HUGE Unifi Update! | Zone Based Firewalls | Intro and Walkthrough

  • Published: 5 Feb 2025

Comments • 6

  • @DavidSkok1
    @DavidSkok1 7 days ago +1

    Do you have a recommendation on how to apply Zones to Cameras and Unifi Access devices? It seems like there is one key protection needed: stop those devices from talking to computers, iPhones, etc. on the internal network, in case they get compromised, and a secondary protection would be to stop them from talking to the Internet. But in implementing these we need to keep the cameras' and Access devices' access to the UDM Pro Max to keep functioning correctly with Protect and Access software on the UDM Pro Max. (I see from searching on this topic that I am one of many trying to solve this same problem.) Thanks!

    • @techlogiclounge
      @techlogiclounge 7 days ago +1

      Hi! I would recommend having a few zones, which include a guest, IoT, untrust, trust, and DMZ. The IoT and guests are pretty self-explanatory. They would be allowed out to the internet, and nothing internal (although you could restrict them to only talk to their homes, i.e. Amazon, Azure, etc.). The internal would include your PCs, laptops, smartphones, and internal servers. I would keep separate networks for your servers and PCs, but they can be in the same zone. The DMZ would include VPN users and servers that face the internet. Untrust would primarily be your internet/WAN connection. I would create separate networks for everything and apply intra-zone policies within each zone. I would also set all my policies to explicitly allow what I want only and deny everything else. I like going with more of a zero trust model and not just allowing things to talk by default. That's just a quick explanation, though. You can get far more in-depth based on your needs.

    • @techlogiclounge
      @techlogiclounge 7 days ago +1

      Cameras would probably fall in the IoT zone, however, on their own network, and I wouldn't allow those out at all. They would get an explicit deny right at the top of the Access policy for their network within that zone, but below the permit rule to the NVR, UDM Pro, etc.

    • @DavidSkok1
      @DavidSkok1 7 days ago

      @techlogiclounge Thank you. I will give this a try.
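The ordering point made in the thread above (a permit from the camera network to the NVR/console placed above an explicit deny for everything else, with an implicit deny at the bottom) can be checked with a small first-match policy model. The block below is an added example written for this page; it is not UniFi's rule engine or anything from the video, and every zone name, network, and address in it is constructed for illustration.

```python
"""Added example: a minimal first-match, default-deny model of zone-based
policy evaluation. It mirrors the design discussed in the comments (cameras
on their own network inside the IoT zone, permit to the NVR/console above an
explicit deny, implicit deny for anything unmatched). Teaching model only;
all zones, networks and addresses below are constructed, not a real site."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed network-to-zone map (hypothetical addressing).
NETWORKS = {
    "cameras": ("10.20.0.0/24", "iot"),
    "iot":     ("10.21.0.0/24", "iot"),
    "pcs":     ("10.10.0.0/24", "trust"),
    "servers": ("10.11.0.0/24", "trust"),
    "guest":   ("10.30.0.0/24", "guest"),
}
CONSOLE = "10.11.0.1"  # constructed address standing in for the UDM/NVR console


def classify(addr: str) -> tuple[str, str]:
    """Return (network_name, zone) for a host; anything outside the known
    internal networks is treated as the untrust (WAN) zone."""
    a = ip_address(addr)
    for name, (cidr, zone) in NETWORKS.items():
        if a in ip_network(cidr):
            return name, zone
    return "wan", "untrust"


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str                     # "allow" or "deny"
    src_net: Optional[str] = None   # restrict to one network inside the zone
    dst_host: Optional[str] = None  # restrict to a single destination host
    note: str = ""


# Ordered policy: first match wins; anything unmatched hits the implicit
# deny at the end (the "allow what I want, deny everything else" posture).
POLICY = [
    Rule("iot", "trust", "allow", src_net="cameras", dst_host=CONSOLE,
         note="cameras may reach the NVR/console"),
    Rule("iot", "trust", "deny", src_net="cameras",
         note="cameras: nothing else internal"),
    Rule("iot", "untrust", "deny", src_net="cameras",
         note="cameras: no internet"),
    Rule("iot", "untrust", "allow", note="other IoT may reach the internet"),
    Rule("guest", "untrust", "allow", note="guests may reach the internet"),
    Rule("trust", "untrust", "allow", note="PCs/servers may reach the internet"),
    Rule("trust", "trust", "allow", note="intra-zone: PCs and servers may talk"),
    Rule("trust", "iot", "allow", note="trusted hosts may manage IoT devices"),
]


def evaluate(src: str, dst: str) -> tuple[str, str]:
    """Evaluate a flow src -> dst against POLICY; returns (action, reason)."""
    src_net, src_zone = classify(src)
    _, dst_zone = classify(dst)
    for r in POLICY:
        if r.src_zone != src_zone or r.dst_zone != dst_zone:
            continue
        if r.src_net is not None and r.src_net != src_net:
            continue
        if r.dst_host is not None and ip_address(r.dst_host) != ip_address(dst):
            continue
        return r.action, r.note
    return "deny", f"implicit deny ({src_zone}->{dst_zone})"


if __name__ == "__main__":
    flows = [("10.20.0.5", CONSOLE), ("10.20.0.5", "10.10.0.7"),
             ("10.20.0.5", "8.8.8.8"), ("10.21.0.9", "8.8.8.8"),
             ("10.10.0.7", "10.20.0.5"), ("10.30.0.2", "10.10.0.7")]
    for s, d in flows:
        print(f"{s} -> {d}: {evaluate(s, d)}")
```

Swapping the first two camera rules in `POLICY` makes the console flow fall into the explicit deny, which is exactly why the permit has to sit above the deny as the reply describes.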

  • @techreviewsau
    @techreviewsau 4 days ago

    With all the issues you have found with upgrading to Zones, this shows a clear case why everyone should NOT upgrade to it yet! Also, for people not too familiar with the UniFi ecosystem, moving to Zone-based just confuses everybody.

    • @techlogiclounge
      @techlogiclounge 4 days ago

      It's less confusing for those familiar with other firewall products like Fortinet, Palo Alto, Cisco, etc. I also found zone-based easier to learn when I was first introduced to firewalls. Unifi, on the other hand, was far more confusing. However, you are correct in not upgrading for those who are using these devices in a production environment. I couldn't imagine trying to clean up those rules and zones on a production network with multiple sites, VPNs, etc., during a change window 🤣.