5.1. Configuring zones

In UserGate, a zone is a logical grouping of network interfaces. UserGate security policies are bound to zones rather than to individual interfaces. This makes policies more flexible and greatly simplifies the management of high-availability clusters. Zones are identical on all cluster nodes, i.e. they are a global setting for the entire cluster.

It is recommended that you group interfaces into zones based on their functionality, e.g. a zone of LAN interfaces, a zone of Internet interfaces, a zone of interfaces with partner networks, etc.

By default, UserGate provides the following zones:

  • Management - zone for interfaces connected to trusted networks from which UserGate may be administered

  • Trusted - zone for interfaces connected to trusted networks, e.g. LANs

  • Untrusted - zone for interfaces connected to untrusted networks, e.g. the Internet

  • DMZ - zone for interfaces connected to the DMZ network

  • Cluster - zone for interfaces designated for cluster operations

  • VPN for Site-to-Site - zone to which all clients connected to UserGate through a Site-to-Site VPN are added

  • VPN for remote access - zone to which all clients connected to UserGate through a remote access VPN are added

UserGate administrators can change the default settings of these zones and can also create additional zones.

Important! Up to 16 zones can be created.

To create a new zone, perform the following steps:

Step 1. Create a new zone

Click Add and specify a name for your zone.

Step 2. Set up the DoS protection parameters (optional)

Specify the following DoS protection parameters for the zone, separately for the TCP (SYN flood), UDP and ICMP protocols:

  • Alert threshold - once the number of packets per second from a single IP address exceeds this limit, the event is recorded in the system log

  • Drop threshold - once the number of packets per second from a single IP address exceeds this limit, UserGate starts dropping packets from that IP address and records the event in the system log

The recommended values for TCP and UDP are 300 packets per second for the alert threshold and 600 packets per second for the drop threshold. It is also recommended that you enable flood protection in all zones except the Cluster zone, because cluster nodes legitimately exchange large numbers of packets with each other.

When interfaces in the zone carry VoIP or L2TP VPN traffic, increase the UDP drop threshold; otherwise legitimate media or tunnel traffic from a single peer may be dropped.

DoS protection exclusions allow you to define ranges of IP addresses that are exempt from flood protection. This is useful, for example, for IP telephony servers, which normally send large numbers of small UDP packets.

Important! UserGate can provide even more granular protection from DoS attacks. For details, please refer to the section DoS protection.

Step 3. Set up the access control parameters for the zone (optional)

Specify the UserGate services that should be reachable from all hosts connected to the zone. It is recommended that you disable all services in zones connected to untrusted networks and the Internet; in particular, the administrative console, CLI over SSH and Control XML-RPC should only be enabled in the Management zone or another zone restricted to administrators.

The following services are supported:

  • Ping - allows you to ping UserGate

  • SNMP - provides access to UserGate via SNMP (UDP 161)

  • Captive portal and block page - displays the login page of the Captive portal and the blocking page (TCP 80, 443, 8002)

  • Control XML-RPC - allows you to manage the product via the API (TCP 4040)

  • Cluster - allows you to merge multiple UserGate nodes into a cluster (TCP 4369, TCP 9000-9100)

  • VRRP - allows you to merge multiple UserGate nodes into a high-availability cluster (IP protocol 112)

  • Administrative console - provides access to the web console (TCP 8001)

  • DNS - provides access to the DNS proxy service (TCP 53, UDP 53)

  • HTTP(S) Proxy - provides access to the HTTP(S) proxy service (TCP 8090)

  • Authentication agent - provides access to the server for Windows authentication agents and terminal servers (UDP 1813)

  • SMTP(S) Proxy - anti-spam and anti-virus filtering service for SMTP traffic. Required only when publishing a mail server to the Internet. For more details, please refer to Mail security

  • POP3(S) Proxy - anti-spam and anti-virus filtering service for POP3(S) traffic. Required only when publishing a mail server to the Internet. For more details, please refer to Mail security

  • CLI over SSH - provides access for management using the CLI (command-line interface) via TCP 2200

  • VPN - access to the server for L2TP VPN clients (UDP 500, 4500)

  • SCADA - SCADA protocol protection. This option is necessary only for SCADA traffic control. For more details, please refer to SCADA rules

  • Reverse proxy - reverse proxy service. This option is necessary only if you need to publish resources via the reverse proxy. For more details, please refer to Publication of HTTP/HTTPS resources using the reverse proxy

  • Web portal - web portal service. This option is necessary only if you need to publish resources via SSL VPN. For more details, please refer to Setting up a web portal

  • Log analyzer - log analyzer service. This option is necessary only if this UserGate server is used to collect and analyze logs from other UserGate servers

  • OSPF - OSPF dynamic routing protocol. For more details, please refer to OSPF

  • BGP - BGP dynamic routing protocol. For more details, please refer to BGP

Step 4. Set up the IP-spoofing protection (optional)

In an IP spoofing attack, an attacker on an external network, e.g. in the Untrusted zone, sends a packet into an internal network, e.g. the Trusted zone, with the source IP address forged to one that belongs to the internal network, so that any response to the packet is sent to an internal address and the attacker can bypass policies that trust internal sources.

To protect against such attacks, the administrator can specify the network ranges of source IP addresses that are allowed on the interfaces of a given zone. Packets arriving on those interfaces with any other source IP address are dropped.

With the Negate option, the administrator instead specifies the network ranges of source IP addresses that are not expected on the zone's interfaces; packets with those source addresses are dropped and all others are allowed. This is the usual choice for the Untrusted zone, where private internal ranges should never appear as a source.
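The four steps above describe the order in which a zone's settings act on traffic arriving on its interfaces. The following Python model, written for this page as an added example and not taken from UserGate, puts them together: anti-spoofing (with and without Negate), per-source flood thresholds with an exclusion range, and the per-zone service access list. The zone names, thresholds, service ports and sample packets are constructed for the demonstration; the thresholds are set far below the recommended 300/600 packets per second so that the flood logic triggers within a handful of packets.

```python
"""Added example (not UserGate code): a model of how a zone's protection
settings apply to packets arriving on the zone's interfaces."""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# UserGate services a zone may expose, keyed by (protocol, port) as listed on the page.
SERVICES = {
    ("tcp", 8001): "Administrative console",
    ("tcp", 2200): "CLI over SSH",
    ("tcp", 4040): "Control XML-RPC",
    ("udp", 161): "SNMP",
    ("tcp", 53): "DNS",
    ("udp", 53): "DNS",
    ("tcp", 8090): "HTTP(S) Proxy",
}


@dataclass
class Zone:
    name: str
    allowed_services: set                      # Step 3: services enabled for the zone
    alert_threshold: int = 300                 # Step 2: packets/s per source before logging
    drop_threshold: int = 600                  # Step 2: packets/s per source before dropping
    dos_exclusions: list = field(default_factory=list)    # networks exempt from flood protection
    source_networks: list = field(default_factory=list)   # Step 4: anti-spoofing ranges
    negate: bool = False                       # True: listed ranges must NOT appear as source


@dataclass
class Packet:
    ts: float     # arrival time in seconds (constructed)
    src: str
    proto: str
    dport: int


class ZoneFilter:
    def __init__(self, zone: Zone):
        self.zone = zone
        self.counts: Dict[Tuple[int, str], int] = defaultdict(int)  # (second, source) -> packets
        self.alerted = set()
        self.log: List[str] = []

    @staticmethod
    def _in_any(addr: str, nets) -> bool:
        a = ip_address(addr)
        return any(a in n for n in nets)

    def check(self, pkt: Packet) -> str:
        z = self.zone
        # Step 4: anti-spoofing. Without Negate, sources outside the list are dropped;
        # with Negate, sources inside the list are dropped.
        if z.source_networks:
            inside = self._in_any(pkt.src, z.source_networks)
            if inside == z.negate:
                self.log.append(f"spoof-drop {pkt.src} on {z.name}")
                return "drop"
        # Step 2: flood thresholds, counted per source per second, unless excluded.
        if not self._in_any(pkt.src, z.dos_exclusions):
            key = (int(pkt.ts), pkt.src)
            self.counts[key] += 1
            n = self.counts[key]
            if n > z.drop_threshold:
                if n == z.drop_threshold + 1:          # log once per source per second
                    self.log.append(f"flood-drop {pkt.src} on {z.name}")
                return "drop"
            if n > z.alert_threshold and key not in self.alerted:
                self.alerted.add(key)
                self.log.append(f"flood-alert {pkt.src} on {z.name}")
        # Step 3: traffic addressed to a UserGate service is accepted only if the
        # service is enabled for this zone. Anything else is ordinary transit traffic,
        # which firewall rules (not modelled here) decide on.
        svc = SERVICES.get((pkt.proto, pkt.dport))
        if svc is None:
            return "forward"
        return "accept" if svc in z.allowed_services else "drop"


def demo():
    """Run constructed sample packets through a Trusted and an Untrusted zone."""
    trusted = Zone("Trusted", {"DNS", "Administrative console"},
                   alert_threshold=2, drop_threshold=3,
                   dos_exclusions=[ip_network("10.0.5.0/24")],      # hypothetical PBX subnet
                   source_networks=[ip_network("10.0.0.0/8")])
    untrusted = Zone("Untrusted", set(),                            # no services exposed
                     alert_threshold=3, drop_threshold=5,
                     source_networks=[ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")],
                     negate=True)                                   # internal ranges never expected
    results = {}
    f = ZoneFilter(trusted)
    results["lan-dns"] = f.check(Packet(0.0, "10.1.2.3", "udp", 53))
    results["lan-ssh"] = f.check(Packet(0.0, "10.1.2.3", "tcp", 2200))     # CLI not enabled here
    results["lan-spoofed"] = f.check(Packet(0.0, "203.0.113.7", "udp", 53))
    results["pbx"] = [f.check(Packet(2.0 + i * 0.001, "10.0.5.10", "udp", 5060)) for i in range(10)]
    g = ZoneFilter(untrusted)
    results["wan-spoofed"] = g.check(Packet(0.0, "10.9.9.9", "tcp", 80))
    results["wan-console"] = g.check(Packet(0.0, "198.51.100.5", "tcp", 8001))
    results["wan-flood"] = [g.check(Packet(1.0 + i * 0.01, "198.51.100.9", "tcp", 25)) for i in range(7)]
    return results, f.log + g.log


if __name__ == "__main__":
    res, log = demo()
    for k, v in res.items():
        print(k, v)
    print("\n".join(log))
```

Two behaviours worth noticing when reading the output: the excluded PBX subnet never hits the flood counter even though it exceeds the Trusted thresholds many times over, which is exactly why the exclusion exists; and on the Untrusted zone a packet from 10.9.9.9 is dropped by the anti-spoofing check before the flood counter or service list ever sees it, so the order of the steps matters for what ends up in the log.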