Question 1: Summarise the configuration of the three-legged firewall in simple words. Also use a screenshot to explain the three-legged firewall network.
i. Firewall Migration:
The eight steps of a successful firewall migration are:
1. Learn the new technology
2. Review current firewall configuration
3. Configuration translation simulation
4. Acceptance tests
5. Declare frozen zone
6. Configuration translation
7. Migration
8. Monitoring phase
1. Learn the new technology
You don’t want to replace your old, loved firewall with a black box you have no idea how to use, right? Even worse, you do not want to run experiments on the production environment while trying to nail down an issue that is disrupting traffic.
To avoid all this, everyone involved in firewall administration has to go through a training plan: familiarize themselves with the new technology, get to know its features, and learn how to configure and troubleshoot them.
The best way is to attend vendor training, or ask your system integrator/consultant for custom-made training that fits the requirements of your network and team.
2. Review current firewall configuration
I almost never saw a firewall configuration that didn’t bloat over time.
Daily activities add more and more rules to the rule base, old services are never removed, and often over-permissive policies allow more traffic than they should. You don’t want to change the firewall and the configuration in one go: that’s a recipe for disaster. Remember to always change one element at a time so that you know how to get back.
3. Configuration translation simulation:
The configuration of your current firewall needs to be rewritten in the syntax of the new one, right?
How much time will that take? Do you need automated tools? How reliable are they?
It’s better to find all this out at an early stage of your migration project.
So, I recommend planning some time to test the migration of the configuration.
4. Acceptance Tests:
Do you remember what you learned in step one?
The idea here is to test that the basic setup works and that the configuration just created works too.
I normally write an Acceptance Test Plan (ATP) that is just a simple list of tests with the expected result of each.
The main focus is on High Availability (HA) test cases: What happens if a link fails? What if the whole box dies? What if…? Get creative.
The same applies to other aspects that can be tested, but realistically not everything can be tested now; otherwise it would be too simple!
Test as much as you can, and record in the ATP document what’s OK and what’s KO.
5. Declare frozen zone:
In step three we figured out how long the config migration will take.
Now it’s time to declare a frozen zone: a period during which any change to the current firewall configuration, such as new policies or changes to existing objects, is avoided or at least tracked very carefully.
This is to avoid new changes being made on the current firewall while the new configuration is being prepared, and getting lost in… translation.
At the beginning of the frozen zone, a copy of the current firewall config will be taken for the next phase.
6. Configuration translation:
In this phase, you repeat what worked in the previous simulation, but pay 3x more attention to every step.
This is the most critical part of the whole project because, if the new configuration is done properly, the migration itself will be smooth!
This is also a good time to plan and write down a roll-back procedure.
Imagine this: things turn awful during the migration, the maintenance window runs out of time, you’re dead tired and you have a headache.
But, you still have to roll-back to the previous firewall and make sure everything is working!
So, make sure you have a written procedure you’re comfortable with.
7. Migration:
I don’t need to tell you this has to be done in a maintenance window, right?
Just pay attention that not all the networks have the lowest utilization at the same time; sometimes it is during weekends, sometimes it is at night, sometimes it is just after office closure.
Anyway, a good suggestion, especially when working in small enterprises, is not to announce the firewall migration to users.
If you have to inform them, just mention some network maintenance but avoid the word “firewall”.
This is because the typical user associates the firewall with that annoying software on their PC that pops up asking them to click something to continue.
For any problem they’ll get the morning after, they’ll blame the firewall, so ignorance is bliss… at least for them!
The people who really need to know about the migration are the application team.
The folks responsible for the services (e-mail, web, database, etc.) must test that everything is okay.
My best advice is to ask them to test the applications before and after the firewall migration.
This is because I ran into a funny situation when, after a migration, I was told that an FTP server decommissioned two years earlier was not reachable…
Let them check before the migration too; are the services okay?
8. Monitoring phase:
If you still remember the beginning of this article, I said there are always some problems that you’ll have to take care of after a migration.
So, it’s crucial to plan a monitoring phase with the technical staff alerted and ready to fix any issue.
For mid-sized enterprises, this may require structuring post-migration support so that the poor FW administrator does not get stuck on the phone instead of working on fixing issues.
I recommend having someone receiving the support requests, filtering them, and ordering them by priority.
This is particularly important, as the NTP server is normally not as critical as the E-mail server, and you want to focus on the important things.
When does the monitoring phase start?
Well, I would say it starts from the moment the new firewall is receiving traffic.
The crucial moment is the end of the maintenance window; are the critical services up and running?
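Step 2 above says the rule base bloats, old services are never removed, and over-permissive policies creep in; the decommissioned FTP server in step 7 is the same problem seen from the other side. The following is an added example, not code from the original article: a small pre-migration audit of a rule base that flags over-permissive allow rules, rules with no hits, and shadowed rules that can never match because an earlier rule already covers them. The rule format, the "any in two of three fields" threshold, first-match evaluation and the sample rule base are all assumptions constructed for this example.

```python
"""Added example: audit a firewall rule base before translating it to the
new vendor's syntax. Rule format, first-match evaluation and the sample
rules below are constructed for this example, not taken from any vendor."""
from ipaddress import ip_network
from typing import List, NamedTuple


class Rule(NamedTuple):
    name: str
    src: str      # CIDR, single host, or "any"
    dst: str      # CIDR, single host, or "any"
    service: str  # "tcp/443", "udp/53", ... or "any"
    action: str   # "allow" or "deny"
    hits: int     # hit counter exported from the current firewall (constructed)


def _net_covers(outer: str, inner: str) -> bool:
    """True if every address in 'inner' is also in 'outer' ("any" covers all)."""
    if "any" in (outer, inner):
        return outer == "any"
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def rule_covers(earlier: Rule, later: Rule) -> bool:
    """True if any packet that would match 'later' is already matched by 'earlier'."""
    return (_net_covers(earlier.src, later.src)
            and _net_covers(earlier.dst, later.dst)
            and earlier.service in ("any", later.service))


def over_permissive(rules: List[Rule]) -> List[str]:
    """Allow rules with 'any' in at least two of source, destination, service (assumed threshold)."""
    return [r.name for r in rules
            if r.action == "allow" and (r.src, r.dst, r.service).count("any") >= 2]


def unused(rules: List[Rule]) -> List[str]:
    """Rules with no hits: candidates for removal rather than translation."""
    return [r.name for r in rules if r.hits == 0]


def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule covers every packet they would."""
    return [r.name for i, r in enumerate(rules)
            if any(rule_covers(prev, r) for prev in rules[:i])]


SAMPLE_RULES = [  # constructed rule base, in evaluation order
    Rule("allow-web", "any", "10.1.0.0/24", "tcp/443", "allow", 9120),
    Rule("allow-dns", "10.2.0.0/16", "10.1.0.53", "udp/53", "allow", 4411),
    Rule("legacy-ftp", "10.2.5.0/24", "10.1.0.20", "tcp/21", "allow", 0),
    Rule("temp-any", "any", "any", "any", "allow", 77),
    Rule("allow-web-host", "10.2.1.0/24", "10.1.0.10", "tcp/443", "allow", 0),
    Rule("deny-all", "any", "any", "any", "deny", 0),
]
```

Running the three checks over SAMPLE_RULES flags temp-any as over-permissive, legacy-ftp as unused, and allow-web-host and deny-all as shadowed; each of those is a rule to question before it is translated.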
====================================================================================
ii. What are the steps involved for configuring site to site Virtual Private Networks (VPNs)?
Applicable Devices are RV132W and RV134W.
Step 1. Log in to the web-based utility and choose VPN > Site-to-Site IPSec VPN > Basic VPN Setup.
Step 2. In the New Connection Name field, enter a name for the VPN tunnel. The name can contain letters, numbers and hyphens only.
Step 3. In the Pre-Shared Key field, enter the pre-shared key or password, which will be exchanged between the two routers. The password must be between 8 and 49 characters.
Step 4. In the Protocol drop-down list, choose the protocol name. The options are:
Step 5. Choose the Remote Endpoint from the drop-down menu. The options are:
Step 6. Enter the remote WAN (Internet) IP address or FQDN in the Remote WAN (Internet) IP Address field.
Step 7. Verify that the source IP address in the Local WAN (Internet) IP Address field is correct. This is generated automatically.
Step 8. Enter the private network (LAN) IP address of the remote endpoint in the Remote LAN (Local Network) IP Address field. This is the IP address of the internal network at the remote site.
Step 9. Verify the private network (LAN) subnet mask of the remote endpoint in the Remote LAN (Internet) Subnet Mask field. This is generated automatically.
Step 10. Enter the private network (LAN) IP address of the local network in the Local LAN (Local Network) IP Address field. This is the IP address of the internal network on the device.
Step 11. Verify the private network (LAN) subnet mask of the local endpoint in the Local LAN (Local Network) Subnet Mask field. This is generated automatically.
Step 12. Click Save.
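As an added example (not Cisco's code and not part of the steps above), the following checks the values you would type into the Basic VPN Setup form before clicking Save. It applies the two constraints the steps state (connection name: letters, numbers and hyphens only; pre-shared key between 8 and 49 characters), accepts an IP address or FQDN for the remote WAN endpoint, and adds one check the steps do not mention: the local and remote LANs from steps 8 to 11 must not overlap, otherwise traffic for the far side is delivered locally instead of through the tunnel. The function names and sample values are constructed.

```python
"""Added example: sanity-check RV132W/RV134W Basic VPN Setup form values
(steps 2-11 above) before saving. Not Cisco's code; the LAN-overlap check
is an added practitioner check, not a constraint the form itself states."""
import re
from ipaddress import ip_address, ip_network
from typing import List

NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")              # step 2: letters, numbers, hyphens
FQDN_RE = re.compile(r"^(?=.{1,253}$)([A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,63}$")


def lan_network(lan_ip: str, subnet_mask: str):
    """LAN IP plus dotted subnet mask -> the network it belongs to."""
    return ip_network(f"{lan_ip}/{subnet_mask}", strict=False)


def remote_endpoint_ok(value: str) -> bool:
    """Step 6 accepts either an IP address or an FQDN for the remote WAN."""
    try:
        ip_address(value)
        return True
    except ValueError:
        return bool(FQDN_RE.match(value))


def validate_basic_vpn_setup(name: str, psk: str, remote_wan: str,
                             remote_lan_ip: str, remote_mask: str,
                             local_lan_ip: str, local_mask: str) -> List[str]:
    """Return a list of problems; an empty list means the form values are consistent."""
    problems = []
    if not NAME_RE.match(name):
        problems.append("connection name may contain letters, numbers and hyphens only")
    if not 8 <= len(psk) <= 49:                        # step 3
        problems.append("pre-shared key must be between 8 and 49 characters")
    if not remote_endpoint_ok(remote_wan):
        problems.append("remote WAN endpoint is neither an IP address nor an FQDN")
    try:
        remote = lan_network(remote_lan_ip, remote_mask)   # steps 8 and 9
        local = lan_network(local_lan_ip, local_mask)      # steps 10 and 11
    except ValueError as exc:
        problems.append(f"invalid LAN address or subnet mask: {exc}")
        return problems
    if remote.overlaps(local):  # added check: both sites need distinct private ranges
        problems.append(f"remote LAN {remote} overlaps local LAN {local}")
    return problems
```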
======================================================================================
iii. What are the two (2) components required to configure remote access VPN?
There are two components required in a remote-access VPN. The first is a network access server (NAS, usually pronounced "nazz" conversationally), also called a media gateway or a remote-access server (RAS). A NAS might be a dedicated server, or it might be one of multiple software applications running on a shared server. It's a NAS that a user connects to from the internet in order to use a VPN. The NAS requires that user to provide valid credentials to sign in to the VPN. To authenticate the user's credentials, the NAS uses either its own authentication process or a separate authentication server running on the network.
The second required component of remote-access VPNs is client software. In other words, employees who want to use the VPN from their computers require software on those computers that can establish and maintain a connection to the VPN. Most operating systems today have built-in software that can connect to remote-access VPNs, though some VPNs might require users to install a specific application instead. The client software sets up the tunneled connection to a NAS, which the user indicates by its internet address. The software also manages the encryption required to keep the connection secure.
===================================================================================
iv. What might be the reason for setup of a VPN Tunnel? Write your response in 50-100 words.
A VPN tunnel adds privacy and security:
A VPN tunnel (often simply referred to as a VPN, or virtual private network) is an encrypted connection between your computer or mobile device and the wider internet. Since your connection is encrypted, nobody along the VPN tunnel is able to intercept, monitor, or alter your communications.
A VPN tunnel hides your location:
A VPN tunnel not only protects you from data being intercepted, but it also hides your IP address, which can otherwise be used to identify you when you are browsing the web. Instead of your real location, the sites you visit will only see the location of the VPN server you are connected to.
A VPN for business:
When a business grows enough to expand to several sites, it is time to create a VPN tunnel. A private data network between the different satellite offices becomes essential, and VPN tunneling is the technology that lets team members in all locations securely access the central network.
Offices in Different Locations:
A VPN tunnel is a convenient and affordable connection between offices in different places and your company’s main branch. Each location has its own network, and through the VPN there is a secure line of communication that lets employees share and discuss relevant business data safely.