SonicOS 7 System

Technical Documentation>  Interfaces>  Interface Settings IPv4>  Layer 2 Bridged Mode>  Sample Topologies>  Internal Security
Table of Contents

Internal Security

A network scenario where the appliance acts as the perimeter security device and secure wireless platform. Simultaneously, it provides L2 Bridge security between the workstation and server segments of the network without having to readdress any of the workstation or servers.

This typical inter-departmental Mixed Mode topology deployment demonstrates how the appliance can simultaneously Bridge and route/NAT. Traffic to/from the Primary Bridge Interface (Server) segment from/to the Secondary Bridge Interface (Workstation) segment pass through the L2 Bridge.

As both interfaces of the Bridge-Pair are assigned to a Trusted (LAN) zone, the following apply:

  • All traffic is allowed by default, but Access Rules could be constructed as needed.
  • Consider, for the point of contrast, what would occur if the X2 (Primary Bridge Interface) was instead assigned to a Public (DMZ) zone: All the Workstations would be able to reach the Servers, but the Servers would not be able to initiate communications to the Workstations. While this would probably support the traffic flow requirements (that is, Workstations initiating sessions to Servers), it would have two undesirable effects.
  • The DHCP server would be in the DMZ. DHCP requests from the Workstations would pass through the L2 Bridge to the DHCP server (192.168.0.100), but the DHCP offers from the server would be dropped by the default DMZ > LAN Deny Access Rule. An Access Rule would have to be added, or the default modified, to allow this traffic from the DMZ to the LAN.
  • Security services directionality would be classified as Outgoing for traffic from the Workstations to the Server because the traffic would have a Trusted source zone and a Public destination zone. This might be suboptimal because it would provide less scrutiny than the Incoming or (ideally) Trust classifications.
  • Security services directionality would be classified as Trust, and all signatures (Incoming, Outgoing, and Bidirectional) are applied, providing the highest level of security to/from both segments.

For detailed instructions on configuring interfaces in Layer 2 Bridged Mode, see Configuring Layer 2 Bridged Mode.