
Understanding Security Zones

This section describes the security zone mechanism.

Security Zones

A security zone is a set of networks connected by interfaces. Users on these networks share the same security attributes.

The FW considers data flows within a single security zone to be trusted and applies no security policy to them. The FW enforces security policies only on data flows between security zones.

Each security zone has a security level, which ranges from 1 to 100. The larger the value, the higher the security level.

Table 1 lists default security zones on the FW.

The default security zones cannot be deleted, and their priorities (security levels) cannot be reconfigured or removed.

You can create security zones and specify their security levels as needed.

Table 1 Default security zones

Zone name: untrust zone
Security level: 5
Description: Defines insecure networks, such as the Internet.

Zone name: dmz
Security level: 50
Description: Short for demilitarized zone. It is an area in which intranet servers reside. Such servers are frequently accessed by extranet devices, which exposes them to considerable security risk, but they cannot proactively access the extranet. They are therefore deployed in a dmz, whose level is lower than that of the trust zone but higher than that of the untrust zone.

NOTE:

The term comes from the military, where a demilitarized zone is an intermediate area between a military zone and a public zone. A dmz configured on a FW is logically and physically separated from both the internal and the external network.

Devices that provide network services to external users, such as WWW and FTP servers, are deployed in the dmz. If these servers are placed on the external network, they are exposed to attack. If they are placed on the internal network, their security vulnerabilities may give external malicious users a foothold from which to attack the internal network. The dmz exists to resolve both problems.

Zone name: trust zone
Security level: 85
Description: An area in which intranet terminal users reside.

Zone name: local area
Security level: 100 (highest)
Description: The local zone is the device itself, including its interfaces. All packets constructed on and proactively sent by the device are regarded as originating from the local zone; packets that the device must respond to or process (including packets to be inspected or directly forwarded) are regarded as destined for the local zone.

Users cannot change the local zone configuration; for example, interfaces cannot be added to the local zone.

NOTE:

A security policy for packets exchanged between the local zone and the security zone of a peer can be configured in the following scenarios:

  • The device itself is managed over Telnet, the web UI, or an SNMP NMS.
  • The device acts as a client that initiates requests, or as a server that processes requests, in an FTP, PPPoE dial-up, NTP, or IPSec VPN scenario.

When an interface is added to a security zone, the network connected to that interface belongs to the security zone, while the interface itself belongs to the local zone.

Security Interzone and Directions

A security interzone is a single traffic transmission channel connecting two security zones. A security policy controls the traffic that passes along that channel. A security policy applied to an interzone takes effect on traffic crossing the interzone, not on traffic that stays within a single security zone.

An interzone connects any two security zones and provides its own configuration view, in which the firewall settings for that pair of zones are performed.

Traffic travels through an interzone in the following directions:

  • Inbound: An interzone forwards traffic from a lower-level security zone to a higher-level security zone.

  • Outbound: An interzone forwards traffic from a higher-level security zone to a lower-level security zone.

For example, a client in the trust zone sends the first packet of an HTTP connection request to a web server in the untrust zone, whose security level is lower than that of the trust zone. The FW treats the packet as outbound and uses the outbound security policy to decide whether to permit or deny it. After the HTTP connection is established, the FW creates a session entry that records the 5-tuple of the connection: the source and destination IP addresses, the source and destination port numbers, and the protocol type.

If subsequent packets exchanged between the client and the web server match the 5-tuple, the FW processes them according to the outbound security policy, without re-checking the transmission direction.

If a user enables only an outbound security policy for trust-to-untrust traffic in an interzone, the following applies:

  • A terminal in the trust zone proactively initiates a connection to a terminal in the untrust zone. The replies from the untrust zone can pass through the interzone.
  • Terminals in the untrust zone can only receive and respond to connections initiated by terminals in the trust zone.
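The following model, added here as an illustration and not code from the original page or from the FW product, shows how the direction of an interzone flow is derived from the security levels in Table 1 and why the reply to a permitted trust-to-untrust connection needs no inbound policy once its 5-tuple is in the session table. The policy table, the Firewall class, and the packet values are constructed for the example.

```python
from collections import namedtuple

# Security levels of the default zones from Table 1.
ZONE_LEVELS = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}

# Constructed packet model: zones plus the 5-tuple the session table records.
Packet = namedtuple("Packet", "src_zone dst_zone src_ip dst_ip src_port dst_port proto")


def direction(src_zone, dst_zone):
    """Outbound = higher-level zone to lower-level zone; inbound = the reverse.
    Traffic that stays inside one zone is trusted and is not subject to a policy."""
    if src_zone == dst_zone:
        return "intrazone"
    return "outbound" if ZONE_LEVELS[src_zone] > ZONE_LEVELS[dst_zone] else "inbound"


class Firewall:
    """Toy interzone policy engine with a session table (assumption, not the FW's code)."""

    def __init__(self, policies):
        # policies: {(src_zone, dst_zone): "permit" | "deny"}; an unmatched interzone is denied.
        self.policies = policies
        self.sessions = set()  # 5-tuples of established connections

    def forward(self, pkt):
        five_tuple = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)
        reverse = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)
        # Session hit: later packets, including replies, are handled under the policy
        # that admitted the first packet; the direction is not re-checked.
        if five_tuple in self.sessions or reverse in self.sessions:
            return "permit"
        if direction(pkt.src_zone, pkt.dst_zone) == "intrazone":
            return "permit"
        verdict = self.policies.get((pkt.src_zone, pkt.dst_zone), "deny")
        if verdict == "permit":
            self.sessions.add(five_tuple)
        return verdict


def trust_to_untrust_only():
    """Only an outbound trust-to-untrust permit exists, as in the scenario above."""
    fw = Firewall({("trust", "untrust"): "permit"})
    req = Packet("trust", "untrust", "10.1.1.10", "203.0.113.5", 51000, 80, "tcp")
    reply = Packet("untrust", "trust", "203.0.113.5", "10.1.1.10", 80, 51000, "tcp")
    unsolicited = Packet("untrust", "trust", "203.0.113.9", "10.1.1.10", 40000, 22, "tcp")
    return fw.forward(req), fw.forward(reply), fw.forward(unsolicited)
```

Running trust_to_untrust_only() shows the request and its reply permitted but the unsolicited untrust-to-trust connection denied, because no inbound policy exists and no session matches it.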
Copyright © Huawei Technologies Co., Ltd.