NetworkTools
Sign In
1ACLs2Zone Firewalls3IPsec4SSL VPN5802.1X6IDS/IPS7PKI
← Back to Network Security

Learning Objectives

  • Understand the security zone model
  • Differentiate zone-based from classic firewalls
  • Configure zone-pair policies
  • Design zone topologies with inspection rules

The Security Zone Concept

A security zone is a logical grouping of interfaces that share a common security level. Inside your network, you might have a zone called INSIDE for trusted user traffic and a zone called OUTSIDE for the internet. Traffic between zones is subject to configured policies, while traffic within the same zone is implicitly permitted.

This is fundamentally different from classic ACL firewalls, where each interface has independent inbound/outbound rules. With zone-based firewalls, you define zone-pairs and apply inspection policies to traffic moving between them.

Zone-Based Policy Framework

Think of zone-pairs as one-way streets. A zone-pair from INSIDE to OUTSIDE defines what traffic is allowed to leave the internal network. A separate zone-pair from OUTSIDE to INSIDE defines what is allowed to enter. This bi-directional model gives you two independent policy control points.

Zone-based firewalls use Stateful Packet Inspection (SPI) — they track connection state and automatically permit return traffic without explicit rules. This eliminates the tedious task of writing ACL entries for every possible return flow.

Zone-Pair Policy Configuration

Create security zones, assign interfaces, and define zone-pair policies.

Preview
zone security {zone-name}
interface {iface}
zone-member security {zone-name}
zone-pair security {pair-name} source {src-zone} destination {dst-zone}
service-policy type inspect {policy-name}

A Common Topology

Three-Zone Firewall Design

TrustedInspectINSIDE (Trust)FirewallOUTSIDE

When the firewall inspects traffic from INSIDE to OUTSIDE, it creates a state table entry. Return packets matching that state table are permitted automatically — no explicit permit needed. This stateful behavior is what makes zone-based firewalls far more manageable than stateless ACLs.

A well-designed zone topology typically includes three zones: INSIDE (trusted users), DMZ (public servers), and OUTSIDE (the internet). Traffic from INSIDE to DMZ is permitted selectively, while INSIDE to OUTSIDE is inspected with NAT.

How does a zone-based firewall handle return traffic?

Key Takeaways

  • Security zones group interfaces by trust level
  • Zone-pairs define one-way traffic policies between zones
  • Stateful inspection eliminates the need for explicit return-ACL rules
  • Self-zone traffic (traffic to the firewall itself) is controlled separately
  • Traffic within the same zone is implicitly permitted by default
  • A classic three-zone design uses INSIDE, DMZ, and OUTSIDE
PreviousACLsNextIPsec