Our organizational IT environments are constantly changing, driven by factors such as telecommuting, cloud technologies, and BYOD (Bring Your Own Device) policies. This requires having modular and dynamic architectures in place that allow flexibility while still maintaining a rigid security posture. One of the most foundational ways to accomplish this is through the use of network security zones, which we'll take a look at in this blog post. We'll cover common security zone types, along with zone filtering policy considerations for each.
A security zone is a portion of a network that has specific security requirements set. Each zone consists of a single interface or a group of interfaces, to which a security policy is applied. These zones are typically separated using a layer 3 device such as a firewall.
In a very broad sense, a firewall is used to monitor traffic destined for and originating from a network. Traffic is either allowed or denied based on a pre-determined set of rules called an access control list, or ACL for short. Although there are many different types of firewalls, a firewall must have the following properties:
The number of networks we can create on a firewall depends on the number of physical ports available. Generally speaking, a standard firewall implementation involves separating trusted traffic and untrusted traffic. Proper firewall implementation creates two basic security zones, known as inside and outside.
The inside or trusted zone is also referred to as the private zone. As the name implies, this zone contains assets and systems that should not be accessed by anyone outside of the organization. This includes user workstations, printers, non-public servers, and anything else that is considered to be an internal resource. Devices in this zone are assigned private IP addresses.
The outside or untrusted zone is also known as the public zone. This zone is considered to be outside the control of an organization and can be thought of as simply the public internet.
The third basic security zone is called the DMZ, or demilitarized zone. Resources in the DMZ need to be reachable from the outside zone. It is common to see public-facing servers in the DMZ, such as email, web, or application servers. A DMZ allows public access to these resources without putting the private, inside zone resources at risk.
In the case of network security zones, a firewall enforces the access control policy, determining which traffic is allowed to pass between the configured zones. With this common three-zone implementation, there are several recommended zone filtering policies that should be in place:
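As an added illustration (not code from the original post), here is a small Python model of how a firewall evaluates traffic against a zone-pair policy in the inside/outside/DMZ design. The addressing, the specific zone-pair rules, the published DMZ ports, and the implicit-deny / intra-zone-allow behaviour are assumptions chosen to reflect the common three-zone layout, not rules quoted from the text above.

```python
"""Zone-based access-control evaluator for the classic inside / outside / DMZ design."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing (assumption): RFC 1918 space for the inside zone,
# a documentation range standing in for the DMZ. Everything else is "outside".
ZONES = {
    "inside": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("203.0.113.0/24")],
}

def zone_of(addr: str) -> str:
    """Map an IP address to its security zone; unknown space is untrusted."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in n for n in nets):
            return name
    return "outside"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: Optional[frozenset]  # None = any destination port
    action: str                 # "allow" or "deny"

# Assumed zone-pair policy (constructed example). First match wins; anything that
# matches no rule falls through to the implicit deny at the end of evaluate().
POLICY = [
    Rule("inside", "outside", None, "allow"),                    # users reach the internet
    Rule("inside", "dmz", None, "allow"),                        # admins manage public servers
    Rule("outside", "dmz", frozenset({25, 80, 443}), "allow"),   # only published services
    Rule("dmz", "inside", None, "deny"),                         # limit blast radius of a DMZ compromise
    Rule("outside", "inside", None, "deny"),                     # nothing unsolicited enters the private zone
]

def evaluate(src: str, dst: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a flow from src to dst on TCP/UDP port dport."""
    s, d = zone_of(src), zone_of(dst)
    if s == d:
        return "allow"  # assumption: traffic within one zone is not subject to zone policy
    for r in POLICY:
        if r.src_zone == s and r.dst_zone == d and (r.ports is None or dport in r.ports):
            return r.action
    return "deny"  # implicit deny: no matching zone-pair rule
```

Running `evaluate("198.51.100.7", "203.0.113.10", 22)` returns `"deny"` because SSH to the DMZ is not a published service, while the same source on port 443 is allowed.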
All the best,