Adtran
Help
The Adtran community holiday season is starting next week! The holiday period will span from December 21, 2024 to January 6, 2025. During this time, responses to feedback form submissions may be delayed. If you are encountering product issues, you can reach out to Adtran support at any time.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Anonymous
Not applicable
‎03-02-2012 09:06 AM

Multiple trusted interfaces: multiple security zones?

  I'm going to take advantage of the collective wisdom and experience of the Community:

I like to consolidate interfaces into as few policy-classes as possible, to keep configs simple and have policy-classes neatly represent actual trust zones.  I know that you can use a separate policy-class for each interface, and many config examples from ADTRAN engineers and in technical documents seem to show a separate policy-class for each interface.

Are examples given with separate "trusted" policy-classes merely because it's arguably simpler to understand what's going on in those examples?  Post your thoughts--Do you see some other benefit from maintaining a security zone separation between trusted interfaces?

I'm taking for granted here that all of the private networks and interfaces are truly trusted in the wide-open sense.  Obviously, situations where some granularity is needed between departments, tenants or whatever would require the use of multiple policy-classes.  I'm thinking about typical small or medium companies where you might have some VLANs or a remote office connected with a T1.

0 Kudos
Reply
5 Replies
Anonymous
Not applicable
‎03-02-2012 10:40 AM

Re: Multiple trusted interfaces: multiple security zones?

@cj - I would agree that sometimes it is just easier to have multiple interfaces share security zones/policy-classes. Although there are several applications that *require* that different policy-classes/security zones be defined, for generic applications it is acceptable to have them shared between interfaces.

For me, I would prefer to have separate policy-classes defined if I am dealing with several interfaces simply because if I need to troubleshoot, it is easier for me to go through the policy-sessions to find the entry that I am looking for and to verify that traffic is being routed correctly.

- Noor

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎03-02-2012 10:50 AM

Re: Multiple trusted interfaces: multiple security zones?

Thanks, Noor. Other than applications where there's just more than one trust zone (departments, VLANs, companies, etc.), what would be some common applications requiring separate policy-classes?

We're trying to standardize on our config approaches in my company. Your input is helpful for us to plan ahead and anticipate scenarios that we will encounter.

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎03-02-2012 01:10 PM

Re: Multiple trusted interfaces: multiple security zones?

@cj - I would say most of these applications involve multiple WAN interfaces. Failover configurations, load balancing, and route-maps usually require that separate policy-classes/security zones be used since traffic will need to be NATted to different WAN IPs depending on which connection will be used. The separate policy-class/security zones allows the router to NAT traffic based on which interface will be sending the traffic out. Also, these WAN security zones/policy-sessions could very well need a different set of access rules and port forwards configured on each interface.

- Noor

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎03-02-2012 01:18 PM

Re: Multiple trusted interfaces: multiple security zones?

@noor

I see. If I understand you, these would be good examples of the need for outside/untrusted interfaces to use discreet policy-classes. Do you think the need to separate is diminished for inside/private interfaces?

Thanks again for helping me think this through.

Chris

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎03-02-2012 03:26 PM

Re: Multiple trusted interfaces: multiple security zones?

@cj - Its really a matter of personal preference and how you would like to set up your rules. However, besides the examples you gave and perhaps configuring a DMZ with a private IP and a private interface, I haven't ran into many applications where a separate trusted policy-session/security zones were necessarily needed.

Thanks,

Noor

0 Kudos
Accept as Solution Reply