You are on page 1of 26

TippingPoint X505 Training

Security Zones and Interfaces

Zones and Interfaces Objectives

> Upon completion of this module, you should be familiar with the following:
Security Zone Types Zone Configuration Network Interface Types Interface configuration DHCP Server/Client IP Address Groups Network Address Translation Routing Support Network Tools

Security Zones

> What is a Security Zone

A security zone is a network segment or VLAN where access can be policed as traffic passes in and out of a security zone NOTE: Policed means Firewall, IPS and Content Filtering A user can define multiple security zones, based on their network security needs Common security zones are LAN, WAN, DMZ and VPN Think of Zones as a Layer 2 construct
> A network with 5 Security Zones > Traffic (shown in red) passes from one zone to another only if policy permits > No policy enforcement within a zone! Only between zones






Security Zones

> X505 is fundamentally built on the concept of Security Zones Policy Enforcement Point

Security Zone

Security Zone

> Rule 101 remember this

Policy enforcement occurs between Security Zones Policy is not enforced within a Security Zone Policy Enforcement includes:
> Firewall > Content Filtering > IPS

Security Zone Types

> Physical Security Zones

Mapped to a single Ethernet port

> Virtual Security Zones

No physical presentation, not mapped to a port
> These zones can only be reached via policy

2 main applications
> this-device used to control access to the X505 device management or SNMP Example: If you want to manage the x505 from the LAN zone make sure you have a policy rule that allows access from the LAN zone to the secure web interface. > VPN Used to apply policy for traffic emanating from a VPN tunnel

VPN and Security Zone Interaction

> Traffic from remote sites and/or users connecting to the network via VPN can be terminated into any configured security zone > In order to provide maximum protection, it may be wise to use the preconfigured VPN zone to implement policy (Firewall and IPS)

Configuring Security Zones

> Using Physical Ports to Create Security Zones

untagged ports One Port to one Security Zone

> Using VLANs to Create Security Zones

tagged ports Can allow a port to be in more than one security zone (based on VLAN ID) In other words, you are using the VLAN IDs to define the Security Zone, not the physical port. Allow policy control and routing between VLANs This would allow you to have more Security Zones than free ports on the device

> Zone Bandwidth Rate Limiting

Use bandwidth rate limiting to guarantee bandwidth for latency sensitive applications

> IP Address Restriction

Enforce restrictions on IP Addresses
> Limit LAN zone to > Limit LAN2 zone to

Using VLANs for Zones

Default Security Zones

> Default X505 zones:

Security Zones Setup


Security Zone Summary

> Using this model of Security Zones offers

Flexibility for Internal Security Zones
> Policy control between internal networks, wireless, etc

Increased flexibility for management access Support for Inter-VLAN Firewalling Support for complex / flexible control of traffic through VPN tunnels

> All policy is enforced between security zones

Including Firewalling as well as traffic management
> Rule 101


Network Interfaces

> Three Types of Interfaces

External Internal GRE

> The External Interface can be configured in one of the following ways
Static Addressing DHCP Client PPPoE Client PPTP Client L2TP Client

> The Internal Interface must be configured manually with a Static IP Address > GRE Interface
Configure GRE interfaces for connecting to a remote site via a VPN tunnel to allow multicasting and dynamic routing between sites.


Interface Setup


Interface-Security Zone Interaction

> Security Zones are assigned to interfaces > An interface can represent more than one zone (transparent deployment) > NATed or Routed deployment


Zones and Interfaces

Layer 3




Layer 2





Layer 1 Port1 Port2 Port3 Port4

Network Interfaces: Example 1

Two Network Interfaces

> Routable external IP address for Network Interface 2 WAN IP and DMZ Security Zone > Internal (192.168.x.y ) addresses for internal LANs


Network Interfaces: Example 2

Three Interfaces, one for each zone. Each Network Interface will be a different IP on a different Subnet


Network Interfaces: Example 3

Totally Transparent All Addresses in same subnet, but with policy between zones.



> Various modes of DHCP

DHCP Server, DHCP Relay, DHCP Relay over VPN DHCP Client Static Mapping


DHCP Precautions

> By default, there should be a firewall rule that permits DHCP requests from the LAN zone to the this-device zone > Given the above, if any hosts connected to a different zone will be assigned IP addresses via DHCP, then you must create a new firewall rule or modify the default DHCP rule (Firewall rules will be covered in the next module)


IP Address Groups

> IP Address Groups allow you to create Network Objects that can be referenced in Security Zones, Firewall Rules or DHCP configuration > Addresses can be grouped by
Host Subnet Address Range


Network Address Translation

> Two Modes

Many-to-One NAT
> Use this mode to translate all internal addresses to one external IP address > Can be configured to NAT to the external IP address of the X505 or an address specified by the network administrator

One-to-one NAT
> Use this mode to map a unique IP address between internal and external hosts > Can be configured for All Services or can be configured for Port Address Translation (PAT)



> The X505 supports RIP v1 and v2

RIP v1
> Classful, i.e. no subnet masks

RIP v2
> Simple Text Authentication and MD5 authentication > Classless Inter-Domain Routing i.e. supports subnetting

RIP Features
> Split Horizon Reduces convergence time by not allowing routers to advertise networks in the direction from which those networks were learned. > Poison Reverse Routes learned from a neighbor are advertised back to it with metric 16 (unreachable), preventing routing loops.

> RIP can be implemented in any configured interface > Static Routes


Multicast Routing

> Useful for voice applications or video conferencing > In multicasting, a host joins a multicast group and can send packets to all hosts participating in the group > The X505 supports IGMP v2 and Protocol Independent Mutlicast Dense Mode (PIM-DM)


Network Tools

> The following tools are available for Network troubleshooting

DNS Lookup Packet Capture Ping Traceroute Find Outgoing Zone Give the X505 an IP address or hostname and it will tell you which zone traffic destined for that IP/resolved IP will go out of


LAB 3 Security Zones and Interfaces