Setting up SonicWALL TZ400 DMZ and how to split up network into segments?
I've attached a diagram showing what I want to accomplish and I'm looking for suggestions. I currently have a network that I've been put in charge of. Currently everything in the facility other than the guest network runs off the same subnet and passes through the firewall. The problem is I have 1 switch, 4 computers, and some proprietary hardware that are for use in a radio system. The computers within that realm do not have antivirus on them and according to the vendor the antivirus software needs to stay off of them so I need to segment those devices away from everything else.
I've got my main corporate network with around 20 workstations all with antivirus protection.
The guest network which has Wi-Fi devices, employee cell phones, misc., nothing protected.
A secure network that houses system with PPI and governmental data.
I also have a CCTV network that is completely offline because the servers are running legacy software.
My issue is, I have copiers and printers that need to be accessible by everyone. I also have an access control system that needs to be accessible to everyone except people on the guest network. The diagram attached shows that my main connection from my ISP comes into my SonicWALL. From there I assume I need to split off into a DMZ, and guest network, and my corporate network. The devices at the top that are connected to a ASA Gateway will pass information to another agency and those devices need to be able to printer to the DMZ, but I don't want any other network traffic to comingle with the ASA Traffic. The radio Network needs to access the access control system, but nothing else.
I guess my question is, what would be the best approach to segment these devices? Do they all need to be setup on their own subnet or VLAN? If I setup subnets for all the different areas i.e.,
Corporate Net 192.168.1.1
Guest Network 192.168.2.1
Radio Network 192.168.3.1
how would they connect to the DMZ? Does the DMZ have to have it's own router on a different subnet or can it have a switch on the same subnet, or what?
Good morning! The DMZ will indeed have its own port and subnet. By default, the DMZ zone is disallowed to other zones, so you'll need to explicitly allow necessary traffic in the Access Rules section.
Additionally, each of your subnets and logical groupings (Radio Network, Vendor Network, etc) can have their own subnet and zone, which would also allow you to control traffic to and from each grouping with more granularity. You can use virtual interfaces (similar to sub-interfaces in Cisco-speak) on your X5 interface to further segment that traffic using VLAN tagging on the Ubiquiti switch.
Does this makes sense or did I confound the issue further?
Answers to questions:
what would be the best approach to segment these devices? Do they all need to be setup on their own subnet or VLAN?
VLANing is your friend. Learn it, use it. VLANing requires additional subnets. If you don't choose to vlan you'd be using individual ports on the sonicwall for each subnet. Also, its implied, but use your firewall as a firewall. Don't just add vlans / subnets that allow all traffic to all networks.
If I setup subnets for all the different areas how would they connect to the DMZ?
SAM was accurate, but you can also make a VLAN a DMZ.
Does the DMZ have to have it's own router on a different subnet or can it have a switch on the same subnet, or what?
Again, SAM answered this. Hardware wise it depends on what you want to accomplish, but simplest is a switch.
Why do you have so many routers and switches for so few devices? I know the above diagram is probably a simple mockup but it helps to be accurate with what connections go to which port. Documentation goes a long way. I've been provided diagrams like above for entire college networks that was "all they had" (and was sorely inaccurate).
TKWITS from the diagram above the first router "Router 0" was put in place by a vendor. They wanted to segment their network away from my network and this was their solution. My main connection come from my ISP to Router 0 and then to my SonicWALL, and from the SonicWALL is really where I start controlling the network. The SonicWALL run DHCP and is setup with the IP Range 192.168.1.1 just like a home network and the Ubiquiti Switch and everything connected to it runs on that 192.168.1.1 subnet. That subnet probably has around 65 devices running on it total right now including all workstations, servers, a copier and a printer, the access control system for the building, the radio network switch and ASA Gateway are all connected to this one Ubiquiti switch. So right now if you were to see the network diagram you would basically have the SonicWALL -- Ubiquiti Switch and from there you would split off to the radio switch, ASA, Switch 4 and everything would be on the same subnet.
The Guest network is the guest Wi-Fi for the building, a couple computers in a conference room that are for general use to anyone the building, and that's about it. The reason I had a router for the guest network was to change the subnet to 192.168.2.1. I wasn't for sure if I could just plug a switch up to the guest interface on my SonicWALL and assign it a scope of 192.168.2.1/24 or if I had to have a router for that so there's an old router setting there with that IP Range programmed into it.
As far as VLANing, I would love to do VLANs but in the past I've been unsuccessful in doing this. I used HP Procurve switches back in the day and I could go in and tag ports on the switch as VLANs but I never could get any traffic to pass on the ports after I set the VLAN up. I believe this was because of configuration in the router I had at the time. I understand setting up the VLANs on the switch but getting the VLAN traffic to pass through the router is what was confusing me, and I finally had to give up on learning about it.
SAM I believe I understand everything you explained. I went out online to find a SonicWALL video explaining the DMZ and VLAN setup. The virtual interface is the step I believe I skipped when trying to setup VLANs previously. From what I'm gathering in the video I watched I setup zones for the different segment groups within my network and then setup virtual interfaces for those zones. I can then go in and make sure DHCP is setup for those VLANs.
VLANing can be tough when switch vendors do their own thing, but once you understand what all equipment is expecting (tagged or untagged traffic) then it gets easier.
"From what I'm gathering in the video I watched I setup zones for the different segment groups within my network and then setup virtual interfaces for those zones. I can then go in and make sure DHCP is setup for those VLANs."
Thats essentially step one; configuring your router/firewall with the VLAN interfaces (or virtual interfaces as Sonicwall calls them). Step two is getting your switch(es) to send the VLAN traffic to the router/firewall appropriately.
Start with something pretty easy: a new zone, a new virtual interface (VLAN), and a DHCP range on that VLAN on the Sonicwall. Then create the same VLAN on the Ubiquity (I do not recommend using the Wizard, do things manually until you get a good understanding). Identify the switchport on the Ubiquity that uplinks to the Sonicwall and set that as a 'trunk' (which means it tags all non-native VLANs on outbound traffic and expects tags on inbound). Pick an unused port on the Ubiquity to test with, set that switchport as 'access' on the new vlan (which means it does NOT tag traffic with the specified VLAN on outbound traffic and does NOT expect tags on inbound), connect a laptop to the switchport and verify you get a DHCP address on the correct subnet.
If you can get that far you are off to a very good start.
I know its been a while since I last commented but I was just now able to try to setup a DMZ and let me tell you what I've run into.
I've got my primary LAN on X0. My WAN on X1, Guest Network on X6 and my DMZ set to X5.
Primary LAN 192.168.100.1, Guest Network 192.168.200.1, and I set the DMZ subnet to 126.96.36.199
I have the access rules setup to deny traffic from the DMZ to the LAN/Guest, but allow from the LAN/Guest to the DMZ. I plugged in a dumb switch and plugged in a laptop and copier to test and I never received an IP Address. I'm not for sure if DHCP has to be configured for the DMZ or something but it never would hand out an IP for the copier or laptop. I then plugged in a small router into the X5 interface that was configured with the subnet and it still did not receive an IP.
I then went in and changed the interface zone to LAN and to guest to see if it was something with the zone and how it was setup and still I never received an IP Address. I checked the cabling and I tested a switch and a router and still nothing.
Can anyone thinking of something I did wrong here?