Network_netZones
A zone is a logical grouping of one or more interfaces designed to make management, such as the definition and application of Access Rules, a simpler and more intuitive process than following strict physical interface scheme. Zone-based security is a powerful and flexible method of managing both internal and external network segments, allowing the administrator to separate and protect critical internal network resources from unapproved access or attack.
A network security zone is simply a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another zone. Security zones provide an additional, more flexible, layer of security for the firewall. With the zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface.
For more information on configuring interfaces, see Network > Interfaces.
SonicOS Enhanced zones allows you to apply security policies to the inside of the network. This allows the administrator to do this by organizing network resources to different zones, and allowing or restricting traffic between those zones. This way, access to critical internal resources such as payroll servers or engineering code servers can be strictly controlled.
Zones also allow full exposure of the NAT table to allow the administrator control over the traffic across the interfaces by controlling the source and destination addresses as traffic crosses from one zone to another. This means that NAT can be applied internally, or across VPN tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone.
An easy way to visualize how security zones work is to imagine a large new building, with several rooms inside the building, and a group of new employees that do not know their way around the building. This building has one or more exits, which can be thought of as the WAN interfaces. The rooms within the building have one or more doors, which can be thought of as interfaces. These rooms can be thought of as zones inside each room are a number of people. The people are categorized and assigned to separate rooms within the building. People in each room going to another room or leaving the building, must talk to a doorperson on the way out of each room. This doorperson is the inter-zone/intra-zone security policy, and the doorperson’s job to consult a list and make sure that the person is allowed to go to the other room, or to leave the building. If the person is allowed (i.e. the security policy lets them), they can leave the room via the door (the interface).
Upon entering the hallway, the person needs to consult with the hallway monitor to find out where the room is, or where the door out of the building is located. This hallway monitor provides the routing process because the monitor knows where all the rooms are located, and how to get in and out of the building. The monitor also knows the addresses of any of the remote offices, which can be considered the VPNs. If the building has more than one entrance/exit (WAN interfaces), the hallway monitor can direct people to use the secondary entrance/exit, depending upon how they’ve been told to do so (i.e. only in an emergency, or to distribute the traffic in and out of the entrance/exits). This function can be thought of as WAN Load Balancing.
There are times that the rooms inside the building have more than one door, and times when there are groups of people in the room who are not familiar with one another. In this example, one group of people uses only one door, and another group uses the other door, even though groups are all in the same room. Because they also do not recognize each other, in order to speak with someone in another group, the users must ask the doorperson (the security policy) to point out which person in the other group is the one with whom they wish to speak. The doorperson has the option to not let one group of people talk to the other groups in the room. This is an example of when zones have more than one interface bound to them, and when intra-zone traffic is not allowed.
Sometimes, people will wish to visit remote offices, and people may arrive from remote offices to visit people in specific rooms in the building. These are the VPN tunnels. The hallway and doorway monitors check to see if this is allowed or not, and allow traffic through. The doorperson can also elect to force people to put on a costume before traveling to another room, or to exit, or to another remote office. This hides the true identity of the person, masquerading the person as someone else. This process can be thought of as the NAT policy.
The predefined zones on your the SonicWALL security appliance depend on the device.The predefined security zones on the SonicWALL security appliance are not modifiable and are defined as follows:
• WAN: This zone can consist of either one or two interfaces. If you’re using the security appliance’s WAN failover capability, you need to add the second Internet interface to the WAN zone.
• LAN: This zone can consist of one to five interfaces, depending on your network design. Even though each interface will have a different network subnet attached to it, when grouped together they can be managed as a single entity. This zone supports guest service configurations.
• DMZ: This zone is normally used for publicly accessible servers. This zone can consist of one to four interfaces, depending on you network design. This zone supports guest service configurations.
• VPN: This virtual zone is used for simplifying secure, remote connectivity. It is the only zone that does not have an assigned physical interface.
• MULTICAST: This zone provides support for IP multicasting, which is a method for sending IN packets from a single source simultaneously to multiple hosts.
• WLAN: This zone provides support to SonicWALL SonicPoints. When assigned to the Opt port, it enforces SonicPoint Enforcement, automatically dropping all packets received from non-SonicPoint devices. The WLAN zone supports SonicPoint Discovery Protocol (SDP) to automatically poll for and identify attached SonicPoints. It also supports SonicWALL Simple Provisioning Protocol to configure SonicPoints using profiles.
On a SonicWALL TZ Wireless appliance the W0 interface is assigned to the WLAN zone. The WLAN zone works with the built-in 802.11b/g antennas when assigned to the WLAN interface, and does not enforce SonicPoint Enforcement, SDP, or SSPP.
Where Guest Services are supported, either wired or wireless devices Guest login is supported.
Note Even though you may group interfaces together into one security zone, this does not preclude you from addressing a single interface within the zone.
Each zone has a security type, which defines the level of trust given to that zone. There are five security types:
• Trusted: Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted.
• Encrypted: Encrypted is a security type used exclusively by the VPN zone. All traffic to and from an Encrypted zone is encrypted.
• Wireless: Wireless is a security type applied to the WLAN zone or any zone where the only interface to the network consists of SonicWALL SonicPoint devices. Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless zone activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.
• Public: A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default traffic from DMZ to LAN is denied. But traffic from LAN to ANY is allowed. This means only LAN initiated connections will have traffic between DMZ and LAN. The DMZ will only have default access to the WAN, not the LAN.
• Untrusted: The Untrusted security type represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the security appliance.By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.
The Allow Interface Trust setting in the Add Zone window automates the creation of Access Rules to allow traffic to flow between the interface of a zone instance. For example, if the LAN zone has both the LAN and X3 interfaces assigned to it, checking Allow Interface Trust on the LAN zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
Enabling SonicWALL Security Services on Zones
You can enable SonicWALL Security Services for traffic across zones. For example, you can enable SonicWALL Intrusion Prevention Service for incoming and outgoing traffic on the WLAN zone to add more security for internal network traffic. You can enable the following SonicWALL Security Services on zones:
• Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
• Enforce Client Anti-Virus Service - Enforces anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones.
• Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones.
• Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
• Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
• Create Group VPN - Creates a GroupVPN policy for the zone, which is displayed in the VPN Policies table on the VPN > Settings page. You can customize the GroupVPN policy on the VPN > Settings page. If you uncheck Create Group VPN, the GroupVPN policy is removed from the VPN > Settings page.
The Zone Settings table displays a listing of all the SonicWALL security appliance default predefined zones as well as any zones you create. The table displays the following status information about each zone configuration:
• Name: Lists the name of the zone. The predefined LAN, WAN, WLAN, VPN, and Encrypted zone names cannot be changed.
• Security Type: Displays the security type: Trusted, Untrusted, Public, Wireless, or Encrypted.
• Member Interfaces: Displays the interfaces that are members of the zone.
• Interface Trust: A check mark indicates the Allow Interface Trust setting is enabled for the zone.
• Content Filtering: A check mark indicates SonicWALL Content Filtering Service is enabled for traffic coming in and going out of the zone.
• Client Anti-Virus: A check mark indicates SonicWALL Client Anti-Virus is enabled for traffic coming in and going out of the zone. SonicWALL Client Anti-Virus manages an anti-virus client application on all clients on the zone.
• Gateway Anti-Virus: A check mark indicates SonicWALL Gateway Anti-Virus is enabled for traffic coming in and going out of the zone. SonicWALL Gateway Anti-Virus manages the anti-virus service on the SonicWALL appliance.
• Anti-Spyware Service - A check mark indicates SonicWALL Anti-Spyware detection and prevention is enabled for traffic through interfaces in the zone.
• IPS: A check mark indicates SonicWALL Intrusion Prevention Service is enabled for traffic coming in and going out of the zone.
• Configure: Clicking the icon displays the Edit Zone window. Clicking the delete icon deletes the zone. The delete icon is dimmed for the predefined zones. You cannot delete these zones.
To add a new zone, click Add under the Zone Settings table. The Add Zone window is displayed.
Step 1 Type a name for the new zone in the Name field.
Step 2 Select a security type Trusted, Public or Wireless from the Security Type menu. Use Trusted for zones that you want to assign the highest level of trust, such as internal LAN segments. Use Public for zones with a lower level of trust requirements, such as a DMZ interface. Use Wireless for the WLAN interface.
Step 3 If you want to allow intra-zone communications, select Allow Interface Trust. If not, select the Allow Interface Trust checkbox.
Step 4 Select any of the SonicWALL Security Services you want to enforce on the zone. You can select:
– SonicWALL Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones. To apply a Content Filtering Service (CFS) policy to the zone, select the policy from the CFS Policy pull-down menu.
– SonicWALL Enforce Client Anti-Virus Service - Enforces Client Anti-Virus protection on multiple interfaces in the same Trusted, Public or WLAN zones, using the SonicWALL Client Anti-Virus client on your network hosts.
– Enable Gateway Anti-Virus Service - Enforces gateway anti-virus protection on your SonicWALL security appliance for all clients connecting to this zone. SonicWALL Gateway Anti-Virus manages the anti-virus service on the SonicWALL appliance.
– SonicWALL Intrusion Protection Service (IPS) - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
– Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
– Create Group VPN - Automatically creates a SonicWALL GroupVPN Policy for this zone. You can customize the GroupVPN Policy in the VPN > Settings page.
Caution Unsetting the Create Group VPN checkbox will remove any corresponding GroupVPN policy.
– Enable SSL Control - Enables SSL Control on the zone. All new SSL connections initiated from that zone will now be subject to inspection. Note that SSL Control must first be enabled globally on the Firewall > SSL Control page. For more information, see Firewall Settings > SSL Control.
Step 5 Click OK. The new zone is now added to the SonicWALL security appliance.
You can delete a user-created zone by clicking the delete icon in the Configure column. The Delete icon is unavailable for the predefined zones. You cannot delete these zones. Any zones that you create can be deleted.
Configuring a Zone for Guest Access
SonicWALL User Guest Services provides network administrators with an easy solution for creating wired and wireless guest passes and/or locked-down Internet-only network access for visitors or untrusted network nodes. This functionality can be extended to wireless or wired users on the WLAN, LAN, DMZ, or public/semi-public zone of your choice.
To configure Guest Services feature:
Step 1 Navigate to the Network > Zones page in the SonicOS management interface.
Step 2 Under the Configure column, click the pencil icon button for the zone where you wish to add Guest Services. The Edit Zone menu comes up.
Step 3 Click the Guest Services tab.
Step 4 Choose from the following configuration options for Guest Services:
– Enable Guest Services - Enables guest services on the WLAN zone.
– Enable inter-guest communication - Allows guests to communicate directly with other users who are connected to this zone.
– Bypass AV Check for Guests - Allows guest traffic to bypass Anti-Virus protection.
– Enable External Guest Authentication - Requires guests connecting from the device or network you select to authenticate before gaining access. This feature, based on Lightweight Hotspot Messaging (LHM) is used for authenticating Hotspot users and providing them parametrically bound network access.
Note Refer to the SonicWALL Lightweight Hotspot Messaging Tech Note available at the SonicWALL documentation Web site http://www.sonicwall.com/us/Support.html for complete configuration of the Enable External Guest Authentication feature.
– Custom Authentication Page - Redirects users to a custom authentication page when they first connect to the network. Click Configure to set up the custom authentication page. Enter either a URL to an authentication page or a custom challenge statement in the text field, and click OK.
– Post Authentication Page - Directs users to the page you specify immediately after successful authentication. Enter a URL for the post-authentication page in the field.
– Bypass Guest Authentication - Allows the Guest Services feature to integrate into environments already using some form of user-level authentication. This feature automates the authentication process, allowing wireless users to reach Guest Services resources without requiring authentication. This feature should only be used when unrestricted Guest Service access is desired, or when another device upstream is enforcing authentication.
– Redirect SMTP traffic to - Redirects SMTP traffic incoming on this zone to an SMTP server you specify. Select the address object to redirect traffic to.
– Deny Networks - Blocks traffic to the networks you name. Select the subnet, address group, or IP address to block traffic to.
– Pass Networks - Allows traffic through the Guest Service-enabled zone to the networks you select.
– Max Guests - Specifies the maximum number of guest users allowed to connect to this zone. The default setting is 10.
Special Guest Services Features for Wireless Zones
– Enable Dynamic Address Translation (DAT) - Guest Services provides spur of the moment “hotspot” access to wireless-capable guests and visitors. For easy connectivity, Guest Services allows wireless users to authenticate and associate, obtain IP settings, and authenticate using any Web-browser. Without DAT, if a guest user is not a DHCP client, but instead has static IP settings incompatible with the Wireless WLAN network settings, network connectivity is prevented until the user’s settings change to compatible values. Dynamic Address Translation (DAT) is a form of Network Address Translation (NAT) that allows the system to support any IP addressing scheme for guest users. For example, the Wireless WLAN interface is configured with its default address of 172.16.31.1, and one guest client has a static IP address of 192.168.0.10 and a default gateway of 192.168.0.1, while another has a static IP address of 10.1.1.10 and a gateway of 10.1.1.1, and DAT enables network communication for both of these clients.
Step 5 Click OK to apply these settings to this zone.
Step 1 Click the Edit icon for the WLAN zone. The Edit Zone window is displayed.
Step 2 In the General tab, select the Allow Interface Trust setting to automate the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance. For example, if the LAN zone has both the LAN and X3 interfaces assigned to it, checking Allow Interface Trust on the LAN zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
Step 3 Select any of the following settings to enable the SonicWALL Security Services on the WLAN zone:
– Enforce Content Filtering Service - Enforces content filtering on multiple interfaces in the same Trusted, Public and WLAN zones.
– Enforce Client Anti-Virus Service - Enforces managed anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWALL Client Anti-Virus manages an anti-virus client application on all clients on the zone.
– Enable Gateway Anti-Virus - Enforces gateway anti-virus protection on multiple interfaces in the same Trusted, Public or WLAN zones. SonicWALL Gateway Anti-Virus manages the anti-virus service on the SonicWALL appliance.
– Enable IPS - Enforces intrusion detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
– Enable Anti-Spyware Service - Enforces anti-spyware detection and prevention on multiple interfaces in the same Trusted, Public or WLAN zones.
– Create Group VPN - creates a GroupVPN policy for the zone, which is displayed in the VPN Policies table on the VPN > Settings page. You can customize the GroupVPN policy on the VPN > Settings page. If you uncheck Create Group VPN, the GroupVPN policy is removed from the VPN > Settings page.
Step 4 Click the Wireless tab.
Step 5 In the Wireless Settings section, check Only allow traffic generated by a SonicPoint to allow only traffic from SonicWALL SonicPoints to enter the WLAN zone interface. This allows maximum security of your WLAN. Uncheck this option if you want to allow any traffic on your WLAN zone regardless of whether or not it is from a wireless connection.
Tip Uncheck Only allow traffic generated by a SonicPoint and use the zone on a wired interface to allow guest services on that interface.
Step 6 Select SSL VPN Enforcement to require that all traffic that enters into the WLAN zone be authenticated through a SonicWALL SSL VPN appliance.
Step 7 In the SSL VPN Server list, select an address object to direct traffic to the SonicWALL SSL VPN appliance. You can select:
– Create new address object...
– Default Gateway
– Secondary Default Gateway
– X0 IP
– X1 IP
– X2 IP
– X3 IP
– X4 IP
– X5 IP
Step 8 In the SSL VPN Service list, select the service or group of services you want to allow for clients authenticated through the SSL VPN.
Step 9 Under the SonicPoint Settings heading, select the SonicPoint Provisioning Profile you want to apply to all SonicPoints connected to this zone. Whenever a SonicPoint connects to this zone, it will automatically be provisioned by the settings in the SonicPoint Provisioning Profile, unless you have individually configured it with different settings.
Step 10 Select Only allow traffic generated by a SonicPoint to block non-SonicPoint wireless traffic.
Note For Guest Services configuration information, see the Configuring a Zone for Guest Access.
Step 11 Click OK to apply these settings to the WLAN zone.