Setting Security Policy
The following procedure covers role identification and the configuration of security zones and network segments. Combining the three segmentation methods allows for flexible segmentation; see the table below for details.
Security Policy | Segmentation type | Description |
---|---|---|
User Roles | Micro Segmentation | Device-level policy that abstracts the IP address and can be applied within the same subnet or across subnets |
Security Zones | Mezzo Segmentation | Subnet-level policy that applies to a subnet or group of subnets, allowing or denying connectivity between groups of subnets. |
Segments | Macro Segmentation | Network-level policy (VRF) that separates entire segments of the network from the rest of the network. |
Roles should be identified before anything else is configured. The following roles will be used by the access point, switch and SD-WAN gateway.
Role Name | VLAN |
---|---|
EMPLOYEE | 101 |
CAMERA | 102 |
BADGE_ACC | 103 |
MEETING_KIOSK | 103 |
THERMOSTAT | 103 |
GUEST | 104 |
REJECT | 105 |
CRITICAL_AUTH | 106 |
QUARENTINE | 107 |
Caution: Role names are case sensitive; ensure each name is identical on all devices, including ClearPass.
Configuring Security Zones
The following section demonstrates how to configure Security Zones, which define the type and direction of traffic allowed to flow between zones.
Step 1 Select the Configuration tab in the top left hand side.
Step 2 In the Overlay & Security column select Firewall Zones.
Step 3 Click Add Zone and, in the input box, enter: LAN
Step 4 Click Add Zone and, in the input box, enter: WAN
Step 5 Click Add Zone and, in the input box, enter: IOT
Step 6 Click Save.
Configuring Network Segments
By default, network segments are completely isolated and can only route to destinations within the same segment. Network segments will be used to separate the Guest and Quarantine traffic.
Step 1 Select the Configuration tab in the top left hand side.
Step 2 In the Networking column select Routing Segmentation (VRF).
Step 3 Click + Add Segment, enter: Guest
Step 4 Click + Add Segment, enter: Quarantine
Configure Segment Policy
The Overlay Breakout policy will be used to restrict Guest and Quarantine devices from using the higher priority BIOs.
Step 1 Open the Routing Segmentation (VRF) page.
Step 2 Navigate to the Overlay & Breakout Policies column.
Step 3 Click +Add for any segment.
Step 4 For the quarantine and guest segments, click the include button.
Configure Firewall Zone Policy
The following section demonstrates how to configure a Firewall Zone Policy rule; this process will be used to configure the Firewall Zone Policy for each segment.
Configure Default Segment
The following steps configure the policy shown in the table below.
Step 1 In the Firewall Zone Policy column, click +Add.
Step 2 Click the Default to WAN box.
Step 3 Click Add Rule.
Step 4 In the ruleset table, delete the Match Everything rule.
Step 5 In the Action column, change the Deny rule to Allow.
Step 6 Click OK.
Step 7 Repeat Steps 1-6 to configure the remaining Allow All policies using the table below.
Step 8 Select the LAN to IOT box
Step 9 Click Add Rule.
Step 10 Select the Match Criteria column.
Step 11 Check the User Role box and the SRC:Dest box.
Step 12 Enter the source role as EMPLOYEE and the destination role as THERMOSTAT.
Step 13 Click OK.
Step 14 Repeat the rule in the inverse direction for the IOT to LAN box.
Step 15 Click Save.
Step 16 (Optional) Enter a comment, then click Save.
Step 17 Click the X in the top right.
Configure Address Groups
Step 1 Click Configuration, then in the Templates & Policies column click Address Groups.
Step 2 On the Address Groups page click Add Group.
Step 3 Enter the following.
- Name: RFC1918
- IP Space: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
Step 4 Click Add.
Step 5 On the Address Groups page click Add Group.
Step 6 Enter the following.
- Name: DHCP_DNS
- IP Space: 10.2.120.99, 10.2.120.98
Step 7 Click Add.
Step 8 On the Address Groups page click Add Group.
Step 9 Enter the following.
- Name: Clearpass
- IP Space: 10.2.120.94, 10.2.120.95
Step 10 Click Add.
Configure Quarantine Segment Firewall Policy
The Quarantine segment needs to be able to access the WAN and the HoneyPot services over the WAN. The following section demonstrates how to configure the inter-segment security policy.
Step 1 In the Firewall Zone Policy column, click +Add.
Step 2 Click the Default to WAN box.
Step 3 Click Add Rule.
Step 4 In the ruleset table, delete the Match Everything rule.
Step 5 In the Action column, change the Deny rule to Allow.
Step 6 Click OK.
Service | Action | Destination |
---|---|---|
DHCP | Allow | DHCP_DNS (Address Group) |
DNS | Allow | DHCP_DNS (Address Group) |
All services | Allow | 10.13.120.0/26 |
All services | Deny | All Destinations |
Configure Guest Segment Firewall Policy
The Guest segment needs to reach the internal DNS, DHCP and ClearPass servers; this section demonstrates how to configure the inter-segment security policy that allows the guest network to reach these services.
Step 1 In the Firewall Zone Policy column, click +Add.
Step 2 Click the Default to WAN box.
Step 3 Click Add Rule.
Step 4 In the ruleset table, delete the Match Everything rule.
Step 5 In the Action column, change the Deny rule to Allow.
Step 6 Click OK.
Service | Action | Destination |
---|---|---|
DHCP | Allow | DHCP_DNS (Address Group) |
DNS | Allow | DHCP_DNS (Address Group) |
HTTPS/HTTP | Allow | ClearPass (Address Group) |
All services | Deny | RFC1918 (Address Group) |
All services | Allow | All Destinations |
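The two rule tables above are evaluated top to bottom, so their order is what makes the Guest policy safe: the RFC1918 deny must sit before the final allow-all. The following Python model, added here as an example and not the SD-WAN product's own logic, encodes both tables with the address groups from this guide and assumes the standard ports for the DHCP, DNS and HTTP/HTTPS service names plus an implicit deny when nothing matches.

```python
import ipaddress

# Address groups as defined in the guide
ADDRESS_GROUPS = {
    "RFC1918": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "DHCP_DNS": ["10.2.120.99", "10.2.120.98"],
    "ClearPass": ["10.2.120.94", "10.2.120.95"],
}
# Service names from the tables mapped to (protocol, port); standard ports assumed
SERVICES = {
    "DHCP": {("udp", 67), ("udp", 68)},
    "DNS": {("udp", 53), ("tcp", 53)},
    "HTTPS/HTTP": {("tcp", 443), ("tcp", 80)},
}
# Rule tables exactly as on the page: (service, action, destination), first match wins
GUEST_TO_WAN = [
    ("DHCP", "Allow", "DHCP_DNS"),
    ("DNS", "Allow", "DHCP_DNS"),
    ("HTTPS/HTTP", "Allow", "ClearPass"),
    ("All services", "Deny", "RFC1918"),
    ("All services", "Allow", "All Destinations"),
]
QUARANTINE_TO_WAN = [
    ("DHCP", "Allow", "DHCP_DNS"),
    ("DNS", "Allow", "DHCP_DNS"),
    ("All services", "Allow", "10.13.120.0/26"),
    ("All services", "Deny", "All Destinations"),
]


def _dest_matches(dest, ip):
    """True if ip falls inside the address group or literal prefix named by dest."""
    if dest == "All Destinations":
        return True
    prefixes = ADDRESS_GROUPS.get(dest, [dest])
    return any(ip in ipaddress.ip_network(p, strict=False) for p in prefixes)


def _service_matches(service, proto, port):
    return service == "All services" or (proto, port) in SERVICES[service]


def evaluate(rules, dst_ip, proto, port):
    """Return the action of the first matching rule; implicit Deny (assumed) if none match."""
    ip = ipaddress.ip_address(dst_ip)
    for service, action, dest in rules:
        if _service_matches(service, proto, port) and _dest_matches(dest, ip):
            return action
    return "Deny"
```

Swapping the last two Guest rules turns the RFC1918 deny into dead code, which is the mistake this model is meant to catch before the policy is saved.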
Configure Inter-Segment Routing and DNAT
In the previous section, security policies between segments were configured. However, the firewall policy alone does not allow inter-segment communication; it only enforces security within a segment.
To allow full inter-segment communication, Inter-Segment Routing and DNAT must also be configured.
Each segment is configured with the appropriate subnet going to and from each segment. Use the following steps to configure inter-segment routing.
Step 1 Go to the Routing Segmentation (VRF) page. In the Default Segment row and the Inter-Segment Routing & DNAT column, click +Add.
Step 2 At the top right, click the +Add Rule button.
Step 3 Enter the Match condition as: 10.14.52.0/24
Step 4 Set Send to Segment to: Guest
Step 5 In the Comment field, enter: BOIBR-GUEST
Step 6 Repeat steps 2 to 5 swapping each input for the items shown in the table below.
Source Segment | Destination Segment | Match Condition | Comment |
---|---|---|---|
Default | Guest | 10.14.52.0/24 | BOIBR-GUEST |
Default | Quarantine | 10.14.55.0/24 | BOIBR-QUAR |
Default | Guest | 10.14.44.0/24 | PORBR-GUEST |
Default | Quarantine | 10.14.47.0/24 | PORBR-QUAR |
Default | Guest | 10.14.36.0/24 | CHIBR-GUEST |
Default | Quarantine | 10.14.39.0/24 | CHIBR-QUAR |
Step 7 Click Save.
Step 8 In the Quarantine segment row of the Inter-Segment Routing & DNAT column, click +Add.
Step 9 At the top right, click the +Add Rule button. Use the table below to configure the rules.
Step 10 Repeat steps 8 and 9 for the Guest segment, using the table below.
Source Segment | Destination Segment | Match Condition | Comment |
---|---|---|---|
Quarantine/Guest | Default | 10.2.120.98/31 | DHCP/DNS |
Quarantine/Guest | Default | 10.2.120.94/31 | ClearPass |
Quarantine | Default | 10.13.120.0/26 | Honeypot |
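Because a firewall Allow rule without a matching inter-segment route still leaves the destination unreachable, it is worth checking that every allowed destination in the Guest and Quarantine policies is covered by a route toward Default (the /31 routes above cover both addresses of each address group). The following Python check is an added example, not a feature of the product, and uses only the address groups, Allow destinations and route match conditions from this guide.

```python
import ipaddress

# Address groups as defined in the guide
ADDRESS_GROUPS = {
    "DHCP_DNS": ["10.2.120.99", "10.2.120.98"],
    "ClearPass": ["10.2.120.94", "10.2.120.95"],
}
# Destination column of each segment's Allow rules (from the Firewall Zone Policy tables)
ALLOWED_DESTINATIONS = {
    "Guest": ["DHCP_DNS", "ClearPass"],
    "Quarantine": ["DHCP_DNS", "10.13.120.0/26"],
}
# Inter-Segment Routing rules from each segment toward Default: (match condition, comment)
ROUTES_TO_DEFAULT = {
    "Guest": [("10.2.120.98/31", "DHCP/DNS"), ("10.2.120.94/31", "ClearPass")],
    "Quarantine": [("10.2.120.98/31", "DHCP/DNS"), ("10.2.120.94/31", "ClearPass"),
                   ("10.13.120.0/26", "Honeypot")],
}


def _expand(dest):
    """Turn an address-group name or literal prefix into a list of networks."""
    return [ipaddress.ip_network(p, strict=False)
            for p in ADDRESS_GROUPS.get(dest, [dest])]


def unrouted_destinations(segment, routes=ROUTES_TO_DEFAULT):
    """Return the allowed destinations of `segment` that no inter-segment route covers."""
    route_nets = [ipaddress.ip_network(m, strict=False) for m, _ in routes[segment]]
    missing = []
    for dest in ALLOWED_DESTINATIONS[segment]:
        for net in _expand(dest):
            if not any(net.subnet_of(r) for r in route_nets):
                missing.append(str(net))
    return missing


if __name__ == "__main__":
    for seg in ALLOWED_DESTINATIONS:
        print(seg, "unrouted:", unrouted_destinations(seg) or "none")
```

With the routes exactly as tabulated above both segments report no gaps; dropping the Honeypot route or narrowing a /31 to a single host is reported immediately.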