Configuring security zones, Overview – H3C Technologies H3C SecPath F1000-E User Manual

Configuring security zones

You can configure security zones only in the Web interface.

To use an interface as a service interface, you must add it to a security zone other than the management zone before configuring the relevant service functions.

Overview

Traditional firewall/router policies are configured based on the inbound and outbound interfaces of packets, a model inherited from early dual-homed firewalls. As firewalls developed, they came to connect not only the internal and external networks, but also the internal network, the external network, and the Demilitarized Zone (DMZ), and they now offer high port densities: a high-end firewall can provide dozens of physical interfaces connecting multiple logical subnets. In such an environment, the traditional interface-based policy configuration mode requires a security policy for each interface, which greatly increases the administrators' workload and, with it, the probability of security problems introduced by misconfiguration.
Unlike the traditional interface-based policy configuration mode, industry-leading firewalls solve these problems by configuring security policies based on zones. A zone is an abstract concept, and zones can be classified in two ways:

• Interface-based. A zone can include physical interfaces, logical interfaces, and Trunk interface + VLAN combinations. Interfaces added to the same zone have consistent security requirements for security policy control.

• IP-address-based. You can classify zones based on IP addresses, so that security policies are controlled according to the source or destination IP address of service packets.

NOTE:

DMZ is originally a military term referring to the boundary between two or more military powers where military activity is not permitted. In a network, a DMZ is an area separated from both the internal and external networks, logically and physically. Typically, a DMZ contains devices that must be reachable from the Internet, such as Web servers and FTP servers.

If a service packet matches a zone both by interface and by IP address, the zone matched by interface is used.

With the zone concept, security administrators can classify interfaces or IP addresses by assigning them to different zones according to their security needs, which implements hierarchical policy management. For example, the administrator can add the four interfaces on a firewall that connect to the subnets in the research area to Zone_RND, and the two interfaces connecting the servers to Zone_DMZ, as shown in the following figure. The administrator then only needs to deploy security policies between the two zones. If the network changes later, the administrator only needs to adjust the interfaces in a zone, without modifying the security policies. The zone concept therefore not only simplifies policy maintenance but also separates network services from security services.
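The following Python model is an added illustration of the zone-based policy concept described in this overview; it is not H3C code and does not reflect the SecPath's internal implementation. It shows interface-based and IP-address-based zone membership, the rule that an interface match takes precedence over an address match, inter-zone policy lookup, and the effect of re-homing an interface without touching any policy. Zone names other than Zone_RND and Zone_DMZ, interface names, addresses, the longest-prefix tie-break between overlapping address zones, and the default-deny for unclassified traffic are constructed assumptions.

```python
"""Toy model of zone-based firewall policy (illustration only, not H3C's implementation)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    # Interface members, e.g. "GE0/1" or "GE0/9.vlan20" (trunk interface + VLAN).
    interfaces: set = field(default_factory=set)
    # Address members, used for IP-address-based zones.
    prefixes: list = field(default_factory=list)


class ZoneTable:
    def __init__(self, zones):
        self.zones = {z.name: z for z in zones}

    def zone_of_interface(self, ifname):
        for z in self.zones.values():
            if ifname in z.interfaces:
                return z.name
        return None

    def zone_of_address(self, addr):
        ip = ipaddress.ip_address(addr)
        # Assumption: longest prefix wins when IP-based zones overlap;
        # the manual does not specify a tie-break.
        best = None
        for z in self.zones.values():
            for net in z.prefixes:
                if ip in net and (best is None or net.prefixlen > best[1]):
                    best = (z.name, net.prefixlen)
        return best[0] if best else None

    def classify(self, ifname, addr):
        # Manual's rule: an interface-based match takes precedence over
        # an IP-address-based match.
        return self.zone_of_interface(ifname) or self.zone_of_address(addr)

    def move_interface(self, ifname, new_zone):
        # Network change: re-home an interface; no policy is modified.
        for z in self.zones.values():
            z.interfaces.discard(ifname)
        self.zones[new_zone].interfaces.add(ifname)


def evaluate(table, policy, in_if, src_ip, out_if, dst_ip):
    """Return 'permit' or 'deny' for a flow using inter-zone rules only."""
    src_zone = table.classify(in_if, src_ip)
    dst_zone = table.classify(out_if, dst_ip)
    if src_zone is None or dst_zone is None:
        return "deny"  # assumption: unclassified traffic is dropped
    return policy.get((src_zone, dst_zone), "deny")


def build_sample():
    """Constructed sample: the manual's two zones plus an IP-based partner zone."""
    table = ZoneTable([
        Zone("Zone_RND", interfaces={"GE0/1", "GE0/2", "GE0/3", "GE0/4"}),
        Zone("Zone_DMZ", interfaces={"GE0/5", "GE0/6"}),
        Zone("Zone_Partner", prefixes=[ipaddress.ip_network("203.0.113.0/24")]),
    ])
    # Policies are expressed between zones, never per interface.
    policy = {
        ("Zone_RND", "Zone_DMZ"): "permit",
        ("Zone_Partner", "Zone_DMZ"): "permit",
    }
    return table, policy


if __name__ == "__main__":
    table, policy = build_sample()
    # Research host to DMZ server: permitted by the RND->DMZ rule.
    print(evaluate(table, policy, "GE0/1", "10.1.1.10", "GE0/5", "10.2.0.5"))
    # A partner address arriving on an RND interface is classified by
    # interface, not by address, so it is Zone_RND rather than Zone_Partner.
    print(table.classify("GE0/1", "203.0.113.7"))
    # Moving GE0/4 into Zone_DMZ changes the verdict for GE0/1 -> GE0/4
    # traffic from deny (RND->RND, no rule) to permit, with the policy untouched.
    table.move_interface("GE0/4", "Zone_DMZ")
    print(evaluate(table, policy, "GE0/1", "10.1.1.10", "GE0/4", "10.1.4.20"))
```

The last scenario is the point of the overview: the policy set never references an interface, so a topology change is a zone-membership edit rather than a policy rewrite, and the precedence check shows why an address-based zone cannot override the zone of the interface a packet actually arrived on.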