Network Segmentation Part 2
In this post I will focus on the actual segmentation, implemented by specific firewall rules. This is a follow-up to a previous post, Network Segmentation Part 1.
Rule Creation Concepts
It focuses on the concepts of OPNSense / PFSense, but it should be generally applicable.
There are also so-called Floating Rules, which apply first on all interfaces, but I did not find a use for them yet…
I only created rules on a per-interface basis. Here I want to show an exemplary rule set for a simple DMZ[1].
Rules apply on a first-match basis, so the order of the rules matters a lot. As a consequence one should start with the most specific rules and add more and more general rules underneath. In OPNSense there is an invisible "block everything" rule at the very bottom, which means that by default everything is blocked.
The simplest rule set is for a network that should have access to everything. If that is the goal, you just need one rule like the following:
Parameter | Value |
---|---|
Protocol | IPv4+6 * |
Source IP | * |
Source Port | * |
Destination IP | * |
Destination Port | * |
Action | pass |
Everything in this network can communicate with everything (all private networks and the whole internet).
A more restricted network
But one might also want a more restrictive network, like a DMZ. In pseudo-code, the rule set looks like this:
- Allow certain traffic from the DMZ to other networks (very specific, by single IPs and ports)
- Allow DNS only to the DMZ address (the router)
- Block DNS from the DMZ to all other addresses
- Allow access to the internet
- Block everything else (all other local networks)
Let’s suppose we have the following networks:
- 192.168.40.0/24 –> LAN
- 192.168.50.0/24 –> DMZ
- 192.168.60.0/24 –> IoT
1. Allow very specific traffic
Here we allow a server in the DMZ at the address 192.168.50.50 to access a server in the LAN at the address 192.168.40.50 on a specific port, 1234. It would be best not to have any such rule at all, but it might be necessary for monitoring or other reasons. The servers involved should be treated with special care, because they are the only hole in the firewall between the LAN and the DMZ.
Parameter | Value |
---|---|
Protocol | IPv4+6 TCP |
Source IP | 192.168.50.50 |
Source Port | * |
Destination IP | 192.168.40.50 |
Destination Port | 1234 |
Action | pass |
2. / 3. Allow only the DNS you trust
These two rules ensure that only the DNS server on the OPNSense router can act as such, so any rogue DNS server is rendered useless… DMZ net and DMZ address are auto-generated aliases for an interface’s network and its IP address.
Allow the DNS server:
Parameter | Value |
---|---|
Protocol | IPv4+6 TCP/UDP |
Source IP | DMZ net |
Source Port | * |
Destination IP | DMZ address |
Destination Port | 53 |
Action | pass |
Block other DNS servers:
Parameter | Value |
---|---|
Protocol | IPv4+6 TCP/UDP |
Source IP | DMZ net |
Source Port | * |
Destination IP | * |
Destination Port | 53 |
Action | block |
4. & 5. Allow all except other local networks
Points 4. and 5. can be covered in one rule (plus the hidden block rule). I created an alias Private Networks, which includes all my networks: LAN, DMZ and IoT. When one creates a rule in OPNSense there is a checkbox Invert Destination, which negates the destination. In my case everything except the Private Networks is allowed. The negation is visible as the !.
Parameter | Value |
---|---|
Protocol | IPv4+6 * |
Source IP | DMZ net |
Source Port | * |
Destination IP | ! Private Networks |
Destination Port | * |
Action | pass |
This is the last visible rule; anything that does not match one of the rules above is blocked by the hidden default rule.
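To make the first-match behaviour and the effect of rule order concrete, here is a small Python model of the five-rule DMZ set above. This is an added example, not code from the post or from OPNSense: it is a simplified evaluator (no state tracking, no interface binding), the router's DMZ address 192.168.50.1 is an assumption, and the sample packets and external addresses are constructed. It also shows what happens when rules 2 and 3 are swapped, which is the ordering mistake the "most specific first" advice is meant to prevent.

```python
import ipaddress

# Constructed to mirror the post's example networks; the router's DMZ
# interface address (DMZ_ADDRESS) is an assumption for this example.
ANY = "*"
LAN = ipaddress.ip_network("192.168.40.0/24")
DMZ = ipaddress.ip_network("192.168.50.0/24")
IOT = ipaddress.ip_network("192.168.60.0/24")
DMZ_ADDRESS = ipaddress.ip_address("192.168.50.1")   # assumed router address in the DMZ
PRIVATE_NETWORKS = [LAN, DMZ, IOT]                    # the "Private Networks" alias


class Rule:
    """One firewall rule; src/dst are ANY, an address, a network or a list of those."""

    def __init__(self, name, action, proto, src, dst, dport, invert_dst=False):
        self.name = name
        self.action = action          # "pass" or "block"
        self.proto = proto            # "tcp", "udp", "tcp/udp" or ANY
        self.src = src
        self.dst = dst
        self.dport = dport            # int or ANY
        self.invert_dst = invert_dst  # the "Invert Destination" checkbox


def _addr_matches(spec, addr):
    if spec == ANY:
        return True
    if isinstance(spec, list):
        return any(_addr_matches(s, addr) for s in spec)
    if isinstance(spec, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
        return addr in spec
    return addr == spec


def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation with the implicit trailing block rule.

    Returns (action, rule_name) for the first rule that matches the packet;
    if no rule matches, the hidden default rule blocks it.
    """
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        if rule.proto != ANY and proto not in rule.proto.split("/"):
            continue
        if not _addr_matches(rule.src, src):
            continue
        dst_hit = _addr_matches(rule.dst, dst)
        if rule.invert_dst:           # "! Private Networks": match when dst is NOT in the alias
            dst_hit = not dst_hit
        if not dst_hit:
            continue
        if rule.dport != ANY and rule.dport != dport:
            continue
        return rule.action, rule.name
    return "block", "implicit default block"


# The post's DMZ rule set, in the order it appears on the interface.
DMZ_RULES = [
    Rule("1: allow 192.168.50.50 -> 192.168.40.50:1234", "pass", "tcp",
         ipaddress.ip_address("192.168.50.50"), ipaddress.ip_address("192.168.40.50"), 1234),
    Rule("2: allow DNS to the router", "pass", "tcp/udp", DMZ, DMZ_ADDRESS, 53),
    Rule("3: block DNS to anyone else", "block", "tcp/udp", DMZ, ANY, 53),
    Rule("4/5: allow everything except private networks", "pass", ANY, DMZ,
         PRIVATE_NETWORKS, ANY, invert_dst=True),
]


def check_dmz_rules(rules=DMZ_RULES):
    """Run constructed sample packets (src, dst, proto, dport) through the rules."""
    packets = {
        "monitoring to LAN server": ("192.168.50.50", "192.168.40.50", "tcp", 1234),
        "other DMZ host to LAN server": ("192.168.50.51", "192.168.40.50", "tcp", 1234),
        "DNS to router": ("192.168.50.10", "192.168.50.1", "udp", 53),
        "DNS to rogue/external resolver": ("192.168.50.10", "198.51.100.53", "udp", 53),
        "HTTPS to the internet": ("192.168.50.10", "203.0.113.80", "tcp", 443),
        "HTTPS to the IoT network": ("192.168.50.10", "192.168.60.20", "tcp", 443),
    }
    return {label: evaluate(rules, *pkt)[0] for label, pkt in packets.items()}


def misordered_rules():
    """Rules 2 and 3 swapped: the broader DNS block now shadows the router-DNS pass."""
    return [DMZ_RULES[0], DMZ_RULES[2], DMZ_RULES[1], DMZ_RULES[3]]


if __name__ == "__main__":
    for label, action in check_dmz_rules().items():
        print(f"{action:5}  {label}")
    print("DNS to router with rules 2/3 swapped:",
          check_dmz_rules(misordered_rules())["DNS to router"])
```

Running it shows the intended outcome for each sample packet, and that with rules 2 and 3 swapped even DNS to the router is blocked, because the general block rule is hit before the specific pass rule. Note that, like the post's rules, this only treats port 53 as DNS, so a rogue resolver listening on another port is not covered by rule 3.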
Conclusion
This approach is just an example of how one can create a DMZ and can serve as a starting point. Surely one could also make it much more restrictive. Anyhow, I am very interested in other approaches, so let me know if you find my suggestion faulty or inefficient. I appreciate corrections and other opinions!
[1] A DMZ, or “demilitarized zone,” is a network segment that acts as a buffer between a company’s internal network and the Internet. It is designed to improve security by containing and isolating potentially hostile traffic. Typically, servers and other resources that need to be accessible from the Internet, such as a web server or email server, are placed in the DMZ. This way, if an attacker is able to penetrate the DMZ, they will not have access to the sensitive information stored on the internal network.