SonicOS 7 System

Technical Documentation>  Interfaces>  Interface Settings IPv4>  Layer 2 Bridged Mode>  L2 Bridge Interface Zone Selection>  Security Services Directionality
Table of Contents

Security Services Directionality

As it is one of the primary employments of L2 Bridged Mode, understanding the application of security services is important to the proper zone selection for Bridge-Pair interfaces. Security services applicability is based on the following criteria:

  1. The direction of the service:
    • GAV is primarily an Inbound service, inspecting inbound HTTP, FTP, IMAP, SMTP, POP3, and TCP Streams. It also has an additional Outbound element for SMTP.
    • Anti-Spyware is primarily Inbound, inspecting inbound HTTP, FTP, IMAP, SMTP, POP3 for the delivery (that is, retrieval) of Spyware components as generally recognized by their class IDs. It also has an additional Outbound component, where Outbound is used relative to the directionality (namely, Outgoing) ascribed to it by the IPS signatures that trigger the recognition of these Spyware components. The Outgoing classifier (described in IPS: Direction of Traffic) is used because these components are generally retrieved by the client (for example, LAN host) through HTTP from a Web-server on the Internet (WAN host). Referring to IPS: Direction of Traffic, that would be an Outgoing connection, and requires a signature with an Outgoing directional classification.
    • IPS has three directions: Incoming, Outgoing, and Bidirectional. Incoming and Outgoing are described in IPS: Direction of Traffic, and Bidirectional refers to all points of intersection on the table.
    • For additional accuracy, other elements are also considered, such as the state of the connection (for example, SYN or Established), and the source of the packet relative to the flow (for example, initiator or responder).

  2. The direction of the traffic. The direction of the traffic as it pertains to IPS is primarily determined by the Source and Destination zone of the traffic flow. When a packet is received by the appliance, its source zone is generally immediately known, and its destination zone is quickly determined by doing a route (or VPN) lookup.

    Based on the source and destination, the packet’s directionality is categorized as either Incoming or Outgoing, (not to be confused with Inbound and Outbound) where the criteria shown in IPS: Direction of Traffic is used to make the determination.

    IPS: Direction of Traffic
    Dest/Src Untrusted Public Wireless Encrypted Trusted Multicast
    Untrusted Incoming Incoming Incoming Incoming Incoming Incoming
    Public Outgoing Outgoing Outgoing Incoming Incoming Incoming
    Wireless Outgoing Outgoing Trust Trust Trust Incoming
    Encrypted Outgoing Outgoing Trust Trust Trust Outgoing
    Trusted Outgoing Outgoing Trust Trust Trust Outgoing
    Table data is subject to change.            

    In addition to this categorization, packets traveling to/from zones with levels of additional trust, which are inherently afforded heightened levels of security (LAN|Wireless|Encrypted <--> LAN|Wireless|Encrypted) are given the special Trust classification. Traffic with the Trust classification has all signatures applied (Incoming, Outgoing, and Bidirectional).

  3. The direction of the signature. This pertains primarily to IPS, where each signature is assigned a direction by SonicWall’s signature development team. This is done as an optimization to minimize false positives. Signature directions are:
    • Incoming – Applies to Incoming and Trust. The majority of signatures are Incoming, and they include all forms of application exploits and all enumeration and footprinting attempts. Approximately 85 percent of signatures are Incoming.
    • Outgoing – Applies to Outgoing and Trust. Examples of Outgoing signatures would include IM and P2P login attempts, and responses to successfully launched exploits (for example, Attack Responses). Approximately 10 percent of signatures are Outgoing.
    • Bidirectional – Applies to all. Examples of Bidirectional signatures would include IM file transfers, various NetBIOS attacks (for example, Sasser communications) and a variety of DoS attacks (for example, UDP/TCP traffic destined to port 0). Approximately five percent of signatures are Bidirectional.
  4. Zone application. For a signature to be triggered, the desired security service must be active on at least one of the zones it traverses. For example, a host on the Internet (X1, WAN) accessing a Microsoft Terminal Server (on X3, Secondary Bridge Interface, LAN) triggers the Incoming signature “IPS Detection Alert: MISC MS Terminal server request, SID: 436, Priority: Low” if IPS is active on the WAN, the LAN, or both.