A zone in UGMC is a logical aggregation of network interfaces. UGMC security policies use interface zones instead of interfaces themselves.
It is recommended to aggregate interfaces into a zone based on their intended use, e.g., a LAN interface zone, Internet interface zone, management interface zone, etc.
UGMC is supplied with the following default zones:
Name |
Description |
---|---|
Management |
Used to connect trusted networks from which UGMC management is allowed. |
Trusted |
Used to connect the managed devices and obtain access to the Internet. |
For the UGMC to work, one configured interface is sufficient. Having separate network interfaces for UGMC device management and UserGate MD management is recommended for security but not mandatory.
UGMC administrators can edit the settings for the default zones and create additional zones.
To create a zone, follow these steps:
Name |
Description |
---|---|
Step 1. Create a new zone. |
Click Add and provide a name for the new zone. |
Step 2. (Optional) Configure the DoS protection settings for the zone. |
Configure the network flood protection settings for TCP (SYN-flood), UDP, and ICMP protocols in the zone:
The recommended values are 300 requests per second for the alert threshold and 600 requests per second for the drop threshold. DoS protection exclusions: here you can list the server IP addresses that need to be excluded from the protection. This can be useful, e.g., for UserGate gateways that can send large amounts of data to LogAn servers. |
Step 3. (Optional) Configure the access control settings for the zone. |
Specify the UGMC-provided services that will be available to clients connected to this zone. It is recommended to disable all services for zones connected to uncontrolled networks, such as the Internet. The following services exist:
For more on network availability requirements, see Appendix 1. Network Environment Requirements. |
Step 4. (Optional) Configure the IP spoofing protection settings. |
IP spoofing attacks allow a malicious actor to transmit a packet from one network, such as Trusted, to another, such as Management. To do that, the attacker substitutes the source IP address with an assumed address of the relevant network. In this case, responses to this packet will be sent to the internal address. To protect against this kind of attack, the administrator can specify the source IP address ranges allowed in the selected zone. Network packets with source IP addresses other than those specified will be discarded. Using the Negate checkbox, the administrator can specify the source IP addresses from which packets may not be received on this zone's interfaces. In this case, packets with source IP addresses within those ranges will be rejected. As an example, you can specify "gray" IP address ranges as 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 and enable the Negate option. |