Zones as a hierarchial structure
To really grok how the “network security zone” structure is innately hierarchical, we need to more fully conceptualizing what the “transit zone” *is (in ralation to the other zones).
Re-visiting the “network security zone” concept
Trusted or Un-Trusted: That is the question(?)
In the simplest conceptual model for network-security zones, there are only two classifications: “trusted”, and “un-trusted”. In that model, you own/control/operate the “trusted” zone, and some other group operates the un-trusted zone. If two networks with separate owners/operators want to connect, but regard each other as “un-trusted”, the most direct solution is the “back-to-back-firewalls” topology. From your perspective, your firewall and everything on your side of it are “trusted” and everything on the other side is “untrusted.” From the other network’s perspective, the situation is reversed. They regard their firewall and everything on their side of as “trusted”, and everything on the other side as “untrusted.”
What about the network between the two firewalls, though? Neither of the two parties in this scenario regards that segment of the network as trusted (hence the “no-man’s land” moniker.) In that scenario, if you (and the other network’s owner) wanted to also connect to multiple additional (separately administered; mutually un-trusted) networks, it would be more efficient for you to all share that no-man’s-land region for mutual interconnection. The “transit” zone we’ve been discussing is that multi-party no-man’s-land.
The no-man’s land framework does raise a new question though:
Who is responsible for the no-man’s-land / “transit zone”?
When I said that neither party regarded the no-mans’s land as “trusted”, I didn’t address who administers the no-man’s-land. The original two parties might cooperatively adminsiter the no-man’s-land, or might a a mutually acceptable third-party to do so. In the latter case, that third party might regard it as “trusted”, because it is under their control. They might also regard it as “un-trusted” because they can’t control what gets into (or out of) it through all those other organizations’ firewalls. (That binary “trusted/untrusted” model doesn’t deal well with shades-of-grey.)
Shades of Gray
Instead of a binary (trusted/un-trusted) though, we might use a range of values to denote the level of trust we assign to a specific zone, or we might throw “trust” out the window and decide that shared risk profile or shared failure domains is a more desirable principal for grouping nodes into security zones.
It is also worth considering that we (as owners/operators of the network) can assign some level of trust to the transit-zone. In the context of the framework we’re developing, “we” are in control of all of the zones and there is nothing inherently untrustworthy/risky about the transit-zone itself. (It is populated only with what we choose to put there, after all.)
Hierarchical relationship of transit zone (zone “0”) to other zones
In terms of how the network/graph is constructed, it doesn’t really matter whether we consider a “zone” be defined by a shared level of trust, or a shared risk-profile (or the last 7 bits of its route-distinguisher). Whatever grouping-principal we apply to select the nodes in a security zone, the new rules of inference that our “transit zone” construct introduce to our grap are
- Edges may connect any two nodes in the same zone
and
- Edges may connect any node (A) in a transit-zone to a node (B) in any other (non “transit zone”) security zone only if that node (B) is a stateful-nodes.
Inspecting our reference topology, we can see that those rules of inference have not been violated, and that the structure/pattern of the relationships between the zones is a “tree”, with the transit zone as the root. The transit-zone then, is the root of our security-zone tree, and the other security-zones we’ve defined have a depth of 1 (in the security-zone tree.)
The figure below depicts the zone hierarchy of our reference topology as an overlay on the reference-topology graph, in which each node of the overlay zone graph “contains” the collection of all underlay graph nodes with identical “zone” values.
This zone overlay graph is a rooted tree, of which the “transit zone” (0) overlay node is the root node. Zone-0 is the parent (and an ascendent) of zones 0.1, 0.2, and 0.3, which are, in turn children (and descendents) of zone 0 and “siblings” of each other. Zones 0.1, 0.2, and 0.3 are “leaves” of the tree (because they have no children.)
Depicting hierarchical “zone” structures in the graph
So, how does this pattern recurse if we want to add descendent zones to the current leaf-zones? With the transit-zone (zone-0) as the root of our zone-tree, our reference topology has three additional zones (all children of zone 0): zone 0.1, zone 0.2, and zone0.3. Applied recursively, each of those zones may act as a transit-zone/parent for any sub-zones they contain.
The following figure depicts the reference topology, modified to add two new child zones to zone 0.1, and two new child-zones to zone 0.3. (The latter two each have their child-zones.
In this modified graph, we have increased the depth of the zone tree from one to three.
“Zone Depth” (ZD) to refer to the number of parent-child relationships between a node’s zone and the root/top level of the zone-hierarchy. Or, more formally, as the number of edges on the path from a node to the root of the zone tree. The most significant design-decision at this point is whether the edges connecting a parent-zone to child-zone should to terminate on a stateful node on either end.
Do zone-depth-traversing edges connect nodes that are stateful or nodes that are stateless?
The initial pattern we are using as the basis for recursion calls for edges between the parent (“0”/”transit”) zone its it child-zones (“0.1”, “0.2”, “0.3”) to land on stateful nodes in the child-zone, and stateless nodes in the parent-zone. We carry that pattern forward here.
Stateful nodes in the child-zone node of a zone-depth-traversing edge
Our definition of a security zone is based on paths in/out of the zone passing through a stateful node in that zone. Hence, a zone-depth-traversing edge must terminate on a stateful node.
Stateless nodes in the parent-zone.
Relative to the child-zones, the nominal purpose of the parent-zone is to provide a path between its child-zones. The stateful nodes on the “child-zone-side” of each partent/child-zone are “protecting” the nodes within the child-zone, and the nodes within the parent-zone are concurrently protected by those same stateful-edges. Adding a stateful edge to the parent-zone side would only duplicate the existing controls on the child-side edge.
At this point, it would be entirely reasonable to say: “well, yes… at the top of the zone-hierarchy (the data-plane of the multi-zone firewall in the preamble of this paper), there’s an implicit trust that the parent/transit zone is “secure”, but why should that presumption carry through to lower zone-depths?
The answer to that is: I have no idea if it should or shouldn’t; that would be a highly context-dependent decision based on the real-world dynamics you want to model in your graph. If you don’t cary it forward, and you decide to have the parent-node of a zone-depth-traversing edge be a stateful node, you’d be better served with two zones at the same level of the zone-hierarchy. This is because the only real benefit inherent to a hierarchical zone structure is that the stateful-nodes of the parent zone are spared from having to process traffic between the sub-zones. The following figure illustrates a set of zone-depth-2 zones (0.1.1, 0.1.2) attached to depth-1 zone 0.1’s stateful-node. It also illustrates two zone-depth-2 zones attached to a stateless node in their parent-zone (on the right side of the graph.)
Observation of the available paths quickly reveals that with the parent-side node of inter-zone-depth edges landing on a stateful node:
- Paths between neighbor child-zones must traverse three stateful nodes (rather than two)
- Paths between child-zone and parent zone must traverse two stateful nodes (rather than one)
And that with parent-side node of inter-zone edges landing on stateless nodes:
- Paths between neighbor child-zones must traverse two stateful nodes (rather than three)
- Paths between child-zone and parent zone must traverse one stateful node (rather than two)
Summary
When we attempt to reconcile the concept of a “transit zone” with that of a “network security zone”, it becomes apparent that:
The relationship between a “transit zone” and other network security-zones that it is connected to is a parent:child (one:many, hierarchical) one. How we define the term “network security zone” matters, with regards to whether recursive security zones is a cogent concept or not