Tippingpoint X505 Training - 03-Zones and Interfaces


  • 7/31/2019 Tippingpoint X505 Training - 03-Zones and Interfaces


    TippingPoint X505 Training: Security Zones and Interfaces


    Zones and Interfaces Objectives

    > Upon completion of this module, you should be familiar with the following:

    Security Zone Types

    Zone Configuration

    Network Interface Types

    Interface configuration

    DHCP Server/Client

    IP Address Groups

    Network Address Translation

    Routing Support

    Network Tools


    Security Zones

    > What is a Security Zone

    A security zone is a network segment or VLAN where access can be policed as traffic passes in and out of the zone

    NOTE: "Policed" means Firewall, IPS and Content Filtering

    A user can define multiple security zones, based on their network security needs

    Common security zones are LAN, WAN, DMZ and VPN

    Think of Zones as a Layer 2 construct

    > Figure: A network with 5 Security Zones (LAN 1, LAN 2, WAN, DMZ and VPN) attached to the X505

    > Traffic (shown in red) passes from one zone to another only if policy permits

    > No policy enforcement within a zone! Only between zones


    Security Zones

    > X505 is fundamentally built on the concept of Security Zones

    Figure: the Policy Enforcement Point sits between the LAN Security Zone and the WAN Security Zone

    > Rule 101 (remember this):

    Policy enforcement occurs between Security Zones

    Policy is not enforced within a Security Zone

    Policy Enforcement includes:

    > Firewall

    > Content Filtering

    > IPS


    Security Zone Types

    > Physical Security Zones

    Mapped to a single Ethernet port

    > Virtual Security Zones

    No physical presentation, not mapped to a port

    > These zones can only be reached via policy

    2 main applications

    > this-device

    used to control access to the X505

    device management or SNMP

    Example: If you want to manage the X505 from the LAN zone, make sure you have a policy rule that allows access from the LAN zone to the secure web interface.

    > VPN

    Used to apply policy for traffic emanating from a VPN tunnel


    VPN and Security Zone Interaction

    > Traffic from remote sites and/or users connecting to the network via VPN can be terminated into any configured security zone

    > In order to provide maximum protection, it may be wise to use the pre-configured VPN zone to implement policy (Firewall and IPS)


    Configuring Security Zones

    > Using Physical Ports to Create Security Zones

    untagged ports

    One Port to one Security Zone

    > Using VLANs to Create Security Zones

    tagged ports

    Can allow a port to be in more than one security zone (based on VLAN ID). In other words, you are using the VLAN IDs to define the Security Zone, not the physical port.

    Allow policy control and routing between VLANs

    This would allow you to have more Security Zones than free ports on the device

    > Zone Bandwidth Rate Limiting

    Use bandwidth rate limiting to guarantee bandwidth for latency-sensitive applications

    > IP Address Restriction

    Enforce restrictions on IP Addresses

    > Limit LAN zone to 192.168.1.1 - 192.168.1.99

    > Limit LAN2 zone to 192.168.1.100 - 192.168.1.199


    Using VLANs for Zones


    Default Security Zones

    > Default X505 zones:


    Security Zones Setup


    Security Zone Summary

    > Using this model of Security Zones offers

    Flexibility for Internal Security Zones

    > Policy control between internal networks, wireless, etc

    Increased flexibility for management access

    Support for Inter-VLAN Firewalling

    Support for complex / flexible control of traffic through VPN tunnels

    > All policy is enforced between security zones

    Including Firewalling as well as traffic management

    > Rule 101


    Network Interfaces

    > Three Types of Interfaces

    External

    Internal

    GRE

    > The External Interface can be configured in one of the following ways

    Static Addressing

    DHCP Client

    PPPoE Client

    PPTP Client

    L2TP Client

    > The Internal Interface must be configured manually with a Static IP Address

    > GRE Interface

    Configure GRE interfaces for connecting to a remote site via a VPN tunnel to allow multicasting and dynamic routing between sites.


    Interface Setup


    Interface-Security Zone Interaction

    > Security Zones are assigned to interfaces

    > An interface can represent more than one zone (transparent deployment)

    > NATed or Routed deployment


    Zones and Interfaces

    Figure: Layer 3 holds the internal and external interfaces and the VPN; Layer 2 holds the Security Zones LAN, LAN2, LAN3 and WAN; Layer 1 holds the physical ports Port1 to Port4 of the X505


    Network Interfaces: Example 1

    Two Network Interfaces

    > Routable external IP address for Network Interface 2 (WAN IP and DMZ Security Zone)

    > Internal (192.168.x.y) addresses for internal LANs


    Network Interfaces: Example 2

    Three Interfaces, one for each zone.

    Each Network Interface will be a different IP on a different Subnet


    Network Interfaces: Example 3

    Totally Transparent

    All Addresses in same subnet, but with policy between zones.


    DHCP

    > Various modes of DHCP

    DHCP Server, DHCP Relay, DHCP Relay over VPN

    DHCP Client

    Static Mapping


    DHCP Precautions

    > By default, there should be a firewall rule that permits DHCP requests from the LAN zone to the this-device zone

    > Given the above, if any hosts connected to a different zone will be assigned IP addresses via DHCP, then you must create a new firewall rule or modify the default DHCP rule (Firewall rules will be covered in the next module)
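As an added example (not part of the training deck), a small Python model that ties Rule 101 to the IP Address Restriction slide and to the DHCP precaution above: zone membership is decided by the address range a zone is restricted to, traffic inside one zone is forwarded without policy, and traffic between zones passes only when an explicit rule permits it. The this-device address, the rule table and the LAN/LAN2 ranges are constructed assumptions, not the product's configuration.

```python
import ipaddress

# Constructed zone table (assumption): zone name -> inclusive address range the zone is
# restricted to, using the LAN / LAN2 split from the IP Address Restriction slide.
ZONE_RANGES = {
    "LAN":  ("192.168.1.1",   "192.168.1.99"),
    "LAN2": ("192.168.1.100", "192.168.1.199"),
}
THIS_DEVICE_IP = "192.168.1.254"  # assumed management address of the X505 (this-device zone)

# Constructed rule table (assumption): (src zone, dst zone, protocol, dst port, action).
# The first rule mirrors the default "DHCP from LAN to this-device" rule the deck describes;
# the second is the explicit rule needed to manage the device from LAN (secure web interface).
RULES = [
    ("LAN", "this-device", "udp", 67,  "permit"),
    ("LAN", "this-device", "tcp", 443, "permit"),
]

def zone_of(ip):
    """Return the zone an address belongs to, or None if it is outside every configured zone."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address(THIS_DEVICE_IP):
        return "this-device"
    for zone, (first, last) in ZONE_RANGES.items():
        if ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last):
            return zone
    return None

def decide(src_ip, dst_ip, proto, dport):
    """Policy enforcement point: policy is applied only when traffic crosses a zone boundary."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "drop"                # address not admitted to any zone
    if src == dst:
        return "forward-unpoliced"   # Rule 101: no enforcement inside a zone
    for rule_src, rule_dst, rule_proto, rule_port, action in RULES:
        if (rule_src, rule_dst, rule_proto, rule_port) == (src, dst, proto, dport):
            return action
    return "drop"                    # inter-zone traffic without a matching rule
```

A DHCP request from a LAN2 host is dropped here, which is exactly the case the precaution above says needs a new or modified rule.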


    IP Address Groups

    > IP Address Groups allow you to create Network Objects that can be referenced in Security Zones, Firewall Rules or DHCP configuration

    > Addresses can be grouped by

    Host

    Subnet

    Address Range


    Network Address Translation

    > Two Modes

    Many-to-One NAT

    > Use this mode to translate all internal addresses to one external IP address

    > Can be configured to NAT to the external IP address of the X505 or to an address specified by the network administrator

    One-to-one NAT

    > Use this mode to map a unique IP address between internal and external hosts

    > Can be configured for All Services or can be configured for Port Address Translation (PAT)
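As an added example, not from the deck or the vendor, a Python sketch of the two NAT modes: many-to-one hides every internal host behind one public address (the X505 external IP by default, or an admin-specified one) and keeps per-session state so replies can be mapped back, while one-to-one maps a single internal host either for all services or for one port (PAT). The addresses and mappings are constructed.

```python
# Constructed example (assumption): the X505 external address and two one-to-one mappings.
EXTERNAL_IP = "203.0.113.5"                                         # X505 external (WAN) address
ONE_TO_ONE_ALL = {"192.168.1.50": "203.0.113.50"}                   # one-to-one, all services
ONE_TO_ONE_PAT = {("192.168.1.60", 8443): ("203.0.113.60", 443)}    # one-to-one, PAT (inside -> outside)

class NatTable:
    """Dynamic many-to-one state; the static one-to-one entries above never change."""
    def __init__(self, public_ip=EXTERNAL_IP, first_port=40000):
        self.public_ip = public_ip   # the X505 external IP, or an admin-specified address
        self.next_port = first_port
        self.outbound = {}           # (inside ip, inside port) -> outside port
        self.inbound = {}            # outside port -> (inside ip, inside port)

    def translate_outbound(self, src_ip, src_port):
        """Return the (ip, port) an internal packet leaves with."""
        if src_ip in ONE_TO_ONE_ALL:                  # IP is rewritten, port preserved
            return ONE_TO_ONE_ALL[src_ip], src_port
        if (src_ip, src_port) in ONE_TO_ONE_PAT:      # only the configured service is mapped
            return ONE_TO_ONE_PAT[(src_ip, src_port)]
        key = (src_ip, src_port)                      # many-to-one: share one public IP
        if key not in self.outbound:                  # allocate a distinct public port per session
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, dst_ip, dst_port):
        """Return the inside (ip, port) for a packet from outside, or None if nothing maps it."""
        for inside, outside in ONE_TO_ONE_ALL.items():
            if dst_ip == outside:
                return inside, dst_port
        for inside, outside in ONE_TO_ONE_PAT.items():
            if (dst_ip, dst_port) == outside:
                return inside
        if dst_ip == self.public_ip and dst_port in self.inbound:
            return self.inbound[dst_port]             # reply to an established many-to-one session
        return None                                   # unsolicited inbound traffic is not forwarded
```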


    Routing

    > The X505 supports RIP v1 and v2

    RIP v1

    > Classful, i.e. no subnet masks

    RIP v2

    > Simple Text Authentication and MD5 authentication

    > Classless Inter-Domain Routing i.e. supports subnetting

    RIP Features

    > Split Horizon: Reduces convergence time by not allowing routers to advertise networks in the direction from which those networks were learned.

    > Poison Reverse: Routes learned from a neighbor are advertised back to it with metric 16 (unreachable), preventing routing loops.

    > RIP can be implemented on any configured interface

    > Static Routes
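As an added example (not from the deck), a Python simulation of the two RIP loop-prevention features described above: a router builds the update it sends out of one interface, omitting routes learned on that interface (split horizon) or advertising them back with metric 16 (poison reverse), and a neighbour applies a received update. Interface names and prefixes are constructed; the receiver adds the link cost of 1, as in RFC 2453.

```python
INFINITY = 16  # RIP metric that means "unreachable"

def build_advertisement(table, out_interface, split_horizon=True, poison_reverse=True):
    """Build the RIP update sent out of out_interface.

    table maps prefix -> (metric, learned_on); learned_on is None for connected networks.
    Split horizon drops routes learned on out_interface; poison reverse sends them as 16.
    """
    adv = {}
    for prefix, (metric, learned_on) in table.items():
        if split_horizon and learned_on == out_interface:
            if poison_reverse:
                adv[prefix] = INFINITY   # tell the neighbour it is our next hop for this prefix
            continue                     # plain split horizon: say nothing about it
        adv[prefix] = metric
    return adv

def process_update(table, update, in_interface, link_cost=1):
    """Apply an update received on in_interface and return the new routing table."""
    new = dict(table)
    for prefix, adv_metric in update.items():
        metric = min(adv_metric + link_cost, INFINITY)
        current = new.get(prefix)
        if current is None:
            if metric < INFINITY:
                new[prefix] = (metric, in_interface)
        elif current[1] == in_interface or metric < current[0]:
            # same next hop: always accept the neighbour's latest view (including poison);
            # otherwise only replace the route with a better one
            new[prefix] = (metric, in_interface)
    return new
```

The test scenario is the classic one: router A owns 10.0.1.0/24, router B learns it, then A's link fails; without split horizon A would relearn its own dead network from B at metric 3 and a loop begins.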


    Multicast Routing

    > Useful for voice applications or video conferencing

    > In multicasting, a host joins a multicast group and can send packets to all hosts participating in the group

    > The X505 supports IGMP v2 and Protocol Independent Multicast Dense Mode (PIM-DM)


    Network Tools

    > The following tools are available for Network troubleshooting

    DNS Lookup

    Packet Capture

    Ping

    Traceroute

    Find Outgoing Zone: Give the X505 an IP address or hostname and it will tell you which zone traffic destined for that IP/resolved IP will go out of


    LAB 3: Security Zones and Interfaces