Configuring security zones, Overview – H3C Technologies H3C SecPath F1000-E User Manual
Page 34
24
Configuring security zones
You can configure security zones only in the Web interface.
To use an interface as a service interface, you must add it to a security zone that is not the management
zone before configuring relevant service functions.
Overview
Traditional firewall/router policies are configured based on packet inbound and outbound interfaces on
early dual-homed firewalls. With the development of firewalls, they can not only connect the internal and
external network, but also connect the internal network, external network, and the Demilitarized Zone
(DMZ). Also, they are providing high-density ports. A high-end firewall can provide dozens of physical
interfaces to connect multiple logical subnets. In this networking environment, traditional interface-based
policy configuration mode requires configuration of security policies for each interface, which brings
great working loads for administrators, and thus increases probability for introducing security problems
because of configurations.
Different from the traditional interface-based policy configuration mode, the industry-leading firewalls
solve the above problems by configuring security policies based on zones. A zone is an abstract
conception, and you can classify zones in two ways:
•
Interface-based. A zone can include physical interfaces and logical interfaces, and also Trunk
interface + VLAN. Interfaces added to the same zone have consistent security needs in security
policy control.
•
IP-address-based. You can classify zones based on IP addresses to control security policies
according to the source IP address or destination IP address of service packets.
NOTE:
•
DMZ is originally a military term, which refers to the boundary between two or more military powers,
where military activity is not permitted. A DMZ in a network is an area separated with the internal and
external networks both logically and physically. Typically, a DMZ contains devices accessible to the
Internet, such as Web servers and FTP servers.
•
If a service packet can match a zone either based on interface or on IP address, the zone matched based
on the interface is adopted.
With the zone concept, security administrators can classify interfaces or IP addresses (assign them to
different zones) based on their security needs, thus implementing hierarchical policy management. For
example, the administrator can add the four interfaces on a firewall that connect to different subnets in
the research area to Zone_RND, and the two interfaces connecting the servers to Zone_DMZ, as shown
in the following figure. In this way, the administrator only needs to deploy the security policies between
the two zones. If the network changes in the future, the administrator only needs to adjust the interfaces
in a certain zone, without modifying the security policies. Therefore, with the concepts of zone, not only
the policy maintenance is simplified, but also network services and security services are separated.