topic Re: Zone Protection - to or from in General Topics

Zone Protection - to or from

jdprovine — Tue, 09 Jan 2018 19:21:34 GMT

Is Zone protection applied from or too the zone?

Re: Zone Protection - to or from

BPry — Tue, 09 Jan 2018 19:47:11 GMT

It's specifically ingress.

It's also important to note when configuring zone protection that it's only evaluated on traffic that doesn't match an existing session, if it matches an existing session it'll bypass your zone protection settings.

Re: Zone Protection - to or from

jdprovine — Tue, 09 Jan 2018 20:01:52 GMT

@BPry

I put it on my DMZ zone and so far I am not seeing anything. But I have about 23 zones, and none of them are name untrust anymore so I am trying to determine what zones would I would see the best results from using zone protection. I did have a health check run last fall but it did not show all of my zones and its recommendations were based on a untrust zone that I do not even have.

Re: Zone Protection - to or from

OtakarKlier — Tue, 09 Jan 2018 20:10:18 GMT

Hello,

That is a it depends type of question. Obviously the untrust zone from the internet should have this, but it may also apply to certain internal zones, i.e. keeping kids from getting at your stuff.

Cheers!

Re: Zone Protection - to or from

BPry — Tue, 09 Jan 2018 20:14:04 GMT

,
They likely simply utilized the common zone names for their recommendations, which is rather lazy on their end. Untrust would be the zone that you utilize as an ‘outside’ zone; essentially wherever your ISP connection comes in should be a non-trusted zone, hence it being shortened to simply untrust.
I wouldn’t expect to really see any triggers on a DMZ for zone protection. You really shouldn’t have too much traffic with the DMZ as the ingress zone. I would caution trying to trip the zone protection profile however. Zone protection is really what I consider to be the last line of defense against a flood, simply because it will effect new sessions on the entire zone when tripped.

Re: Zone Protection - to or from

jdprovine — Tue, 09 Jan 2018 20:22:46 GMT

@BPry @OtakarKlier

Adding it to the outside/internet in/ISP untrusted zone is an easy choice, but I do I determine what other zones it would be most beneficial on

Re: Zone Protection - to or from

Mick_Ball — Wed, 10 Jan 2018 09:23:12 GMT

i would say only you can answer that as it's only you that really knows "your" network.

for me.. trusted LAN, no point.. the LAN itself is quite secure, no guest or BYOD connections. only domain members can connect. even then these devices are policied to the hilt.

DMZ. no point.. as @BPry stated, DMZ ingress is a big no no.

internet (any untrusted) ... yes.

so... if you feel that any of your zones are vulnerable to such attacks then protect them...

Re: Zone Protection - to or from

BPry — Wed, 10 Jan 2018 13:47:15 GMT

@jdprovine

I would create a custom report that targets the Traffic Log database sorted by bytes and grouped by the Inbound Interface. This should give you a good idea of which zones you should actually target.

Re: Zone Protection - to or from

jdprovine — Wed, 10 Jan 2018 14:03:05 GMT

@Mick_Ball

Definitely things coming in from the outside we need to protect against, but a majority of ours users are students and are not a part of our domain but have access to the internal network so it is tricky

Re: Zone Protection - to or from

Mick_Ball — Wed, 10 Jan 2018 15:00:49 GMT

@BPry

Hi. you mentioned previously...

Zone protection is really what I consider to be the last line of defense against a flood, simply because it will effect new sessions on the entire zone when tripped.

if you have time could you elaborate, not so much on Zone Protection but the "trip" part.

Re: Zone Protection - to or from

BPry — Wed, 10 Jan 2018 15:34:21 GMT

@Mick_Ball,

So what I meant by "trip" is when you actually trigger the Activate or Maximum values. So when you look at Flood Protection it's very similar to the DoS profiles where you'll have an 'Alarm Rate', 'Activate Rate', and a 'Maximum' rate. The major difference is that it triggers on the entire zone for any traffic that doesn't match to an existing session. So on UDP packets the 'Activate Rate' will trigger random drops and you may start dropping legitimate traffic across the entire zone; 'Maximum Rate' obviosuly will cause any number of packets exceeding this value to simply drop. Same for SYN, however you do get the option to set this action on 'Activate' to SYN Cookies instead of RED.

DoS Protection Policies are more of the first line of defense in my mind, just because of how much more granular you can get when working with them. It's also easier to work with the 'Activate' and 'Maximum' values since you can generally work in a time to properly attempt to hit that value and verify the policy is working as intended, while only effecting connections to the specified host(s).

I'd much rather see more aggressive DoS Protection Policies than aggressive Zone Protection Profiles simply because I never want to effect an entire zone of traffic. We host a lot of public websites; I would rather have one website be spotty or unreachable in the event of an attack over lossing all of them. Therefore I always try to set my Zone Protection to the point where my DoS Policiesshould prevent the Zone Protection from ever hitting the Activate rates. Currently you would have to trigger the majority of my DoS Policies before my Zone Protection profiles ever had a chance to activate.

Re: Zone Protection - to or from

Mick_Ball — Wed, 10 Jan 2018 15:42:46 GMT

@BPry

OK, got it.

Many thanks for taking the time to elaborate.

Re: Zone Protection - to or from

jdprovine — Wed, 10 Jan 2018 15:58:09 GMT

@BPry

By granular on the DoS protection do you mean it is because you can pick specific IP's and subnets not just full zones ?

Re: Zone Protection - to or from

BPry — Wed, 10 Jan 2018 16:01:12 GMT

@jdprovine,

Correct. Since you can choose to single out an IP address (or multiple) you can limit the impacts of the DoS Policies to those hosts. With a Zone Protection Profile you'll effect all unmatched traffic across the entire zone without any way to negate a particular address.

Re: Zone Protection - to or from

jdprovine — Wed, 10 Jan 2018 16:03:13 GMT

so much to choose from on the PA sometimes its so overwhelming, I really wish I had a test system

Re: Zone Protection - to or from

jdprovine — Fri, 12 Jan 2018 21:11:04 GMT

@BPry

When you say specifically ingress do you mean it should be applied to ingress zones like the outside? And the DMZ is considered internal by the PA? We first started out by putting zone protection on the DMZ and it showed our external DNS (in the DMZ) servers in scanning (alerting on host sweep) out to the internet/outside for DNS. I had been looking for it to alert on traffic coming into the DMZ not the other way around. Have I got something configured incorrectly on my profile? I have taken the zone protection off of the DMZ and put it on the outside Zone instead

Re: Zone Protection - to or from

BPry — Fri, 12 Jan 2018 22:04:28 GMT

@jdprovine,

It will be traffic ingressing the specified zone. For example my 'outside/untrust' zone would be the ingress interface for everything shown under ( zone.src eq outside ) on my firewall. All of this traffic would count towards the zone protection profile allocated to the 'outside' zone.

For most situations if you are trying to protect your resources in the DMZ you would want the zone protection profile on your 'outside/untrust' zone. When traffic comes into the firewall the ingress zone is going to be 'outside/untrust', and the egress zone is going to be the 'dmz'.

An easier way of thinking of it would be like this:

ingress: The same as from or source.

egress: Same as to or destination.

Currently your configuration should be correct. If the zone protection is on the 'outside' zone it will protect your dmz resources from external traffic/attacks.

Re: Zone Protection - to or from

BPry — Sat, 13 Jan 2018 18:35:18 GMT

@jdprovine,

Just so it's not lost in all of this. While Zone Protection will help the firewall keep the zone up and going and should protect from external users flooding your firewall with requests that could make it hit it's limits, it's also extremely important to protect public services living in your DMZ with a DoS Protection Profile.

Without a DoS Protection Profile assigned to a public facing device you could easily run into issues with an attacker flooding your web server or public DNS server and have then bring it down from a flood attack long before the limits for a Zone Protection profile are even close to triggering in most enviroments. This is why I always call Zone Protection 'Last Resort'. The DoS Protection profiles should prevent everything but a very large attack from ever getting the chance to trigger your Zone Protection 'Activate' or 'Maximum' values.

Re: Zone Protection - to or from

jdprovine — Mon, 15 Jan 2018 13:37:15 GMT

@BPry

So it would be better to start with DoS protection around our DNS servers in the DMZ and then add Zone protection later? Is there a way to "whitelist" IP addresses that are related to our external DNS servers in the DMZ?

Re: Zone Protection - to or from

BPry — Mon, 15 Jan 2018 13:38:59 GMT

@jdprovine,

Correct. I would start with DoS profiles around public facing DMZ servers and then move towards Zone Protection once DoS profiles are properly configured.

You can whitelist addresses within DoS profiles by using the 'negate' option when you actually build out the DoS Policies. While I know there is a feature request for it, there is not currently a way to exclude addresses from Zone Protection profiles.