or that it popped into existence due to natural effects and humans did not contribute to it. Whatever.

Sometimes they just don't know what it is.
Present it with its low cost, ease of maintenance (versus constant support of VPN clients), ease and efficiency of use, and its inherent security to isolate them from the rest of your stuff.
 
Depending on scale and budget, the simple solution is option 2: create another network on a spare SonicWall port if they have a spare/DMZ port. Then make sure the firewall rules allow only the necessary access (your client must access the NAS I presume, but not vice versa). In no way would I grant the other company access to the production LAN. NTFS and share permissions are all well and good, but it is so easy for someone to share a folder with the default Everyone/Full Control. Not worth the risk. If your client wants the data/files to be processed in their office then maybe a Remote Desktop server, aka Terminal Server, would be appropriate, or even just a couple of dedicated Windows PCs accessed via RDP.

I'd also want to limit this partner company's VPN user access to just their office IP address if at all possible. I'd look at whether configuring a small hardware IPsec VPN endpoint with proper site-to-site VPN and access control rules to be installed at the partner company would be better suited, rather than giving out VPN usernames and passwords to people.
 
That makes sense to me too, but it seems like this client is one of those "cloud deniers" which I often run into as well. They claim that either the cloud does not exist at all, or that it popped into existence due to natural effects and humans did not contribute to it. Whatever.

I think creating another VPN user group, and another LAN Subnet would be a good idea. If they have a server already or any form of virtualization, might be least expensive to fire up a temporary FreeNAS as a VM and VLAN it over there... Then when the project is done they can put the files into their regular archive.

For the small engineering group I work with, we use a Synology and it works really well. Can do the "Share" link, give companies portal access... etc. We need a local file server for speed as we work with large files.

Sure, but it is NOT the subnet that makes it private being by default routing will take place. Additionally, VLANs on Layer-3 devices do not add privacy because the VLAN tags get stripped off when routing occurs... and the packets get placed on a new Layer-2 network at the final destination tagged whatever VLAN the Layer-3 Interface on that subnet is on.
 
Another option: purchase a NAS just for this project, pop open the web ports for remote web access to the directories, put ACLs on the firewall allowing access only from the client's office IP(s). Can increase smoothness by running a sync client on the client's side, or even setting up another NAS there and having them replicate to each other (like a long-distance DFS).

What I would consider important to my client (and them to their client)... is the smoothness and ease of operation working with these large files. As typically engineering firms work with very, very large files. I'm not talking 5 or 20 or 50 megs... I'm talking hundreds of megs for just 1 file, even more, depending on what it is they're using. For your client's client to VPN in and download a file to work on it... and then upload it... you're limited to whatever bandwidth is available on the UPLOAD of each client's site. Likely less than 20 meg, probably under 10, on each side. Add VPN overhead... you've got time to go roast the beans, grind 'em, and brew a cup of coffee... while downloading or uploading a file to work on.

Trust me when I say the way they often work, those guys don't have a lot of patience. They often need something NOW to open up and print it on the plotter and go run out with it to hand to the crew to go work on. We have a client that is one of the larger construction firms around that builds public works buildings for cities. Their office is near ours, and for the past year or more they've partnered with another company up in our state capital... they have a co-lo branch office up there near that huge construction site. They need to get drawings back 'n forth; we use Datto Drive to sync two folders between servers at each end. Securely, with granular permissions control. And there's no way the other company's guys can get anywhere else on the server... only what's synced within those folders. So performance-wise, the file is always opened and saved "locally"... so it's fast. Soon as it's changed and saved... it syncs to the other side behind the scenes quickly.

Keeps it "so dang easy"... oh yeah, and barely any cost at all.
 
I know you said the owner didn't prefer cloud stuff, but maybe go over costs, etc. vs doing it in house? I think the easier and probably cheaper solution is something cloud based like Dropbox. Dropbox for Business seems to be a fairly common app that people use, or if you know of a similar alternative that you prefer, use that. Then just create an account, install the client on your server and have it sync the directory they need to access which contains the files. Then invite them to access that shared folder. That way anything you dump into the folder gets synced to them, and they can edit and change things directly on their PC and the changes update back to your server. Then just run backups on a regular interval to ensure that someone doesn't fubar something and you're gold. The scenario just seems too simple; I wouldn't try to over-complicate it.
 
If they're concerned with security at that level, then something like SpiderOak or (as was suggested) a Datto, or anything else that provides a "cloudlike" interface with all storage actually on an internal network.
 
All of the above is great. But the OP has not specified what the actual scope is. What is being shared? What is being done? What is going on between the existing customer and their new external customer?
 
Engineering firm, ~10 users, some of them are programmers and they have a server with special software for versioning and collaborating on code.

What's the software? My impression from the original post is that they don't just need to share/sync files, they need to share a database.
 
Thank you all!

So I ended up just diving into this. If only I had realized I was getting notifications of these responses. But sometimes you have to learn things the hard way.

One of the first facts I came to realize is that there are SO many ways to do this. Incidentally, I concocted a strategy almost identical to
That makes sense to me too, but it seems like this client is one of those "cloud deniers" which I often run into as well. They claim that either the cloud does not exist at all, or that it popped into existence due to natural effects and humans did not contribute to it. Whatever.

I think creating another VPN user group, and another LAN Subnet would be a good idea.

It's just my practice to not bother directly arguing with scientists/engineers, especially about the cloud.

So I learned that they are using an open-source program that runs an Apache server inside of a LAN. When I would ask questions about the nature of the data being shared, I got clear signals that they don't even want to discuss it with me. Something in the realm of patent law, I would imagine.

Maybe there were some errors in planning on my part here:
I recommended that they purchase a small Windows Server, run it off of an extra interface port from the SonicWall, and intentionally not join that server to their domain. And I was confident I could figure out a way to make the SonicWall do what was needed. I am STUCK.

I just ran a network cable from a free port on the SonicWall, X2, straight into the server. Let's say their main subnet was 192.168.168.x, connecting to the X0 port.
I configured the X2 port to act as a new DHCP server and gateway, in the 192.168.169.0 range, let's say.
I did not create a VLAN.

By accessing the firewall matrix, I succeeded in creating a secondary subnet that could not see the primary one. But users within the primary one could access the secondary one.

So of course I had to test this externally, so I connected my laptop to my phone's mobile hotspot and used the SonicWall Global VPN Client to tunnel in. But no matter what I do, it just assigns me an IP address in the primary 192.168.168.x network.

....about 5 hours later....

I figured out how to default ALL VPN users into the secondary network. But I am unable to implement a group policy. I must have read 50 articles from the SonicWall website. Of course I won't bill them for all of this research, but I can't just redesign the whole system.

Anybody here ever use a SonicWall Global VPN ACL control successfully?

Thanks so much to everyone.
 
By default if you have a directly connected firewall to a layer-3 device, it will do routing and there will be access unless you did actually put them into a different firewall zone as recommended.
 
I'm not sure that you can assign different VPN users to different subnets, if that's what you're asking. You should now be able to assign rules between the subnets, as they'll need to communicate through the router (versus just a switch).
 
By default if you have a directly connected firewall to a layer-3 device, it will do routing and there will be access unless you did actually put them into a different firewall zone as recommended.

Not sure what you mean here? That if I create firewall zones and associate them with the user groups, it will solve my problem. I did that, though maybe incorrectly.



I'm not sure that you can assign different VPN users to different subnets, if that's what you're asking. You should now be able to assign rules between the subnets, as they'll need to communicate through the router (versus just a switch).

Had that working within 2 minutes. Main network can ping anything in the secondary network, but not vice versa.
There must be a way to say WAN via VPN -> default subnet -> who are you? -> external users are sent over to the secondary subnet and assigned a new IP.

Thank you
 
I still don't quite understand. When you set up the VPN, you can assign them a separate DHCP server in whatever subnet you want. Is the issue that you want some VPN users in one subnet, and some in the other subnet?
 
I'm not sure if you can do that with a SonicWall. Maybe you can configure the Global VPN Client to go one way, and the SSL VPN client to go the other. I've never tried it though.
 
Not sure what you mean here? That if I create firewall zones and associate them with the user groups, it will solve my problem. I did that, though maybe incorrectly.

Had that working within 2 minutes. Main network can ping anything in the secondary network, but not vice versa.
There must be a way to say WAN via VPN -> default subnet -> who are you? -> external users are sent over to the secondary subnet and assigned a new IP.

Thank you

Yes, you can control access between subnets with intrazone firewall rules if you like, but the default for intrazone traffic is to allow it, whereas by default interzone traffic is blocked.

All I mean is that to create another subnet on a firewall, ultimately all you have to do is assign an IP address with subnet mask to an interface, and that creates a "directly connected" subnet for which it will automatically do routing. Depending upon the firewall, it will probably show up in the default instance of the virtual router or default VRF.

All I am saying is if you have multiple interfaces in the same zone and you assign them IP addresses and subnet masks, this creates different subnets for which the firewall will do routing and not block the traffic between them.
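The zone behaviour described in this reply and in the earlier "option #3" post (two directly connected subnets route freely when their interfaces share a zone; a separate zone blocks interzone traffic unless a rule allows it) can be modelled in a few lines. This is an added, simplified model written for this thread, not SonicWall's own policy engine; the X0/X2 ports and 192.168.168.0/24 / 192.168.169.0/24 subnets come from the thread, while the "PARTNER" zone name, the single allow rule and the .10 host addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field

# Simplified zone model: traffic between interfaces in the same zone is
# allowed by default, traffic between zones is denied unless an explicit
# allow rule exists. Illustration only, not SonicWall's implementation.

@dataclass
class Interface:
    name: str                      # port name, e.g. "X0" or "X2"
    zone: str                      # firewall zone the port is assigned to
    subnet: ipaddress.IPv4Network  # directly connected subnet on the port

@dataclass
class Firewall:
    interfaces: list
    allow_rules: set = field(default_factory=set)  # (src_zone, dst_zone)

    def zone_of(self, ip):
        """Zone of the directly connected subnet that contains ip, if any."""
        addr = ipaddress.ip_address(ip)
        for iface in self.interfaces:
            if addr in iface.subnet:
                return iface.zone
        return None

    def permits(self, src_ip, dst_ip):
        """Can a host at src_ip open a connection to dst_ip?"""
        src_zone, dst_zone = self.zone_of(src_ip), self.zone_of(dst_ip)
        if src_zone is None or dst_zone is None:
            return False                      # unknown subnet: no route
        if src_zone == dst_zone:
            return True                       # intrazone: routed and allowed
        return (src_zone, dst_zone) in self.allow_rules  # interzone needs a rule

LAN_NET = ipaddress.ip_network("192.168.168.0/24")      # X0, staff network
PARTNER_NET = ipaddress.ip_network("192.168.169.0/24")  # X2, partner server

def same_zone_setup():
    """X2 left in the LAN zone: a second subnet, but not an isolated one."""
    return Firewall([Interface("X0", "LAN", LAN_NET),
                     Interface("X2", "LAN", PARTNER_NET)])

def separate_zone_setup():
    """X2 in its own zone (assumed name PARTNER); staff may reach the partner
    server, but nothing initiated from the partner side reaches the LAN."""
    return Firewall([Interface("X0", "LAN", LAN_NET),
                     Interface("X2", "PARTNER", PARTNER_NET)],
                    allow_rules={("LAN", "PARTNER")})

if __name__ == "__main__":
    for label, fw in (("same zone", same_zone_setup()),
                      ("separate zone", separate_zone_setup())):
        print(label,
              "partner->staff:", fw.permits("192.168.169.10", "192.168.168.10"),
              "staff->partner:", fw.permits("192.168.168.10", "192.168.169.10"))
```

Running it shows the first setup letting the partner subnet initiate connections into the staff LAN, which is exactly the exposure the thread warns about, and the second setup closing it while the LAN-to-partner rule still works.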
 