Security Zones Architecture

Overview

The computer science network is arranged in four zones: outside, public, lab and servers. Each zone has assigned tasks and is given the resources and privileges necessary to accomplish the tasks. The zones are ordered from highest to lowest security. Rules determine whether traffic is allowed to pass between security zones, but have no effect on traffic within a zone.

The rule applied depend whether the traffic is part of an inbound or an outbound connection. A connection is inbound if its establishing packet passed from a lower to a higher security zone. A connection is outbound if its establishing packet passed from a higher to lower security zone.

At present, outside is the lowest security zone. Then in ascending order: public, lab and servers.

Outside Zone
Outgoing connections from higher security zones receive routable addresses in the global IP address block when passing into this zone.
Public Zone
Incoming connections are allowed from the outside zone to access departmental public services: notably the web server, professor and faculty web pages, and our external domain name service. Outgoing connections from the public zoner are required to secondary other name servers and to respond to pings.
Lab Zone
Incoming connections are allowed from the outside zone to allow remote access for students to the lab and to receive email addressed to the lab machines. In order to enforce student privacy, only authenticated channels can pass inward. Outgoing connections of any sort are permitted to the Internet. Pings and certain other ICMP messages are also allowed.
Server Zone
All outgoing connections are allowed, to the lab zone or outside side. Incoming connections are restricted to fully authenticated connections. An incoming connection is allowed from the public zone so that the public web server can retrieve faculty and staff web pages. Incoming email is allowed.

NAT and XLATE's

It is the job of the Cisco PIX firewall to enforce the zone architecture. It accomplishes this using two mechanisms: Traffic cannot pass unless a translation slot is allocated and the connection passes the rules of the Access Lists.

NAT

Each zone attaches to the PIX through one of its interfaces and is part of a separate Local Area Network. It is equivalent to speak of the public zone or the PIX's public interface, for instance. The outside zone attaches to the university backbone, and has an address inside the space of university backbone addresses - 129.171.32.9. The backbone sees the PIX as a router behind which lie all machines in the class C IP address block 192.31.89.0/24.

However, no machines of that address lie behind the PIX. Every other interface is assigned a network of the type known as private-local. These addresses are suppressed if found on the backbone and are therefore unroutable outside of the department. Access between these interfaces and the outside interface, and among inner interfaces, requires that the addresses be rewritten on passage from interface to interface. The control of which machines have rewritten addresses, and under what conditions a rewriting is allowed, is the key mechanism by which the PIX controls access between interfaces, and therfore, between zones.

Private-Local address blocks
Zone/InterfaceNetwork
Public172.18.0.0/16
Lab172.19.0.0/16
Servers172.20.0.0/16

To pass between interfaces, the PIX maintains a translation table in which it creates xlate slots. A xlate slot is (this is a simplified explanation) the four items: 

   (inner-interface, outer-interface) global-address, local-address
where the inner-interface is the interface serving the zone of higher security and is associated with the local-address; the outer-interface is the interface of serving the zone of lower security and is associated with the global-address.

Before a connection can be established between zones, a xlate slot must exist. Xlate slots are either allocated statically during the PIX configuration or they are created dynamically when needed. Outbound connections will use a static slot if it exists, but if not, an xlate slot can be created dynamically. Inbound connections must use a static xlate slot.

Inbound connections

An inbound connection is a connection initiatiated by a packet coming from a lower security interface to a higher security interface. The xlate slot for such a connection must configured manually, it is static. If there is no matching xlate slot, the packet is dropped. Here is the configuration line creating the static xlate slot which permits access to our public server: 

   static (public,outside) 192.31.89.3 172.18.0.2
An inbound connection can be established, where a packet with destination address of 192.31.89.3, arriving on the outside interface, will be forwarded to the public interface after rewriting the destination address to 172.18.0.2. Response packets will arrive at the public interface with source address 172.18.0.2. The source address will be rewritten to 192.31.89.3 and forward to the outside interface.

Outbound connections

An outbound connection is a connection initiatiated by a packet on a higher security interface heading to a lower security interface. If a static xlate slot for an outbound connection does not exist staticly, a dynamic slot can be created. A pair of configuration lines allow the creation of dynamic xlate slots: 

   nat (lab) 2 0.0.0.0 0.0.0.0 0 0
   global (outside) 2 192.31.89.133-192.31.89.231
These lines permit any machine in the lab zone to connect outside the department. They say that packets entering the lab interface can leave the outside interface with new addresses chosen from the range 192.31.89.133-231.

An example machine, say 172.19.1.123, could create the following xlate slot on first attempting to connect outside the department: 

   (lab,outside) 192.31.89.156 172.19.1.123
where the address 192.31.89.156 is arbitrarily chosen from the global block and persists for the host for some time, so that all connections from this host get the same renumbering. Packets traveling from the lab to the outside interface will have their source address rewritten from 172.19.1.123 to 192.31.89.156. Response packets returning from the outside to the lab interface will have their destination address rewritten from 192.31.89.156 to 172.191.1.123.

ACL's and Connections

The difference between the PIX and a router is a router deals with packets individually. The PIX considers packets as elements of a connection. For TCP this correspondence is easy: a connection according to the PIX is a connection according to TCP. The PIX defines UDP connections as well, but ICMP is packet based, or each connection is a single packet.

Once a connection is set up, packets for the connection flow unhindered, whichever way the packet passes through the PIX. Setting up a connection requires two steps:

  1. An xlate slot must exist or be created.
  2. The Access List for the incoming interface must rule on the connection's creation.

ACL's (Access Lists) apply for both inbound and outbound connections. For inbound connections, it is the ACL of the lower security interface that rules; for outbound connections, the ACL of the higher security interface applies. In the previous example, we created a static xlate to offer the services of our public server to the outside world. A web request will find this xlate and then attempt to create a connection. This access list line allows that connection: 

   access-list acl_out permit tcp any host 192.31.89.3 eq www
The PIX provides several additional security services by examining the contents of connections. Also certain protocols write their IP addresses in to the body of the message. For these, the PIX must provide a fix-up, where it rewrites this embedded IP addresses as it does the header addresses. The most famous example of this is the FTP protocol.

Document History

Burton Rosenberg, 4 July 2002