Security Zones [Dr.WoW] [No.4]

Latest reply: Jun 4, 2016 01:21:45

Thus far, we’ve examined the concepts behind firewalls as well as their developmental history, and I’ve also just introduced Huawei’s firewall products; I trust that everyone now has an elementary understanding of firewalls. Beginning with this section, I’ll detail firewall technologies and continue to explore the amazing world of firewalls.


1 Relationships Between Interfaces, Networks and Security Zones

As we mentioned in section 1 "What Are Firewalls?", firewalls are primarily deployed on network perimeters to help separate/segment them. The question then arises, how can firewalls recognize different networks?

To help answer this question, we’ve incorporated a very important concept for use with firewalls: the security zone, or ‘zone’ for short. A security zone is a grouping of one or more interfaces. Firewalls use security zones to separate/segment networks, thus marking the "route" that packets can travel. Generally speaking, packets are only controlled when passing between two different security zones.

NOTE

Under default settings, packets are controlled when passing between different security zones, but are not controlled when they travel within a single security zone. However, Huawei’s firewalls also support control over packets traveling within the same security zone. The control mentioned here is implemented by "rules", also called "security policies", and we will introduce the specifics of these in "Security Policies."

We all know that firewalls connect networks through interfaces; after interfaces are assigned to security zones, these interfaces can connect security zones to the network. Generally speaking, referring to any one security zone is the same as referring to the network connected to by the security zone’s interface. The relationships between interfaces, networks and security zones are shown in Figure 1-1.

CAUTION

On Huawei’s firewalls, any one interface can only be added to one security zone.

Figure 1-1 Relationships between interfaces, networks and security zones

By assigning interfaces to different security zones, we can create different networks on a firewall. As shown in Figure 1-2, we’ve assigned Interface 1 and Interface 2 to Security Zone A, Interface 3 to Security Zone B, and Interface 4 to Security Zone C. In this way there are three security zones on the firewall, and three corresponding networks.

Figure 1-2 Assigning interfaces to security zones

Huawei’s default setting for its firewalls is to provide three security zones. These are the Trust, DMZ and Untrust security zones. From these names alone it is apparent that these three security zones are rich in meaning, and I’ll delve deeper into this below.

  • The Trust Zone―the trustworthiness of this zone’s network is very high, and this is generally used to define the network on which internal users are located.
  • The DMZ Zone―the trustworthiness of this zone’s network is at an intermediate level, and this is generally used to define the network on which internal servers are located.
  • The Untrust Zone―this zone represents untrustworthy networks, and is generally defined as being the Internet and other unsafe networks.

NOTE

The demilitarized zone (DMZ) is a military term used to describe territory administered in a way that is ‘looser’ than the strict administration of districts under military control, but stricter than loosely administered public spaces. This term has been incorporated into firewall terminology to describe a security zone with a degree of trustworthiness intermediate to those of internal and external networks.

In scenarios where network traffic is relatively light and the network environment is simple, using the provided default security zones is enough to satisfy network segmentation needs. In Figure 1-3, Interface 1 and Interface 2 are connecting to internal users, and so we can assign these two interfaces to the Trust Zone; Interface 3 is connecting to internal servers, and so it can be assigned to the DMZ zone; Interface 4 is connecting to the Internet, and it can be assigned to the Untrust Zone. Of course, for network settings with more data traffic, we can create new security zones based upon need.

Figure 1-3 Assigning interfaces to default security zones

Therefore, we can describe the route taken by packets through the firewall when users from different networks communicate with one another. For example, when users in internal networks access the Internet, the ‘route’ for packets through the firewall is from the Trust Zone to the Untrust Zone; when Internet users access internal servers, the route of packets through the firewall is from the Untrust Zone to the DMZ Zone.

In addition to packets passing between different networks, there are also packets sent from networks to the firewall itself (for example when we log into the firewall to configure it), as well as packets sent out by the firewall. How can the routes taken by these packets be identified on the firewall?

As shown in Figure 1-4, a Local Zone is provided on the firewall―this represents the firewall itself. Any packets actively sent out by the firewall can be deemed to have been sent from the Local Zone; any packets that the firewall itself must respond to or process (as opposed to forward) can be deemed to have been received by the Local Zone.

Figure 1-4 Local security zone

I’ll also add one reminder about the Local Zone: no interfaces can be added to the Local Zone, yet all of the firewall’s interfaces are implicitly present in it. This is to say that when packets pass through an interface towards a network, their destination security zone is the security zone in which the interface is located, but when packets pass through an interface to the firewall itself, their destination security zone is simply the Local Zone. This allows all equipment/devices under an interface to be able to access the firewall itself. This also makes the Local Zone’s relationship to the other security zones more explicit, thus killing two birds with one stone.

2 Direction of Packet Flow Between Security Zones

As I explained above, different networks have different levels of trustworthiness. After using security zones to define networks on firewalls, how can we deduce the trustworthiness of a security zone? On Huawei’s firewalls, every security zone must have its own unique security level from 1-100; the larger the number, the higher the trustworthiness of the zone’s network. For default security zones, the security rating is fixed. The Local Zone’s security level is 100, the Trust Zone’s security level is 85, the DMZ’s security level is 50, and the Untrust Zone’s security level is 5.

Setting security levels separates security zones by rank. When packets pass between two security zones, our rule is that when packets pass from low-level security zones to high-level security zones, the packet’s direction is considered to be Inbound; when packets pass from high-level security zones to low-level security zones the packet’s direction is considered to be Outbound. Figure 1-5 details the directions for packets passing between the Local Zone, the Trust Zone, the DMZ Zone, and/or the Untrust Zone.

Figure 1-5 Direction of packets passing between security zones

By configuring security levels, each security zone on the firewall has an explicit, tiered relationship with one another. Different security zones represent different networks, and the firewall serves as the node that connects all the networks together. With this architecture as a foundation, the firewall can manage and control packets passing between each network.

How do firewalls determine which two security zones a packet is passing between? First, the source security zone can be easily determined, as the security zone for whichever interface the firewall receives a packet from is the source security zone for the packet.

There are two different scenarios to consider when determining the destination security zone. Under a Layer 3 model, the firewall confirms which interface a packet will be sent out from by checking against the routing table―this interface’s security zone is the destination security zone for the packet. Under a Layer 2 model, the firewall checks the MAC address forwarding table to confirm which interface the packet will be sent out from―this interface’s security zone is the destination security zone for the packet. After the source security zone and the destination security zone are confirmed, the two security zones a packet is traveling between can be ascertained.

There is also another scenario. This involves VPN settings in which the packet a firewall receives is an encapsulated packet. The firewall decapsulates the packet to obtain the original packet, and then checks a routing table to determine the destination security zone―the security zone for whichever interface the packet will be sent out from is the destination security zone for the packet. However, the source security zone cannot be simply determined according to the interface that receives the packet, and so the firewall will use "reverse route table checking" to determine the source security zone for the original packet. More specifically, the firewall treats the original packet’s source address as if it were a destination IP address, and then uses the routing table to determine which interface a packet with this destination IP address would be sent from―this interface’s security zone is the security zone such a packet would be sent to. But as the real situation is the reverse of this, we have actually determined the security zone from which the packet has been sent, and so the security zone found using this "reverse route table checking" method is in fact the source security zone for the packet.
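
The zone and direction lookups described in this section, as an added example that is not part of the original post (Python; the interface-to-zone mapping, routing table and addresses are constructed for illustration, and the reverse route lookup is applied when no receiving interface is known, as for a decapsulated VPN packet):

```python
import ipaddress

# Default Huawei zones and their fixed security levels, as given in the text.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Constructed interface-to-zone assignment modelled on Figure 1-3.
IFACE_ZONE = {"GE0/0/1": "trust", "GE0/0/2": "trust",
              "GE0/0/3": "dmz", "GE0/0/4": "untrust"}

# Constructed Layer 3 routing table: (prefix, egress interface); longest prefix wins.
ROUTES = [("192.168.0.0/16", "GE0/0/1"),
          ("10.1.1.0/24", "GE0/0/3"),
          ("0.0.0.0/0", "GE0/0/4")]

def egress_interface(ip):
    """Route lookup: the interface the firewall would send a packet for `ip` out of."""
    addr, best = ipaddress.ip_address(ip), None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise LookupError(f"no route to {ip}")
    return best[1]

def direction(src_zone, dst_zone):
    """Low level -> high level is Inbound; high -> low is Outbound."""
    if src_zone == dst_zone:
        return "intra-zone"
    return "inbound" if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone] else "outbound"

def classify(src_ip, dst_ip, in_iface=None, to_firewall=False):
    """Return (source zone, destination zone, direction) for one packet.
    in_iface=None models a VPN-decapsulated packet, whose source zone comes from
    a reverse route lookup on the source address rather than the receiving interface."""
    if in_iface is not None:
        src_zone = IFACE_ZONE[in_iface]
    else:
        # Reverse lookup: treat the source address as a destination and take the zone
        # of the interface it would leave by; that is the zone it actually came from.
        src_zone = IFACE_ZONE[egress_interface(src_ip)]
    # Packets addressed to the firewall itself terminate in the Local zone.
    dst_zone = "local" if to_firewall else IFACE_ZONE[egress_interface(dst_ip)]
    return src_zone, dst_zone, direction(src_zone, dst_zone)
```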

Confirming a packet’s source and destination security zones is the premise for us to accurately configure security policies, and it is vital that everyone understands the methods for determining a packet’s source and destination security zones. We’ll also discuss this while configuring security policies later in this manual.

3 Security Zone Configuration

Security zone configuration primarily involves creating security zones and adding interfaces to security zones. Below is an example of creating a new security zone and then adding Interface GE0/0/1 to this security zone (Interface GE0/0/1 can work on either a Layer 3 model or a Layer 2 model).

The configuration commands are very simple. The only thing to pay attention to is that newly created security zones do not have security levels, and we need to configure a security level for them before adding an interface to the security zone. Of course, as security levels are unique, the configured security level cannot be the same as any existing security zone’s rating.

[FW] firewall zone name test                          //creates security zone test
[FW-zone-test] set priority 10                        //sets security level to 10
[FW-zone-test] add interface GigabitEthernet 0/0/1    //adds Interface GE0/0/1 to security zone test
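
As an added example that is not from the original post, a small Python checker that replays zone-view commands such as the three above and enforces the rules just stated (a unique level in 1-100 must be set before interfaces are added, an interface belongs to one zone only, and the Local Zone takes no interfaces). The `firewall zone <name>` form for entering an existing zone and the way it normalises interface names are assumptions of this example:

```python
import re

# Default zones with their fixed security levels, as given in the text.
DEFAULT_ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Constructed sample input: the page's own three commands, prompts included.
GOOD_CONFIG = """[FW] firewall zone name test
[FW-zone-test] set priority 10
[FW-zone-test] add interface GigabitEthernet 0/0/1
"""

def check_zone_config(text):
    """Replay zone-view commands and enforce the rules from the text: a zone needs a
    unique level in 1-100 before interfaces are added, an interface belongs to one
    zone only, and the Local zone takes no interfaces. Returns (zones, errors)."""
    zones = {n: {"priority": p, "interfaces": []} for n, p in DEFAULT_ZONES.items()}
    errors, cur = [], None
    for raw in text.splitlines():
        # Drop the "[FW...]" prompt and any trailing "//" comment
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw).split("//")[0].strip()
        if not line:
            continue
        if line == "quit":
            cur = None
        elif m := re.match(r"firewall zone (?:name )?(\S+)$", line):
            cur = m.group(1)                      # create, or enter an existing zone
            zones.setdefault(cur, {"priority": None, "interfaces": []})
        elif cur is None:
            errors.append(f"'{line}' issued outside a zone view")
        elif m := re.match(r"set priority (\d+)$", line):
            level = int(m.group(1))
            taken = {z["priority"] for n, z in zones.items() if n != cur}
            if not 1 <= level <= 100:
                errors.append(f"{cur}: priority {level} outside 1-100")
            elif level in taken:
                errors.append(f"{cur}: priority {level} already used by another zone")
            else:
                zones[cur]["priority"] = level
        elif m := re.match(r"add interface (.+)$", line):
            iface = m.group(1).replace(" ", "")   # "GigabitEthernet 0/0/1" -> no space
            owner = next((n for n, z in zones.items() if iface in z["interfaces"]), None)
            if cur == "local":
                errors.append("local: the Local zone cannot have interfaces")
            elif zones[cur]["priority"] is None:
                errors.append(f"{cur}: set priority before adding {iface}")
            elif owner is not None:
                errors.append(f"{cur}: {iface} is already in zone {owner}")
            else:
                zones[cur]["interfaces"].append(iface)
        else:
            errors.append(f"{cur}: unrecognised command '{line}'")
    return zones, errors
```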

All of the content we discussed above concerned adding a physical interface to a security zone. In addition to physical interfaces, firewalls also support logical interfaces, such as sub-interfaces and VLANIF interfaces. When these logical interfaces are used they also need to be added to security zones. Below, I have given examples of adding sub-interfaces and VLANIF interfaces to security zones.

As shown in Figure 1-6, PC A and PC B belong to different sub-networks, and the network switch, which is connected to the firewall’s GE0/0/1 interface, has segmented PC A’s and PC B’s subnets using two VLANs. This kind of networking is a classic "one-armed" environment for firewalls.

Figure 1-6 Using one firewall interface to connect multiple sub-nets

In this scenario, one of the firewall’s interfaces is connecting two subnets. If we wanted to set different security levels for these two subnets, that is, if we needed to assign PC A and PC B to different security zones, how would we go about configuring this? As any one of a firewall’s interfaces can only be added to one security zone, we cannot achieve this simply by adding Interface GE0/0/1 to a security zone. However, we can use sub-interfaces or VLANIF interfaces to achieve our desired result.

Let’s first take a look at how to create sub-interfaces. First, we establish two sub-interfaces, GE0/0/1.10 and GE0/0/1.20, under interface GE0/0/1. These correspond with VLAN 10 and VLAN 20 respectively. Following this, these two sub-interfaces are assigned to different security zones (Interface GE0/0/1 does not need to be added to a security zone) thus achieving the goal of assigning PC A and PC B to different security zones, as shown in Figure 1-7.

Figure 1-7 Assigning sub-interfaces to security zones

The specifics of configuration are as follows:

[FW] interface GigabitEthernet 0/0/1.10
[FW-GigabitEthernet0/0/1.10] vlan-type dot1q 10
[FW-GigabitEthernet0/0/1.10] ip address 192.168.10.1 24
[FW-GigabitEthernet0/0/1.10] quit
[FW] interface GigabitEthernet 0/0/1.20
[FW-GigabitEthernet0/0/1.20] vlan-type dot1q 20
[FW-GigabitEthernet0/0/1.20] ip address 192.168.20.1 24
[FW-GigabitEthernet0/0/1.20] quit
[FW] firewall zone name trust1
[FW-zone-trust1] set priority 10
[FW-zone-trust1] add interface GigabitEthernet 0/0/1.10
[FW-zone-trust1] quit
[FW] firewall zone name trust2
[FW-zone-trust2] set priority 20
[FW-zone-trust2] add interface GigabitEthernet 0/0/1.20
[FW-zone-trust2] quit

Following the above configuration, PC A has been assigned to the Trust 1 security zone, and PC B has been assigned to the Trust 2 security zone, and we can now exert control over packets from PC A accessing PC B.

Next, we’ll look at how to set up VLANIF interfaces. While still using the network organization from Figure 1-6, we can create two VLANs on the firewall, configure an IP address for each of their VLANIF interfaces, and then configure Interface GE0/0/1 to work in a Layer 2 model (transparent model), allowing VLAN10 and VLAN20’s packets to pass through. Assigning VLANIF10 and VLANIF20 to different security zones (without needing to add GE0/0/1 to a security zone), achieves the goal of assigning PC A and PC B to different security zones, as shown in Figure 1-8.

Figure 1-8 Assigning VLANIF interfaces to security zones

The specifics of configuration are as follows:

[FW] vlan 10
[FW-vlan-10] quit
[FW] interface Vlanif 10
[FW-Vlanif10] quit
[FW] vlan 20
[FW-vlan-20] quit
[FW] interface Vlanif 20
[FW-Vlanif20] quit
[FW] interface GigabitEthernet 0/0/1
[FW-GigabitEthernet0/0/1] portswitch
[FW-GigabitEthernet0/0/1] port link-type trunk
[FW-GigabitEthernet0/0/1] port trunk permit vlan 10 20
[FW-GigabitEthernet0/0/1] quit
[FW] firewall zone name trust1
[FW-zone-trust1] set priority 10
[FW-zone-trust1] add interface Vlanif 10
[FW-zone-trust1] quit
[FW] firewall zone name trust2
[FW-zone-trust2] set priority 20
[FW-zone-trust2] add interface Vlanif 20
[FW-zone-trust2] quit

After completing configuration, PC A has been assigned to the Trust 1 security zone, and PC B has been assigned to the Trust 2 security zone. Control can now be exerted over PC A packets accessing PC B.

Above, we introduced examples of adding sub-interfaces and VLANIF interfaces to security zones. Firewalls also support other logical interfaces besides these two, such as Tunnel interfaces used in Generic Routing Encapsulation (GRE) and Virtual Template interfaces used in the Layer 2 Tunneling Protocol (L2TP). These logical interfaces still need to be added to security zones, and we’ll introduce how to do this in the corresponding GRE and L2TP chapters to follow.

Our introduction of the concepts behind security zones and their configuration is complete. I hope that my introduction has allowed everyone to understand the use of security zones and grasp the relationships between them, as this will provide you with a good foundation for deepening your knowledge of firewalls in the following chapters.

user_2790689
Created Mar 19, 2015 10:27:24

Thank you.

nileshkahar
Created Mar 21, 2015 06:08:33

This is a good guide, which has command lines also.

nileshkahar
Created Mar 21, 2015 06:09:42

Also, please enable the document download button, so that it can be collected for future reference.

tonygjtt
Created Jun 4, 2016 01:21:45

You can download it here; a PDF file is provided at the bottom.

http://forum.huawei.com/enterprise/thread-247527.html
