7/31/2019 Tippingpoint X505 Training - 03-Zones and Interfaces
1/26
TippingPoint X505 Training: Security Zones and Interfaces
Zones and Interfaces Objectives
> Upon completion of this module, you should be familiar with the following:
Security Zone Types
Zone Configuration
Network Interface Types
Interface configuration
DHCP Server/Client
IP Address Groups
Network Address Translation
Routing Support Network Tools
Security Zones
> What is a Security Zone
A security zone is a network segment or VLAN where access can be policed as traffic passes in and out of the zone
NOTE: Policed means Firewall, IPS and Content Filtering
A user can define multiple security zones, based on their network security needs
Common security zones are LAN, WAN, DMZ and VPN
Think of Zones as a Layer 2 construct
[Diagram: five security zones (LAN 1, LAN 2, WAN, DMZ, VPN) attached to an X505]
> A network with 5 Security Zones
> Traffic (shown in red) passes from one zone to another only if policy permits
> No policy enforcement within a zone! Only between zones
Security Zones
> X505 is fundamentally built on the concept of Security Zones
[Diagram: LAN Security Zone and WAN Security Zone, with the X505 as the Policy Enforcement Point between them]
> Rule 101, remember this:
Policy enforcement occurs between Security Zones
Policy is not enforced within a Security Zone
Policy Enforcement includes:
> Firewall
> Content Filtering
> IPS
Security Zone Types
> Physical Security Zones
Mapped to a single Ethernet port
> Virtual Security Zones
No physical presentation, not mapped to a port
> These zones can only be reached via policy
2 main applications:
> this-device
Used to control access to the X505 itself (device management or SNMP)
Example: If you want to manage the X505 from the LAN zone, make sure you have a policy rule that allows access from the LAN zone to the secure web interface.
> VPN
Used to apply policy for traffic emanating from a VPN tunnel
VPN and Security Zone Interaction
> Traffic from remote sites and/or users connecting to the network via VPN can be terminated into any configured security zone
> In order to provide maximum protection, it may be wise to use the pre-configured VPN zone to implement policy (Firewall and IPS)
Configuring Security Zones
> Using Physical Ports to Create Security Zones
Untagged ports
One Port to one Security Zone
> Using VLANs to Create Security Zones
Tagged ports
Can allow a port to be in more than one security zone (based on VLAN ID). In other words, you are using the VLAN IDs to define the Security Zone, not the physical port.
Allows policy control and routing between VLANs
This would allow you to have more Security Zones than free ports on the device
> Zone Bandwidth Rate Limiting
Use bandwidth rate limiting to guarantee bandwidth for latency sensitive applications
> IP Address Restriction
Enforce restrictions on IP Addresses
> Limit LAN zone to 192.168.1.1 - 192.168.1.99
> Limit LAN2 zone to 192.168.1.100 - 192.168.1.199
Using VLANs for Zones
Default Security Zones
> Default X505 zones:
Security Zones Setup
Security Zone Summary
> Using this model of Security Zones offers:
Flexibility for Internal Security Zones
> Policy control between internal networks, wireless, etc
Increased flexibility for management access
Support for Inter-VLAN Firewalling
Support for complex / flexible control of traffic through VPN tunnels
> All policy is enforced between security zones
Including Firewalling as well as traffic management
> Rule 101
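The zone model above (physical zones on untagged ports, VLAN zones on tagged ports, IP Address Restriction within a port, virtual this-device and VPN zones, and Rule 101) can be expressed as a small classifier plus a rule lookup. The following is an added illustration written for this module, not TippingPoint code: the zone names, port numbers, VLAN IDs, address ranges and rules are constructed, and the real X505 is configured through its web interface rather than any API.

```python
"""Toy model of X505-style security zones and inter-zone policy enforcement.
Added example; zones, ports, VLAN IDs, address ranges and rules are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Zone:
    name: str
    # Physical zone: one untagged port.  VLAN zone: (port, vlan_id).
    # Virtual zone (this-device, VPN): no port, reachable only through policy.
    port: Optional[int] = None
    vlan_id: Optional[int] = None
    allowed: Optional[tuple] = None   # IP Address Restriction: (first, last)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    service: str   # "https", "dhcp", ... or "any"
    action: str    # "permit" or "deny"


class ZoneFabric:
    def __init__(self, zones, rules):
        self.zones = {z.name: z for z in zones}
        self.rules = rules

    def zone_of(self, port, vlan_id, ip):
        """Classify an ingress frame: tagged frames select a zone by (port, VLAN ID),
        untagged frames by port alone; an IP restriction, if set, must also hold.
        Returns None when the frame belongs to no configured zone."""
        addr = IPv4Address(ip)
        for z in self.zones.values():
            if z.port is None or z.port != port:
                continue                       # virtual zone or another port
            if z.vlan_id != vlan_id:
                continue                       # tagged/untagged or VLAN mismatch
            if z.allowed and not (z.allowed[0] <= addr <= z.allowed[1]):
                continue                       # outside the zone's address range
            return z.name
        return None

    def decide(self, src_zone, dst_zone, service):
        """Rule 101: policy is enforced only between zones.  Traffic inside one zone
        is never policed; between zones it is denied unless a permit rule matches."""
        if src_zone is None or dst_zone is None:
            return "deny"
        if src_zone == dst_zone:
            return "permit"
        for r in self.rules:
            if (r.src_zone, r.dst_zone) == (src_zone, dst_zone) \
                    and r.service in (service, "any"):
                return r.action
        return "deny"


def demo():
    """Constructed fabric: LAN and LAN2 share untagged port 1 and are told apart by
    IP Address Restriction; Guest and Servers are VLANs 20 and 30 on tagged port 2."""
    a = IPv4Address
    zones = [
        Zone("LAN",  port=1, allowed=(a("192.168.1.1"),   a("192.168.1.99"))),
        Zone("LAN2", port=1, allowed=(a("192.168.1.100"), a("192.168.1.199"))),
        Zone("Guest",   port=2, vlan_id=20),
        Zone("Servers", port=2, vlan_id=30),
        Zone("WAN", port=4),
        Zone("this-device"),          # virtual: management of the X505 itself
        Zone("VPN"),                  # virtual: traffic emerging from tunnels
    ]
    rules = [
        Rule("LAN", "this-device", "https", "permit"),  # manage the box from LAN only
        Rule("LAN", "this-device", "dhcp",  "permit"),
        Rule("LAN", "WAN", "any", "permit"),
        Rule("Servers", "WAN", "any", "permit"),
        Rule("VPN", "Servers", "https", "permit"),
    ]
    fab = ZoneFabric(zones, rules)

    def flow(port, vlan, src_ip, dst_zone, service):
        return fab.decide(fab.zone_of(port, vlan, src_ip), dst_zone, service)

    return {
        "lan_to_wan":       flow(1, None, "192.168.1.50",  "WAN", "any"),
        "lan_manage":       flow(1, None, "192.168.1.50",  "this-device", "https"),
        "lan2_manage":      flow(1, None, "192.168.1.150", "this-device", "https"),
        "lan2_dhcp":        flow(1, None, "192.168.1.150", "this-device", "dhcp"),
        "lan_to_lan":       flow(1, None, "192.168.1.50",  "LAN", "any"),
        "guest_to_servers": flow(2, 20,   "172.16.20.9",   "Servers", "https"),
        "servers_to_wan":   flow(2, 30,   "172.16.30.5",   "WAN", "any"),
        "untagged_port2":   flow(2, None, "172.16.30.5",   "WAN", "any"),
        "vpn_to_servers":   fab.decide("VPN", "Servers", "https"),
    }
```

Two results are worth noticing: a host in LAN2 cannot reach the management interface or request DHCP because no rule names LAN2, and an untagged frame on the tagged port 2 lands in no zone at all and is therefore dropped.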
Network Interfaces
> Three Types of Interfaces
External
Internal
GRE
> The External Interface can be configured in one of the following ways
Static Addressing
DHCP Client
PPPoE Client
PPTP Client
L2TP Client
> The Internal Interface must be configured manually with a Static IP Address
> GRE Interface
Configure GRE interfaces for connecting to a remote site via a VPN tunnel to allow multicasting and dynamic routing between sites.
Interface Setup
Interface-Security Zone Interaction
> Security Zones are assigned to interfaces
> An interface can represent more than one zone (transparent deployment)
> NATed or Routed deployment
Zones and Interfaces
[Diagram: Layer 3 internal and external interfaces, above Layer 2 zones VPN, LAN, LAN2, LAN3 and WAN, mapped onto Layer 1 ports Port1 to Port4 of the X505]
Network Interfaces: Example 1
Two Network Interfaces
> Routable external IP address for Network Interface 2: WAN IP and DMZ Security Zone
> Internal (192.168.x.y) addresses for internal LANs
Network Interfaces: Example 2
Three Interfaces, one for each zone.
Each Network Interface will be a different IP on a different Subnet
Network Interfaces: Example 3
Totally Transparent
All Addresses in same subnet, but with policy between zones.
DHCP
> Various modes of DHCP
DHCP Server, DHCP Relay, DHCP Relay over VPN
DHCP Client
Static Mapping
DHCP Precautions
> By default, there should be a firewall rule that permits DHCP requests from the LAN zone to the this-device zone
> Given the above, if any hosts connected to a different zone will be assigned IP addresses via DHCP, then you must create a new firewall rule or modify the default DHCP rule (Firewall rules will be covered in the next module)
IP Address Groups
> IP Address Groups allow you to create Network Objects that can be referenced in Security Zones, Firewall Rules or DHCP configuration
> Addresses can be grouped by
Host
Subnet
Address Range
Network Address Translation
> Two Modes
Many-to-One NAT
> Use this mode to translate all internal addresses to one external IP address
> Can be configured to NAT to the external IP address of the X505 or an address specified by the network administrator
One-to-one NAT
> Use this mode to map a unique IP address between internal and external hosts
> Can be configured for All Services or can be configured for Port Address Translation (PAT)
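The two NAT modes above behave quite differently for traffic arriving from outside, which is the part that matters for exposure. The block below is an added illustration, not TippingPoint code: the external address, inside subnet, published servers and port numbers are constructed. Many-to-one shares the X505's external address among all inside hosts and tells sessions apart by a translated source port; one-to-one pins an inside host to its own external address, either for All Services or only for chosen ports (PAT).

```python
"""Toy model of the X505's two NAT modes.  Added example; all addresses and
ports are constructed."""
from ipaddress import IPv4Address, IPv4Network


class Nat:
    def __init__(self, external_ip, inside_net, first_port=1024):
        self.external_ip = IPv4Address(external_ip)   # the device's own WAN address
        self.inside_net = IPv4Network(inside_net)
        self.static = {}    # inside ip -> (outside ip, ports or None for All Services)
        self.dynamic = {}   # (inside ip, inside port) -> translated port
        self.reverse = {}   # translated port -> (inside ip, inside port)
        self.next_port = first_port

    def add_one_to_one(self, inside_ip, outside_ip, ports=None):
        """One-to-one NAT; ports=None means All Services, a set of ports means PAT."""
        self.static[IPv4Address(inside_ip)] = (IPv4Address(outside_ip), ports)

    def outbound(self, src_ip, src_port):
        """Source translation for a packet leaving the inside network."""
        src = IPv4Address(src_ip)
        if src not in self.inside_net:
            raise ValueError(f"{src} is not an inside address")
        if src in self.static:
            ext, ports = self.static[src]
            if ports is None or src_port in ports:
                return ext, src_port              # one-to-one: address swaps, port kept
        key = (src, src_port)                     # many-to-one: allocate a unique port
        if key not in self.dynamic:
            self.dynamic[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return self.external_ip, self.dynamic[key]

    def inbound(self, dst_ip, dst_port):
        """Destination translation for a packet arriving from outside.
        None means nothing maps it and the packet is dropped."""
        dst = IPv4Address(dst_ip)
        for inside, (ext, ports) in self.static.items():
            if ext == dst and (ports is None or dst_port in ports):
                return inside, dst_port           # published one-to-one mapping
        if dst == self.external_ip and dst_port in self.reverse:
            return self.reverse[dst_port]         # reply to an existing session
        return None


def fmt(t):
    return None if t is None else f"{t[0]}:{t[1]}"


def demo():
    nat = Nat("203.0.113.10", "192.168.1.0/24")
    nat.add_one_to_one("192.168.1.20", "203.0.113.20")               # All Services
    nat.add_one_to_one("192.168.1.30", "203.0.113.30", ports={443})  # PAT: HTTPS only
    return {
        "pc1_out":     fmt(nat.outbound("192.168.1.50", 40000)),
        "pc2_out":     fmt(nat.outbound("192.168.1.51", 40000)),  # same inside port, new outside port
        "pc1_reply":   fmt(nat.inbound("203.0.113.10", 1024)),
        "mail_in":     fmt(nat.inbound("203.0.113.20", 25)),
        "web_in":      fmt(nat.inbound("203.0.113.30", 443)),
        "ssh_in":      fmt(nat.inbound("203.0.113.30", 22)),      # not published: dropped
        "unsolicited": fmt(nat.inbound("203.0.113.10", 5000)),    # no session: dropped
    }
```

The contrast to take away: an All Services one-to-one mapping exposes every port of the inside host, while a PAT mapping exposes only the listed ports and the many-to-one address accepts nothing that an inside host did not start.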
Routing
> The X505 supports RIP v1 and v2
RIP v1
> Classful, i.e. no subnet masks
RIP v2
> Simple Text Authentication and MD5 authentication
> Classless Inter-Domain Routing i.e. supports subnetting
RIP Features
> Split Horizon: reduces convergence time by not allowing routers to advertise networks in the direction from which those networks were learned.
> Poison Reverse: routes learned from a neighbor are advertised back to it with metric 16 (unreachable), preventing routing loops.
> RIP can be enabled on any configured interface
> Static Routes
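To make the two RIP features concrete, here is an added simulation of two routers exchanging RIP updates; it is not TippingPoint code, and the router names and prefixes are constructed. It runs the same link-failure scenario with and without split horizon, so the count-to-infinity problem that the slide's features prevent is visible in the number of update rounds needed to reconverge.

```python
"""Two-router RIP toy: split horizon and poison reverse versus plain flooding.
Added example; prefixes and router names are constructed.  Metrics follow RIP's
hop count: 1 for a directly connected network, +1 on receipt, 16 = unreachable."""
INFINITY = 16


class RipRouter:
    def __init__(self, name, connected):
        self.name = name
        # network -> (metric, learned_from); learned_from None = directly connected
        self.table = {net: (1, None) for net in connected}

    def advertisement(self, neighbor, split_horizon=True, poison_reverse=True):
        """Build the update sent towards `neighbor`.
        Split horizon: routes learned from that neighbor are left out.
        Poison reverse: they are instead sent back with metric 16."""
        update = {}
        for net, (metric, learned_from) in self.table.items():
            if split_horizon and learned_from == neighbor:
                if poison_reverse:
                    update[net] = INFINITY
                continue
            update[net] = metric
        return update

    def receive(self, neighbor, update):
        """Install better routes; always believe the current next hop, even when it
        reports a worse metric (that is how unreachable propagates)."""
        changed = False
        for net, metric in update.items():
            new = min(metric + 1, INFINITY)
            cur = self.table.get(net)
            if cur is None:
                accept = new < INFINITY
            elif cur[1] == neighbor:
                accept = new != cur[0]
            else:
                accept = new < cur[0]
            if accept:
                self.table[net] = (new, neighbor)
                changed = True
        return changed


def exchange(a, b, max_rounds=40, **opts):
    """A->B then B->A until a whole round changes nothing.
    Returns how many rounds changed something."""
    for rnd in range(max_rounds):
        c1 = b.receive(a.name, a.advertisement(b.name, **opts))
        c2 = a.receive(b.name, b.advertisement(a.name, **opts))
        if not (c1 or c2):
            return rnd
    return max_rounds


def link_failure(split_horizon, poison_reverse):
    """Converge, then B's LAN goes down and B advertises it as unreachable.
    Returns (rounds to reconverge, A's metric, B's metric) for 10.2.0.0/24."""
    a = RipRouter("A", ["10.1.0.0/24", "10.0.0.0/30"])
    b = RipRouter("B", ["10.2.0.0/24", "10.0.0.0/30"])
    opts = dict(split_horizon=split_horizon, poison_reverse=poison_reverse)
    exchange(a, b, **opts)
    b.table["10.2.0.0/24"] = (INFINITY, None)
    rounds = exchange(a, b, **opts)
    return rounds, a.table["10.2.0.0/24"][0], b.table["10.2.0.0/24"][0]


def poison_reverse_view():
    """What A tells B about B's own LAN after convergence:
    16 with poison reverse, nothing at all with plain split horizon."""
    a = RipRouter("A", ["10.1.0.0/24", "10.0.0.0/30"])
    b = RipRouter("B", ["10.2.0.0/24", "10.0.0.0/30"])
    exchange(a, b)
    return (a.advertisement("B", poison_reverse=True).get("10.2.0.0/24"),
            a.advertisement("B", poison_reverse=False).get("10.2.0.0/24"))
```

Without split horizon, A advertises B's failed LAN back to B before B's poisoned update arrives, B reinstalls it via A, and the two routers raise the metric by two per round until it reaches 16: eight rounds instead of one.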
Multicast Routing
> Useful for voice applications or video conferencing
> In multicasting, a host joins a multicast group and can send packets to all hosts participating in the group
> The X505 supports IGMP v2 and Protocol Independent Multicast Dense Mode (PIM-DM)
Network Tools
> The following tools are available for Network troubleshooting
DNS Lookup
Packet Capture
Ping
Traceroute
Find Outgoing Zone
Give the X505 an IP address or hostname and it will tell you which zone traffic destined for that IP (or resolved IP) will go out of
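The Find Outgoing Zone tool is a routing-table lookup followed by an interface-to-zone mapping. The block below is an added illustration of that lookup, not TippingPoint code: the routes, interface names and zones are constructed, and hostname resolution is left out so it runs offline. It also shows why the longest matching prefix, not the first configured route, decides the zone.

```python
"""Added example of the lookup behind 'Find Outgoing Zone'.  Routes, interface
names and zones are constructed; DNS resolution is omitted."""
from ipaddress import ip_address, ip_network


class OutgoingZoneFinder:
    def __init__(self, routes, interface_zones):
        # Most specific prefix first, so the first hit is the longest match.
        self.routes = sorted(((ip_network(p), ifc) for p, ifc in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.interface_zones = interface_zones   # interface -> security zone

    def find(self, dest_ip):
        """Return (zone, interface, matched prefix), or None if unroutable."""
        addr = ip_address(dest_ip)
        for net, ifc in self.routes:
            if addr in net:
                return self.interface_zones[ifc], ifc, str(net)
        return None


def demo():
    finder = OutgoingZoneFinder(
        routes=[
            ("192.168.1.0/24", "internal"),   # local LAN
            ("10.10.0.0/16",   "gre0"),       # remote site across the VPN tunnel
            ("10.10.99.0/24",  "internal"),   # one branch subnet reachable locally
            ("0.0.0.0/0",      "external"),   # default route
        ],
        interface_zones={"internal": "LAN", "gre0": "VPN", "external": "WAN"},
    )
    no_default = OutgoingZoneFinder([("192.168.1.0/24", "internal")],
                                    {"internal": "LAN"})
    return {
        "lan_host":   finder.find("192.168.1.44"),
        "remote":     finder.find("10.10.5.1"),
        "branch":     finder.find("10.10.99.7"),     # /24 beats /16
        "internet":   finder.find("198.51.100.3"),
        "unroutable": no_default.find("198.51.100.3"),
    }
```

A result of None is the case to watch for in practice: with no default route the X505 has no outgoing zone for the address at all, so no zone-to-zone policy will ever be consulted for it.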
LAB 3: Security Zones and Interfaces