Configuring Egress Network Security
Context
Firewalls are typically deployed as security devices on the campus network border to secure that border. Security zones (or zones) are defined on a firewall. A security zone is a collection of networks connected through one or more interfaces, and users in a zone share the same security attributes. Most security policies are implemented based on security zones. Each security zone identifies a network, and a firewall connects these networks. Firewalls use security zones to divide networks and mark the routes of packets. When packets travel between security zones, a security check is triggered and the corresponding security policies are enforced.
Typically, three security zones (trusted zone, DMZ, and untrusted zone) are defined in scenarios with a small number of networks and a simple environment. The security zones are described as follows:
- Trusted zone: refers to the network of internal users.
- DMZ: demilitarized zone, which refers to the network of internal servers.
- Untrusted zone: refers to untrusted networks, such as the Internet.
Table 5-28 shows the recommended security policy design for common zones.
| Access Zone | Access Source | Trustworthiness | Recommended Security Policy |
|---|---|---|---|
| Internet | External users | Untrusted | Intrusion detection, URL filtering, and antivirus |
| Internet | Employees on the go | Medium | Intrusion detection, URL filtering, and antivirus |
| WAN | Enterprise branch | Medium | Intrusion detection and antivirus |
| Intranet | Enterprise employees | High | Intrusion detection and antivirus |
| Intranet | Guests | Low | Intrusion detection and antivirus |
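The following added example (not from this document or the firewall product) models how zone-based policy enforcement works: each zone is a collection of networks, a packet is classified by the zone of its source and destination, and only interzone traffic is matched against a policy that names the security profiles to apply. The addresses, the zone-pair policy set (loosely based on Table 5-28) and the default-deny for unlisted zone pairs are assumptions.

```python
import ipaddress

# Constructed example: security zones as collections of networks, as described
# above. The address ranges are assumptions, not taken from the page.
ZONES = {
    "trust":   [ipaddress.ip_network("10.1.0.0/16")],   # internal users
    "dmz":     [ipaddress.ip_network("10.2.0.0/24")],   # internal servers
    "untrust": [ipaddress.ip_network("0.0.0.0/0")],     # the Internet (catch-all)
}

# Interzone security policies modelled on Table 5-28 (assumed mapping):
# (source zone, destination zone) -> security profiles applied to that traffic.
POLICIES = {
    ("untrust", "dmz"):   ("intrusion-detection", "url-filtering", "antivirus"),
    ("trust", "untrust"): ("intrusion-detection", "antivirus"),
    ("trust", "dmz"):     ("intrusion-detection", "antivirus"),
}


def zone_of(ip: str) -> str:
    """Return the zone whose most specific network contains ip
    (longest-prefix match, so the /0 catch-all loses to any internal range)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, nets in ZONES.items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (zone, net.prefixlen)
    if best is None:
        raise ValueError(f"{ip} belongs to no zone")
    return best[0]


def evaluate(src_ip: str, dst_ip: str) -> tuple[str, tuple[str, ...]]:
    """Decide how the firewall treats a packet.

    Traffic whose source and destination are in the same zone triggers no
    interzone check; traffic crossing zones is matched against POLICIES, and a
    zone pair with no policy is denied (default-deny is an assumption here)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return ("intrazone", ())
    profiles = POLICIES.get((src, dst))
    if profiles is None:
        return ("deny", ())
    return ("permit", profiles)
```

Note that the Internet zone is a /0 catch-all: any address that is not placed in an internal zone is treated as untrusted, which is the safe default when a network is forgotten in the zone definition.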
Procedure
- Choose Policy > Security Policy > Security Policy. In the Security Policy List area, click Add Security Policy to create a security policy.