In UserGate, a zone is a logical conjunction of network interfaces. Security policies of UserGate are based on zones of interfaces rather than individual interfaces. This makes security policies more flexible and dramatically simplifies the overall management of high-availability clusters. Note that zones are the same across all cluster nodes, i.e. this is a global setting for the entire cluster.
It is recommended that you group interfaces into zones based on their functionality, e.g. a zone of LAN interfaces, a zone of Internet interfaces, a zone of interfaces with partner networks, etc.
By default, UserGate provides the following zones:
|
Name |
Description |
|---|---|
|
Management |
Zone for interfaces connected to trusted networks, allowed for administering UserGate |
|
Trusted |
Zone for interfaces connected to trusted networks, e.g. LANs |
|
Untrusted |
Zone for interfaces connected to untrusted network, e.g. the Internet |
|
DMZ |
Zone for interfaces connected to the DMZ network |
|
Cluster |
Zone for interfaces designated for cluster operations |
|
VPN for Site-to-Site |
A zone to which all clients connected to UserGate through Site-to-Site VPN are added. |
|
VPN for remote access |
A zone to which all clients connected to UserGate through remote access VPN are added. |
UserGate administrators can change the zones default settings, and also can create additional zones.
Important! Up to 16 zones can be created.
To create a new zone, perform the following steps:
|
Name |
Description |
|---|---|
|
Step 1. Create a new zone |
Click Add and specify a name for your zone. |
|
Step 2. Set up the DoS protection parameters (optional) |
Specify the following DoS protection parameters in the zone for the TCP (SYN-flood), UDP and ICMP protocols:
Recommended values for TCP and UDP for the notification threshold and package discard threshold are 300 queries per second and 600 queries per second respectively. It is also recommended that you enable flood protection on all interfaces except Cluster zone. When interfaces in the zone handle VoIP or L2TP VPN traffic, make sure to increase the packet drop threshold for UDP. DoS protection exclusion allows you to set up a range of IP addresses excluded from flood protection. This can be useful, for example, on IP telephony servers that usually send lots of small UDP packets. I:orangebold:` mportant!` UserGate can provide even more granular protection from DoS attacks. For details, please refer to section DoS protection. |
|
Step 3. Set up the access control parameters for the zone (optional) |
Specify UserGate services that you want to make available for all clients connected to the zone. It is recommended that you disable all services in zones connected to untrusted networks and the Internet. The following services are supported:
|
|
Step 4. Set up the IP-spoofing protection (optional) |
Using IP spoofing attacks, fraudsters can send a packet from an external network, e.g. from the Untrusted zone, to an internal network, e.g. to the Trusted zone. To do so, fraudsters "spoof" the source IP address with one of the possible IP addresses in the internal network, thereby making all responses to this packet go to an internal IP address. To protect from such attack administrator can specify network ranges of allowed IP source addresses for specific zone. Network packets with different IP sources will be dropped. With Negate option administrator can specify network ranges of IP source addresses which are not expected on the zone's network interfaces and network packets with these sources will be dropped. |