Configuring security zones, Overview, Basic concepts – H3C Technologies H3C SecBlade LB Cards User Manual
Configuring security zones
Overview
In traditional firewall deployments, a firewall connects an internal network to an external network, and security policies are applied on the inbound and outbound interfaces. As firewall technology has developed, a firewall now also connects a DMZ in addition to the internal and external networks, and tends to provide many more interfaces (for example, more than ten physical interfaces) to connect additional network segments. Deploying a separate security policy on each interface is not only laborious, but also increases the likelihood of configuration errors. The zone-based security policy method solves this problem effectively.
The zone-based security policy method is the current mainstream solution in the industry. This method allows you to group interfaces or IP addresses into security zones according to their security requirements, and to deploy security policies between zones, which dramatically simplifies security policy deployment and maintenance.
Basic concepts
• Security zone
A security zone can be a collection of common Layer 3 physical interfaces and logical interfaces, and Layer 2 physical trunk interfaces (with their VLANs). Interfaces in the same security zone share the same security requirements.
A security zone can also be a collection of IP addresses. Such a security zone allows you to implement security control by source IP address or destination IP address.
If you classify security zones by both interface and IP address, and a packet matches different security zones by the two criteria, the security zone matched by interface takes precedence.
• DMZ
The term "DMZ" originally referred to a zone whose security requirements are lower than those of the militarized zone but higher than those of a common zone. In the network security industry, a DMZ is a zone that is separate from both the internal network and the external network, logically and physically. Its security requirements are lower than those of the internal network but higher than those of the external network. Usually, a DMZ comprises devices that the public must be able to access, such as WWW servers and FTP servers.
Zone-based security policy application example
Suppose that the R&D department of your enterprise uses four network segments and the servers use two network segments. With the zone-based security policy method, you only need to place the four firewall interfaces connected to the R&D department into one security zone (Zone_RND), place the two firewall interfaces connected to the servers into another security zone (Zone_DMZ), and deploy a single security policy between the two zones. This method not only reduces the configuration and maintenance load, but also separates security services from normal network services.