Crystal Eye supports management of four typical security zones, namely LAN, HotLAN, External and DMZ. Security zones play an important role in grouping the virtual and physical interfaces of a Crystal Eye network. Services hosted in these zones are protected by various security controls, providing a holistic approach to implementing a comprehensive defense-in-depth strategy.
Note: All LAN interfaces of Crystal Eye are part of the LAN Zone by default. Likewise, all wireless interfaces of CE fall under the LAN Zone, and the external interface of CE falls under the External Zone. These assignments can be adjusted using the relevant access controls of CE.
Each security zone on the Crystal Eye network caters to a specific security requirement. A CE administrator can deploy hosts and servers in a particular security zone of the CE network based on the criticality of the data they handle. For example, storage of financial data and personally identifiable information (PII) may require a greater degree of security than less critical information.
The following network diagram depicts a Crystal Eye network with the four typical security zones:
Before creating security zones on your Crystal Eye network it’s important to define the network mode on which the appliance is intended to run.
The three network modes of Crystal Eye are:
Let’s understand how to create security zones with the help of the following illustrative example.
In this illustration we deploy various servers and user devices in a Crystal Eye network, using a single Crystal Eye appliance to create the security zones. These servers and user devices are segmented into four security zones, namely the LAN Zone, HotLAN Zone, External Zone and DMZ Zone.
Crystal Eye's LAN Zone has been designed to incorporate internal networks such as corporate workstations and servers, which can be accessed using NAT rules and port forwarding. In our illustration, the LAN Zone is segmented into 2 user groups and 3 server groups. Each user group has 3 users and each server group has 4 servers. Refer to the highlighted part of the network diagram below for details of the assets deployed in the LAN Zone.
Note: We assume that the corporate users (User Group 1 and User Group 2) and the three server groups in the LAN are connected to the LAN1 port of the Crystal Eye appliance; that is, all the user groups and server groups in the LAN (refer to the highlighted part of the diagram above) are connected to the LAN1 interface of CE.
How to Create a LAN Zone on the Crystal Eye network?
All LAN interfaces of CE are pre-configured to be part of the LAN Zone by default, and so is the LAN1 interface in our illustrative example. Nevertheless, the steps below show which configuration must be selected in order to place an interface in the LAN Zone.
Step 1: Go to Network Controls > Infrastructure > IP Settings application
Step 2: You will now see the IP Settings application page. Click the Edit button next to LAN1 Interface under the Network Interfaces section.
Note: Here we will assume that all the user groups and server groups in the LAN network are connected to LAN1 port of the CE appliance.
Step 3: You will now see the LAN1 interface page. Select the Role as LAN from the dropdown.
Note: The Role here is LAN by default, which reflects that all LAN interfaces of CE are in the LAN Zone by default; the role can be changed to other roles as well.
Step 4: Click the Update button.
Step 5: You will now be directed to the IP Settings application page. LAN1 interface details will be visible under the Network Interfaces section.
Note: The Role column in the Network Interfaces section shows which security zone the LAN1 interface belongs to. Since we have configured LAN1 to be part of the LAN Zone, all users connected to the LAN1 port of the CE appliance will be in the LAN Zone of the CE network.
HotLAN Zones are designed to cater to untrusted users in the Crystal Eye network. In our illustration, 4 untrusted users are connected to the Crystal Eye appliance in its HotLAN Zone. These untrusted users have no access to any other security zone apart from the External Zone, which essentially means that they only have access to the internet. Refer to the highlighted part of the network diagram below for details of the assets deployed in the HotLAN Zone.
Note: In the network diagram above, we have assumed that all the untrusted users are part of the HotLAN Zone and that they are connected to the wireless interface. Note, however, that by default all user devices connected to the wireless interface of CE belong to the LAN Zone. We can nevertheless modify the wireless interface to be part of the HotLAN Zone. Follow the steps given below to create a HotLAN Zone.
How to Create a HotLAN Zone on your Crystal Eye appliance?
The wireless interface of CE falls under the LAN Zone by default. We will change this and make the wireless interface WIFI1 part of the HotLAN Zone, so that all users connected to WIFI1 are placed in the HotLAN Zone. Follow the steps below.
Step 1: Go to Network Controls > Infrastructure > IP Settings application
Step 2: You will now see the IP Settings application page. Click the Edit button next to WIFI1 interface under the Network Interface section.
Note: As highlighted in the screenshot below, the Role column shows that the wireless interface is a part of the LAN Zone.
Step 3: You will now see the WIFI1 Interface page. Select HotLAN from the Roles dropdown and click the Update button.
Step 4: You will be directed to the IP Settings application page. The zone of WIFI1 interface will now be changed to HotLAN Zone under the Roles column.
Note: According to our illustration WIFI1 is now in the HotLAN Zone, so all users that connect to the CE WiFi will fall in this zone and have only basic internet access.
This zone of the Crystal Eye appliance accommodates external-facing interfaces. The external interface provides the link to the upstream network and Internet access. Refer to the highlighted part of the network diagram below for details of the External Zone.
Note: Devices physically connected to the WAN1 port of CE, such as an upstream router, can be considered part of the External Zone.
The Demilitarized Zone (DMZ) Firewall provides an advanced security realm for a network zone that lies between the LAN and the WAN. The DMZ is an isolated network placed between private networks and the internet. It creates a buffer zone that buys the incident response team more time in case of a breach.
In our illustration we have two public facing servers in the DMZ Zone labeled as DMZ 1 and DMZ 2. Refer to the highlighted part of the network diagram below to know the details of DMZ Zone.
Note: The DMZ Zone is not configured in CE by default. However, one may create a DMZ Zone on CE and deploy DMZ servers to it. Follow the steps below to create a DMZ Zone in the CE network.
How to create a DMZ Zone on the Crystal Eye network?
In our illustrative example we will make the LAN2 interface part of Crystal Eye's DMZ Zone.
Step 1: Go to Network Controls > Infrastructure > IP Settings application
Step 2: You will now see the IP Settings application page. Click the Edit button next to LAN2 under the Network Interface section.
Note: You will notice in the screenshot below that the security zone mentioned under the Roles column is LAN Zone.
Step 3: You will now be directed to the LAN2 Interface page. Select DMZ from the Roles dropdown and click the Update button.
Step 4: Select Static from the Connection Type dropdown and enter the IP Address.
Step 5: Enter the IP Address in the text box and click the Update button.
Step 6: You will be directed to the IP Settings application page. The zone of LAN2 interface will now be changed to DMZ Zone under the Roles column.
Note: You will also observe that the Connection Type has changed to Static.
The Crystal Eye network can be configured with multiple default access policies that govern the flow of traffic between the different security zones: LAN Zone, HotLAN Zone, External Zone and DMZ Zone.
The 4 security zones of Crystal Eye and their interactions with each other are discussed below:
Note: Click the learn more link next to each communication path of the CE security zones to find out how to create the relevant access policies.
Communication Path |
---|
LAN Zone Related Access Policies & their Communication Details with Other Security Zones |
HotLAN Zone Related Access Policies & their Communication Details with Other Security Zones |
External Zone Related Access Policies & their Communication Details with Other Security Zones |
DMZ Zone Related Access Policies & their Communication Details with Other Security Zones |
The default access policies of Crystal Eye mentioned above can be summarized in the following table:
From | To | Default Access Policies | Crystal Eye Applications Used For Creating Access Policies |
---|---|---|---|
LAN Zone | External Zone | Permitted | Not Applicable |
LAN Zone | LAN Zone | Permitted | Not Applicable |
LAN Zone | HotLAN Zone | Permitted | Not Applicable |
LAN Zone | DMZ Zone | Blocked | DMZ Firewall application can be used to create access policies |
HotLAN Zone | External Zone | Permitted | Not Applicable |
HotLAN Zone | LAN Zone | Blocked | Not Applicable |
HotLAN Zone | HotLAN Zone | Permitted | Not Applicable |
HotLAN Zone | DMZ Zone | Blocked | DMZ Firewall application can be used to create access policies |
External Zone | LAN Zone | Blocked | CE's Firewall, Port Forwarding and NAT Firewall applications can be used to create access policies |
External Zone | HotLAN Zone | Blocked | CE's Firewall, Port Forwarding and NAT Firewall applications can be used to create access policies |
External Zone | DMZ Zone | Blocked | DMZ Firewall application can be used to create access policies |
DMZ Zone | External Zone | Permitted | Not Applicable |
DMZ Zone | LAN Zone | Blocked | DMZ Firewall application can be used to create access policies |
DMZ Zone | HotLAN Zone | Blocked | DMZ Firewall application can be used to create access policies |
DMZ Zone | DMZ Zone | Permitted | Not Applicable |
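The interface-role procedures above (LAN1 kept in LAN, WIFI1 moved to HotLAN, LAN2 moved to DMZ with a static address) and the default access-policy table combine into a small model that an administrator can use to reason about which flows the appliance permits before any custom policy is added. The following Python is an added example and is not Crystal Eye's own code: the policy matrix transcribes the table on this page, while the interface names, the `kind` and `connection_type` fields and the audit rules are illustrative assumptions made for the example.

```python
"""Model of Crystal Eye security zones: which zone each interface lands in and which
zone-to-zone flows are permitted by default. Constructed example, not Crystal Eye's own
code: the policy matrix transcribes the page's default access-policy table; interface
names, the `kind`/`connection_type` fields and the audit rules are illustrative."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ZONES = ("LAN", "HotLAN", "External", "DMZ")

# (from_zone, to_zone) -> (permitted by default, CE application used to open a path).
# External -> External is not listed on the page, so it is deliberately absent here.
DEFAULT_POLICY = {
    ("LAN", "External"):      (True, None),
    ("LAN", "LAN"):           (True, None),
    ("LAN", "HotLAN"):        (True, None),
    ("LAN", "DMZ"):           (False, "DMZ Firewall"),
    ("HotLAN", "External"):   (True, None),
    ("HotLAN", "LAN"):        (False, None),
    ("HotLAN", "HotLAN"):     (True, None),
    ("HotLAN", "DMZ"):        (False, "DMZ Firewall"),
    ("External", "LAN"):      (False, "Firewall, Port Forwarding or NAT Firewall"),
    ("External", "HotLAN"):   (False, "Firewall, Port Forwarding or NAT Firewall"),
    ("External", "DMZ"):      (False, "DMZ Firewall"),
    ("DMZ", "External"):      (True, None),
    ("DMZ", "LAN"):           (False, "DMZ Firewall"),
    ("DMZ", "HotLAN"):        (False, "DMZ Firewall"),
    ("DMZ", "DMZ"):           (True, None),
}


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str                       # "lan", "wireless" or "wan" (illustrative field)
    role: Optional[str] = None      # None = the appliance default for that kind
    connection_type: str = "dhcp"   # illustrative; the DMZ steps set "static"


def effective_zone(iface: Interface) -> str:
    """LAN and wireless interfaces default to the LAN Zone, the WAN interface to External."""
    if iface.role is None:
        return "External" if iface.kind == "wan" else "LAN"
    if iface.role not in ZONES:
        raise ValueError(f"unknown role {iface.role!r} on {iface.name}")
    return iface.role


def default_policy(src_zone: str, dst_zone: str) -> Optional[Tuple[bool, Optional[str]]]:
    """(permitted, application) for a zone pair, or None where the page defines no default."""
    return DEFAULT_POLICY.get((src_zone, dst_zone))


def flow_allowed(src: Interface, dst: Interface) -> Optional[bool]:
    """Is traffic from a host behind `src` to a host behind `dst` permitted by default?"""
    entry = default_policy(effective_zone(src), effective_zone(dst))
    return None if entry is None else entry[0]


def explain_flow(src: Interface, dst: Interface) -> str:
    """Human-readable verdict, naming the CE application that would open a blocked path."""
    src_zone, dst_zone = effective_zone(src), effective_zone(dst)
    entry = default_policy(src_zone, dst_zone)
    if entry is None:
        return f"{src_zone} -> {dst_zone}: no default policy defined"
    permitted, app = entry
    if permitted:
        return f"{src_zone} -> {dst_zone}: permitted by default"
    how = f"; use the {app} application to create an access policy" if app else ""
    return f"{src_zone} -> {dst_zone}: blocked by default{how}"


def audit(interfaces: List[Interface]) -> List[str]:
    """Defender-side checks drawn from the page's guidance (rules are illustrative)."""
    findings = []
    for iface in interfaces:
        zone = effective_zone(iface)
        if iface.kind == "wireless" and zone == "LAN":
            findings.append(f"{iface.name}: wireless interface is still in the LAN Zone, so "
                            "untrusted wireless clients would reach LAN hosts")
        if zone == "DMZ" and iface.connection_type != "static":
            findings.append(f"{iface.name}: DMZ interface should use a Static connection type")
    return findings


# Interfaces as configured in the page's illustration (constructed sample data).
EXAMPLE_INTERFACES = [
    Interface("LAN1", "lan"),                                       # LAN Zone by default
    Interface("WIFI1", "wireless", role="HotLAN"),                  # moved out of LAN
    Interface("LAN2", "lan", role="DMZ", connection_type="static"),  # DMZ with static IP
    Interface("WAN1", "wan"),                                       # External Zone
]

if __name__ == "__main__":
    by_name = {i.name: i for i in EXAMPLE_INTERFACES}
    print(explain_flow(by_name["WIFI1"], by_name["LAN1"]))
    print(explain_flow(by_name["WAN1"], by_name["LAN2"]))
    for f in audit([Interface("WIFI1", "wireless"), Interface("LAN2", "lan", role="DMZ")]):
        print("finding:", f)
```

Running the script against the illustration's interfaces reports no findings, while feeding it the appliance defaults (WIFI1 still in LAN, LAN2 set to DMZ without a static address) reproduces the two situations the HotLAN and DMZ procedures above exist to fix. The `explain_flow` output also names which CE application (DMZ Firewall, or Firewall/Port Forwarding/NAT Firewall) is the right place to add an access policy when a blocked path is genuinely needed.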