5.18. Module Zone

This module defines the Zone class.

Zones are the basis of access control. A zone consists of a set of IP addresses, address ranges, or subnet. For example, a zone can contain an IPv4 or IPv6 subnet.

Zones are organized into a hierarchy created by the administrator. Child zones inherit the security attributes (set of permitted services etc.) from their parents. The administrative hierarchy often reflects the organization of the company, with zones assigned to the different departments.

When it has to be determined what zone a client belongs to, the most specific zone containing the searched IP address is selected. If an IP address belongs to two different zones, the most specific zone is selected.

Example 5.47. Finding IP networks

Example 5.47. Finding IP networks
Suppose there are three zones configured: `Zone_A` containing the `10.0.0.0/8` network, `Zone_B` containing the `10.0.0.0/16` network, and `Zone_C` containing the `10.0.0.25` IP address. Searching for the `10.0.44.0` network returns `Zone_B`, because that is the most specific zone matching the searched IP address. Similarly, searching for `10.0.0.25` returns only `Zone_C`. This approach is used in the service definitions as well: when a client sends a connection request, the most specific zone containing the IP address of the client is looked up. Suppose that the clients in `Zone_A` are allowed to use HTTP. If a client with IP `10.0.0.50` (thus belonging to `Zone_B`) can only use HTTP if `Zone_B` is the child of `Zone_A`, or if a service definition explicitly permits `Zone_B` to use HTTP.

Suppose there are three zones configured: Zone_A containing the 10.0.0.0/8 network, Zone_B containing the 10.0.0.0/16 network, and Zone_C containing the 10.0.0.25 IP address. Searching for the 10.0.44.0 network returns Zone_B, because that is the most specific zone matching the searched IP address. Similarly, searching for 10.0.0.25 returns only Zone_C.

This approach is used in the service definitions as well: when a client sends a connection request, the most specific zone containing the IP address of the client is looked up. Suppose that the clients in Zone_A are allowed to use HTTP. If a client with IP 10.0.0.50 (thus belonging to Zone_B) can only use HTTP if Zone_B is the child of Zone_A, or if a service definition explicitly permits Zone_B to use HTTP.

Example 5.48. Zone examples
The following example defines a simple zone hierarchy. The following zones are defined: internet: This zone contains every possible IP addresses, if an IP address does not belong to another zone, than it belongs to the internet zone. office: This zone contains the `192.168.1.0/32` and `192.168.2.0/32` networks. management: This zone is separated from the office zone, because it contans an independent subnet `192.168.3.0/32`. But from the administrator's view, it is the child zone of the office zone, meaning that it can use (and accept) the same services as the office zone. DMZ: This is a separate zone. Zone('internet', ['0.0.0.0/0', '::0/0']) Zone('office', ['192.168.1.0/32', '192.168.2.0/32']) Zone('management', ['192.168.3.0/32']) Zone('DMZ', ['10.50.0.0/32'])

Example 5.48. Zone examples

The following example defines a simple zone hierarchy. The following zones are defined:

internet: This zone contains every possible IP addresses, if an IP address does not belong to another zone, than it belongs to the internet zone.
office: This zone contains the 192.168.1.0/32 and 192.168.2.0/32 networks.
management: This zone is separated from the office zone, because it contans an independent subnet 192.168.3.0/32. But from the administrator's view, it is the child zone of the office zone, meaning that it can use (and accept) the same services as the office zone.
DMZ: This is a separate zone.

Zone('internet', ['0.0.0.0/0', '::0/0'])
Zone('office', ['192.168.1.0/32', '192.168.2.0/32'])
Zone('management', ['192.168.3.0/32'])
Zone('DMZ', ['10.50.0.0/32'])

Previous	Up	Next
	Home

Zorp GPL 7 Reference Guide

Chapter 5. Core

5.18. Module Zone