How do zones work in SonicOS?
09/01/2022
Description
A zone is a logical grouping of one or more interfaces designed to simplify management and the application of Access Rules. It is a flexible method of managing both internal and external network segments, allowing the administrator to separate and protect critical internal network resources from unapproved access or attack.
Zones in SonicWall are a logical method of grouping one or more interfaces with friendly, user-configurable names, and applying security rules as traffic passes from one zone to another. Security zones provide an additional, more flexible, layer of security for the firewall. With zone-based security, the administrator can group similar interfaces and apply the same policies to them, instead of having to write the same policy for each interface.
Zones allow users to apply security policies to the inside of the network. The administrator does this by organizing network resources into different zones, and allowing or restricting traffic between those zones. This way, access to critical internal resources such as payroll servers or engineering code servers can be strictly controlled.
Zones also allow full exposure of the NAT table to allow the administrator control over the traffic across the interfaces by controlling the source and destination addresses as traffic crosses from one zone to another. This means that NAT can be applied internally, or across VPN tunnels, which is a feature that users have long requested. SonicWALL security appliances can also drive VPN traffic through the NAT policy and zone policy, since VPNs are now logically grouped into their own VPN zone.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
How do Zones Work :
An easy way to visualize how security zones work is to imagine a large new building, with several rooms inside the building, and a group of new employees that do not know their way around the building.
This building has one or more exits, (which can be thought of as the WAN interfaces). The rooms within the building have one or more doors, (which can be thought of as interfaces). These rooms can be thought of as zones.
Inside each room are a number of people. The people are categorized and assigned to separate rooms within the building. People in each room going to another room or leaving the building, must talk to a doorperson on the way out of each room.
This doorperson is the inter-zone/intra-zone security policy, and the doorperson’s job is to consult a list and make sure that the person is allowed to go to the other room, or to leave the building. If the person is allowed (i.e. the security policy lets them), they can leave the room via the door (the interface).
Upon entering the hallway, the person needs to consult with the hallway monitor to find out where the room is, or where the door out of the building is located. This hallway monitor provides the routing process because the monitor knows where all the rooms are located, and how to get in and out of the building.
The monitor also knows the addresses of any of the remote offices, which can be considered the VPNs. If the building has more than one entrance/exit (WAN interfaces), the hallway monitor can direct people to use the secondary entrance/exit, depending upon how they’ve been told to do so (i.e. only in an emergency, or to distribute the traffic in and out of the entrance/exits). This function can be thought of as WAN Load Balancing.
There are times that the rooms inside the building have more than one door, and times when there are groups of people in the room who are not familiar with one another. In this example, one group of people uses only one door, and another group uses the other door, even though groups are all in the same room. Because they also do not recognize each other, in order to speak with someone in another group, the users must ask the doorperson (the security policy) to point out which person in the other group is the one with whom they wish to speak. The doorperson has the option to not let one group of people talk to the other groups in the room. This is an example of when zones have more than one interface bound to them, and when intra-zone traffic is not allowed.
Sometimes, people will wish to visit remote offices, and people may arrive from remote offices to visit people in specific rooms in the building. These are the VPN tunnels. The hallway and doorway monitors check to see if this is allowed or not, and allow traffic through.
The doorperson can also elect to force people to put on a costume before traveling to another room, or to exit, or to another remote office. This hides the true identity of the person, masquerading the person as someone else. This process can be thought of as the NAT policy.
To put this in more technical terms, zones in SonicOS group together interfaces with the same security type so that the same security policies and rules can be applied to them. Traffic flow across the interfaces can then be allowed or blocked as required.
In SonicOS, all access rules, NAT policies and security services can be applied to zone-to-zone traffic, whether it stays within the firewalled networks or enters or leaves the firewall.
Hence, when a packet arrives at the SonicWall, travels between the networks behind it, or is intended to go out of it, the traffic flows through the SonicWall based on the routing table and access rules, which are in turn guided by the zone that the packet belongs to or is destined for.
PREDEFINED ZONES IN SONICOS :
The predefined zones on the SonicWALL security appliance depend on the device and are not modifiable. These are defined as follows:
- WAN : This zone can consist of either one or two interfaces. If you’re using the security appliance’s WAN Failover capability, you need to add the second Internet interface to the WAN zone.
- LAN : This zone can consist of one to five interfaces, depending on your network design. Even though each interface will have a different network subnet attached to it, when grouped together they can be managed as a single entity.
- DMZ : This zone is normally used for publicly accessible servers. This zone can consist of one to four interfaces, depending on your network design.
- VPN : This virtual zone is used for simplifying secure, remote connectivity. It is the only zone that does not have an assigned physical interface.
- MULTICAST : This zone provides support for IP multicasting, which is a method for sending IP packets from a single source simultaneously to multiple hosts.
- WLAN : This zone provides support to SonicWALL Access Points (SonicPoint or SonicWave). When assigned to the Opt port, it enforces SonicPoint Enforcement, automatically dropping all packets received from non-SonicPoint devices. The WLAN zone supports SonicPoint Discovery Protocol (SDP) to automatically poll for and identify attached SonicPoints. It also supports SonicWALL Simple Provisioning Protocol to configure SonicPoints using profiles.
- SSLVPN : This virtual zone is used for simplifying secure, remote connectivity with SSL encryption. This zone is assigned to the SSLVPN traffic only.
Apart from predefined zones, custom user-friendly zones can also be configured in SonicWall, with different security types.
NOTE: In SonicWALL NSA series, MGMT is a predefined zone for management. So, in SonicWALL TZ series, we cannot create a custom zone named "MGMT".
SECURITY TYPES IN SONICOS:
Each zone has a security type, which defines the level of trust given to that zone. These are :
- Trusted : Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted.
- Encrypted : Encrypted is a security type used exclusively by the VPN zone. All traffic to and from an Encrypted zone is encrypted.
- Wireless : Wireless is a security type applied to the WLAN zone or any zone where the only interface to the network consists of SonicWALL SonicPoint devices. Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless zone activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.
- Public : A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default, traffic from DMZ to LAN is denied, but traffic from LAN to ANY is allowed. This means traffic between DMZ and LAN flows only on LAN-initiated connections. The DMZ will only have default access to the WAN, not the LAN.
- Untrusted : The Untrusted security type represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the security appliance. By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.
- SSLVPN : SSLVPN is a security type used exclusively by the SSLVPN zone. All traffic to and from an SSLVPN zone is encrypted.
Allow Interface Trust :
The Allow Interface Trust setting in the Add Zone window automates the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance. For example, if the LAN zone has both the LAN and X3 interfaces assigned to it, checking Allow Interface Trust on the LAN zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
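The default behaviour described under the security types and Allow Interface Trust can be written down as a small model and used to review a rule list for explicit allows that override a default deny. This is an added example, not SonicWall code and not the SonicOS rule engine: the zone inventory, rule tuples, interface names other than X3, the "review" verdict and the severity labels are constructed for illustration, and treating intra-zone traffic as denied when Allow Interface Trust is off is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Zone:
    name: str
    security_type: str            # Trusted, Public, Untrusted, Encrypted, ...
    interfaces: tuple = ()
    allow_interface_trust: bool = False

def default_action(src, dst):
    """Verdict for src -> dst traffic when no explicit Access Rule exists."""
    if src.name == dst.name:
        # Intra-zone: Allow Interface Trust auto-creates the allow rules.
        # Without it this model assumes deny (assumption, see lead-in).
        return "allow" if src.allow_interface_trust else "deny"
    st, dt = src.security_type, dst.security_type
    if st == "Untrusted":
        # Untrusted may not enter any other zone type without explicit rules.
        return "deny" if dt != "Untrusted" else "review"
    if dt == "Untrusted":
        return "allow"            # every other zone type may reach Untrusted
    if st == "Trusted":
        return "allow"            # article: traffic from LAN to ANY is allowed
    if st == "Public" and dt == "Trusted":
        return "deny"             # article: traffic from DMZ to LAN is denied
    return "review"               # pair not covered by the article's defaults

def audit_rules(zones, rules):
    """List explicit allow rules that override a default deny."""
    by_name = {z.name: z for z in zones}
    findings = []
    for src, dst, service, action in rules:
        if action != "allow":
            continue
        if default_action(by_name[src], by_name[dst]) == "deny":
            # Hypothetical triage labels: an any-service override is the widest.
            severity = "high" if service.lower() == "any" else "info"
            findings.append((src, dst, service, severity))
    return findings

# Constructed sample inventory and rule list (not from a real appliance).
ZONES = [
    Zone("WAN", "Untrusted", ("X1",)),
    Zone("LAN", "Trusted", ("X0", "X3"), allow_interface_trust=True),
    Zone("DMZ", "Public", ("X2",)),
    Zone("VPN", "Encrypted"),
]
RULES = [
    ("WAN", "DMZ", "HTTPS", "allow"),
    ("DMZ", "LAN", "Any", "allow"),
    ("LAN", "WAN", "Any", "allow"),
    ("WAN", "LAN", "Any", "deny"),
]

if __name__ == "__main__":
    for finding in audit_rules(ZONES, RULES):
        print(finding)
```

Zone pairs that involve the Encrypted, Wireless or SSLVPN types come back as "review" unless one of the stated defaults covers them, because the article does not rank those types against Trusted, Public and Untrusted.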
Enabling SonicWALL Security Services on Zones :
You can enable SonicWALL Security Services for traffic across zones. The services that can be enabled on zones include Content Filtering Service, Client Anti-Virus Service, Gateway Anti-Virus, IPS, and Anti-Spyware Service.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
How do Zones Work :
An easy way to visualize how security zones work is to imagine a large new building, with several rooms inside the building, and a group of new employees that do not know their way around the building.
This building has one or more exits, (which can be thought of as the WAN interfaces). The rooms within the building have one or more doors, (which can be thought of as interfaces). These rooms can be thought of as zones.
Inside each room are a number of people. The people are categorized and assigned to separate rooms within the building. People in each room going to another room or leaving the building, must talk to a doorperson on the way out of each room.
This doorperson is the inter-zone/intra-zone security policy, and the doorperson’s job is to consult a list and make sure that the person is allowed to go to the other room, or to leave the building. If the person is allowed (i.e. the security policy lets them), they can leave the room via the door (the interface).
Upon entering the hallway, the person needs to consult with the hallway monitor to find out where the room is, or where the door out of the building is located. This hallway monitor provides the routing process because the monitor knows where all the rooms are located, and how to get in and out of the building.
The monitor also knows the addresses of any of the remote offices, which can be considered the VPNs. If the building has more than one entrance/exit (WAN interfaces), the hallway monitor can direct people to use the secondary entrance/exit, depending upon how they’ve been told to do so (i.e. only in an emergency, or to distribute the traffic in and out of the entrance/exits). This function can be thought of as WAN Load Balancing.
There are times that the rooms inside the building have more than one door, and times when there are groups of people in the room who are not familiar with one another. In this example, one group of people uses only one door, and another group uses the other door, even though groups are all in the same room. Because they also do not recognize each other, in order to speak with someone in another group, the users must ask the doorperson (the security policy) to point out which person in the other group is the one with whom they wish to speak. The doorperson has the option to not let one group of people talk to the other groups in the room. This is an example of when zones have more than one interface bound to them, and when intra-zone traffic is not allowed.
Sometimes, people will wish to visit remote offices, and people may arrive from remote offices to visit people in specific rooms in the building. These are the VPN tunnels. The hallway and doorway monitors check to see if this is allowed or not, and allow traffic through.
The doorperson can also elect to force people to put on a costume before traveling to another room, or to exit, or to another remote office. This hides the true identity of the person, masquerading the person as someone else. This process can be thought of as the NAT policy.
To put this in more technical terms, zones in SonicOS group together interfaces with the same security type so that the same security policies and rules can be applied to them. Traffic flow across the interfaces can then be allowed or blocked as required.
In SonicOS, all access rules, NAT policies and security services can be applied to zone-to-zone traffic, whether it stays within the firewalled networks or enters or leaves the firewall.
Hence, when a packet arrives at the SonicWall, travels between the networks behind it, or is intended to go out of it, the traffic flows through the SonicWall based on the routing table and access rules, which are in turn guided by the zone that the packet belongs to or is destined for.
PREDEFINED ZONES IN SONICOS :
The predefined zones on the SonicWALL security appliance depend on the device and are not modifiable. These are defined as follows:
- WAN : This zone can consist of either one or two interfaces. If you’re using the security appliance’s WAN Failover capability, you need to add the second Internet interface to the WAN zone.
- LAN : This zone can consist of one to five interfaces, depending on your network design. Even though each interface will have a different network subnet attached to it, when grouped together they can be managed as a single entity.
- DMZ : This zone is normally used for publicly accessible servers. This zone can consist of one to four interfaces, depending on your network design.
- VPN : This virtual zone is used for simplifying secure, remote connectivity. It is the only zone that does not have an assigned physical interface.
- MULTICAST : This zone provides support for IP multicasting, which is a method for sending IP packets from a single source simultaneously to multiple hosts.
- WLAN : This zone provides support to SonicWALL Access Points (SonicPoint or SonicWave). When assigned to the Opt port, it enforces SonicPoint Enforcement, automatically dropping all packets received from non-SonicPoint devices. The WLAN zone supports SonicPoint Discovery Protocol (SDP) to automatically poll for and identify attached SonicPoints. It also supports SonicWALL Simple Provisioning Protocol to configure SonicPoints using profiles.
- SSLVPN : This virtual zone is used for simplifying secure, remote connectivity with SSL encryption. This zone is assigned to the SSLVPN traffic only.
Apart from predefined zones, custom user-friendly zones can also be configured in SonicWall, with different security types.
NOTE: In SonicWALL NSA series, MGMT is a predefined zone for management. So, in SonicWALL TZ series, we cannot create a custom zone named "MGMT".
SECURITY TYPES IN SONICOS:
Each zone has a security type, which defines the level of trust given to that zone. These are :
- Trusted : Trusted is a security type that provides the highest level of trust—meaning that the least amount of scrutiny is applied to traffic coming from trusted zones. Trusted security can be thought of as being on the LAN (protected) side of the security appliance. The LAN zone is always Trusted.
- Encrypted : Encrypted is a security type used exclusively by the VPN zone. All traffic to and from an Encrypted zone is encrypted.
- Wireless : Wireless is a security type applied to the WLAN zone or any zone where the only interface to the network consists of SonicWALL SonicPoint devices. Wireless security type is designed specifically for use with SonicPoint devices. Placing an interface in a Wireless zone activates SDP (SonicWALL Discovery Protocol) and SSPP (SonicWALL Simple Provisioning Protocol) on that interface for automatic discovery and provisioning of SonicPoint devices. Only traffic that passes through a SonicPoint is allowed through a Wireless zone; all other traffic is dropped.
- Public : A Public security type offers a higher level of trust than an Untrusted zone, but a lower level of trust than a Trusted zone. Public zones can be thought of as being a secure area between the LAN (protected) side of the security appliance and the WAN (unprotected) side. The DMZ, for example, is a Public zone because traffic flows from it to both the LAN and the WAN. By default, traffic from DMZ to LAN is denied, but traffic from LAN to ANY is allowed. This means traffic between DMZ and LAN flows only on LAN-initiated connections. The DMZ will only have default access to the WAN, not the LAN.
- Untrusted : The Untrusted security type represents the lowest level of trust. It is used by both the WAN and the virtual Multicast zone. An Untrusted zone can be thought of as being on the WAN (unprotected) side of the security appliance. By default, traffic from Untrusted zones is not permitted to enter any other zone type without explicit rules, but traffic from every other zone type is permitted to Untrusted zones.
- SSLVPN : SSLVPN is a security type used exclusively by the SSLVPN zone. All traffic to and from an SSLVPN zone is encrypted.
Allow Interface Trust :
The Allow Interface Trust setting in the Add Zone window automates the creation of Access Rules to allow traffic to flow between the interfaces of a zone instance. For example, if the LAN zone has both the LAN and X3 interfaces assigned to it, checking Allow Interface Trust on the LAN zone creates the necessary Access Rules to allow hosts on these interfaces to communicate with each other.
Enabling SonicWALL Security Services on Zones :
You can enable SonicWALL Security Services for traffic across zones. The services that can be enabled on zones include Content Filtering Service, Client Anti-Virus Service, Gateway Anti-Virus, IPS, and Anti-Spyware Service.