NetEngine AR5700, AR6700, and AR8000 V600R023C00 Configuration Guide - Security Configuration
Understanding Security Zones
Security zones on a device are classified into predefined security zones and customized security zones. The priority of a security zone ranges from 1 to 100; a larger value indicates a higher priority. You can use the predefined security zones on the device (see Table 3-1) or customize security zones based on your site requirements and assign priorities to them. For example, as shown in Figure 3-1, the public zone network is added to customized security zone 1, which has priority 30.
The MEth management interface (for example, MEth 0/0/0 in Figure 3-1) does not belong to any security zone and cannot be added to one. An interface can be added to only one security zone. You can run this command multiple times in a security zone to add multiple interfaces to it. (As shown in Figure 3-1, each interface except the management interface is added to exactly one security zone; two interfaces are added to the Trust security zone, one corresponding to office area 1 and the other to office area 2.)
Security Zone | Priority | Description
---|---|---
Untrust | 5 (low security level) | Defines insecure networks, such as the Internet.
DMZ | 50 (medium security level) | Defines the zone where intranet servers reside. These devices, such as WWW servers and FTP servers, provide services for extranet devices and are therefore frequently accessed from the extranet. Malicious users may exploit security vulnerabilities of these devices to attack the intranet. In addition, these devices are not allowed to proactively access the extranet, so they need to be deployed in a security zone with a priority lower than the Trust zone and higher than the Untrust zone. NOTE: DMZ is originally a military term, referring to a partially controlled area between a military control area and a public area. A DMZ configured on a device is logically and physically separated from intranets and extranets.
Trust | 85 (high security level) | Usually used to define the zone where the intranet terminals reside.
Local | 100 (highest security level) | Defines the device itself, including the interfaces on the device. All packets constructed on and proactively sent from the device are considered to be sent from the Local zone, and the packets that the device must respond to and process (including packets to be inspected or forwarded immediately) are considered to be received by the Local zone. NOTE: Adding an interface to a security zone means configuring the network connected to the interface to be part of the security zone, but the interface itself still belongs to the Local zone. A security policy can be configured to permit packet exchange between the Local zone and the security zone of a peer in the following scenarios:
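The following Python model is an added example, not Huawei code or the device's configuration syntax; it encodes the zone rules described on this page (predefined zone priorities, customized zones with a priority in 1..100, one zone per interface, the MEth management interface excluded, and device-originated packets attributed to the Local zone). The interface names and the zone name "zone1" are assumptions chosen to mirror Figure 3-1.

```python
# Added example (not Huawei code): a small model of the security-zone rules
# on this page, used to check membership constraints and zone priorities.
PREDEFINED_ZONES = {"untrust": 5, "dmz": 50, "trust": 85, "local": 100}


class ZoneTable:
    def __init__(self):
        self.priorities = dict(PREDEFINED_ZONES)  # zone name -> priority
        self.membership = {}                      # interface -> zone name

    def add_zone(self, name, priority):
        """Create a customized zone; its priority must lie in 1..100."""
        if name in self.priorities:
            raise ValueError(f"zone {name} already exists")
        if not 1 <= priority <= 100:
            raise ValueError("priority must be between 1 and 100")
        self.priorities[name] = priority

    def add_interface(self, iface, zone):
        """Bind an interface to exactly one zone. The Local zone still
        implicitly contains every interface, as the table notes."""
        if zone not in self.priorities:
            raise KeyError(f"unknown zone {zone}")
        if iface.lower().startswith("meth"):
            raise ValueError("the MEth management interface cannot join a zone")
        if iface in self.membership:
            raise ValueError(f"{iface} is already in zone {self.membership[iface]}")
        self.membership[iface] = zone

    def source_zone(self, ingress_iface):
        """Zone a packet is attributed to: packets originated by the device
        (no ingress interface) come from Local; otherwise the interface's
        zone, or None if the interface has not been assigned to any zone."""
        if ingress_iface is None:
            return "local"
        return self.membership.get(ingress_iface)

    def higher_priority(self, zone_a, zone_b):
        """Return whichever of the two zones has the larger priority value."""
        return max((zone_a, zone_b), key=self.priorities.__getitem__)


def build_figure_3_1():
    """Constructed counterpart of Figure 3-1: customized zone1 with priority
    30 for the public network, two office interfaces in Trust. Interface
    names are assumptions, not taken from the guide."""
    table = ZoneTable()
    table.add_zone("zone1", 30)
    table.add_interface("GigabitEthernet0/0/1", "zone1")  # public network
    table.add_interface("GigabitEthernet0/0/2", "trust")  # office area 1
    table.add_interface("GigabitEthernet0/0/3", "trust")  # office area 2
    return table
```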