Today, let's discuss the division and definition of firewall security zones, which will help us to be more clear in the future. If you have any good suggestions, please let me know.
What is a firewall zone?
A firewall zone is also called a security zone, or simply a zone. It is a core concept of security products: when a firewall enforces security policies, it does so by referring to security zones. In a firewall, all data packets are treated as insecure by default. To control them, you assign interfaces to different security zones and then configure different security policies between those zones. Administrators can thus place different network devices into different security zones. Security zones are not fixed; you can define custom zones based on network requirements. Each security zone also has a priority, ranging from 0 to 100, where a larger value means a higher priority. When a packet travels from a low-priority security zone to a high-priority security zone, that is called the inbound direction; when it travels from a high-priority zone to a low-priority zone, that is the outbound direction.

Classification of firewall zones
Local: The security zone of the firewall itself, covering packets originated by or destined for the firewall. For example, when a device needs to access and manage the firewall, you configure a security policy that permits traffic from the security zone where the device resides to the Local zone. This zone has the highest priority, which cannot be modified.
Trust: Generally used for the interfaces that connect to intranet devices. It is a high-priority zone. You can add interfaces to this zone and modify its priority.
Untrust: Generally used for the interfaces that connect to external devices, such as upstream routers or front-end switches. It is a low-priority zone. You can add interfaces to this zone and modify its priority. This zone is usually regarded as unsafe.
DMZ: Used for the interfaces that connect to servers. Its security level is lower than that of the Trust zone because servers are usually accessed by external devices. You can modify its configuration, such as interfaces or priority.
Other: Custom security zones that you create based on actual service requirements.

Proper use of firewall zones
Above, we explained what security zones are and how they are divided. So, how do we use them properly? An example will help show how to configure the firewall correctly.
1. How Do I Configure Security Policies to Restrict Terminals from Logging In to the Firewall?
When a computer in the Trust zone manages the firewall through SSH, the related service, such as STelnet, must be enabled. If the access management service is not enabled on the interface itself, the traffic can instead be allowed through an interzone policy: in the firewall security policy, set the source security zone to trust, the destination security zone to local, and the allowed protocol to SSH. Then we can manage the firewall by configuring security zones.

| Field | Value |
| --- | --- |
| Name | test |
| Source Zone | trust |
| Destination Zone | local |
| User | /all |
| Action | permit |
2. Terminals in the Trust zone need to communicate with a server in the Untrust zone.
On the firewall, set the source security zone to Trust and the destination security zone to Untrust, and configure the action for both directions between these two zones to permit so that they can access each other.
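As an added example (not part of the original post), the following Python model shows how zone priorities decide the inbound/outbound direction and how first-match interzone policies with a default deny realise the two cases above. The priority values, policy names and service names are assumptions for illustration; the page itself only gives the 0 to 100 range and the relative ordering of the zones.

```python
from dataclasses import dataclass

# Assumed priority values: the text only states the 0-100 range and that
# Local is highest, Trust is high, DMZ is below Trust and Untrust is low.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass(frozen=True)
class Policy:
    name: str
    src_zone: str
    dst_zone: str
    service: str   # service name such as "ssh", or "any"
    action: str    # "permit" or "deny"


# Constructed interzone policies mirroring the two cases in the text:
# trust -> local for SSH management, and trust <-> untrust permitted.
POLICIES = [
    Policy("test", "trust", "local", "ssh", "permit"),
    Policy("trust-to-untrust", "trust", "untrust", "any", "permit"),
    Policy("untrust-to-trust", "untrust", "trust", "any", "permit"),
]


def direction(src_zone: str, dst_zone: str) -> str:
    """Low-priority zone to high-priority zone is inbound; otherwise outbound."""
    if ZONE_PRIORITY[src_zone] < ZONE_PRIORITY[dst_zone]:
        return "inbound"
    return "outbound"


def evaluate(src_zone: str, dst_zone: str, service: str, policies=POLICIES) -> str:
    """First-match lookup over interzone policies.

    Anything that matches no policy is denied, because the firewall treats
    every packet as insecure until a security policy explicitly permits it.
    """
    for p in policies:
        if (p.src_zone == src_zone and p.dst_zone == dst_zone
                and p.service in ("any", service)):
            return p.action
    return "deny"


if __name__ == "__main__":
    for src, dst, svc in [("trust", "local", "ssh"), ("untrust", "local", "ssh"),
                          ("trust", "untrust", "http"), ("dmz", "trust", "http")]:
        print(f"{src}->{dst} {svc}: {direction(src, dst)}, {evaluate(src, dst, svc)}")
```

Note that SSH from the Untrust zone to Local and any traffic from DMZ to Trust fall through to the default deny, which is the behaviour an administrator should verify after adding zone policies.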
In a firewall, understanding and correctly configuring security zones is very important; it is a central part of the firewall. If we do not use it correctly, we will lose network connectivity.

