Security Context Overview
Within a single Security Appliance, a security administrator can create more than one
security context (see Figure 9-1). Each context uses a separate configuration that describes
the security policy, the assigned interfaces, and the options that the security context manages. This
reduces the amount of equipment, cost, rack space, and administrative work that a security
department would otherwise incur if each department required a separate firewall unit.
Figure 9-1 Multiple Security Contexts
Each security context configuration is stored in a separate file that can be saved on the local
Flash RAM drive or accessed from a remote location using TFTP, FTP, or HTTP(S).


Multiple security contexts should be used in the following scenarios:
■ A large enterprise company or campus with a requirement to completely separate each
department.
■ An enterprise that requires unique security policies for each department.
■ An Internet service provider (ISP) that wishes to sell security and firewall services to
multiple companies.
■ A network that requires more than one firewall.
Although security contexts give a security administrator more flexibility when designing a
security platform, a few features are not supported within a security context when enabled
in multiple context mode:
■ Dynamic routing protocols such as OSPF or RIP. Only static routes are supported.
■ VPNs.
■ Multicast.
For the Security Appliance to route a traffic flow through the appropriate security context, it
must first classify the flow based on the contents of its packets. The Security Appliance
examines two characteristics of each packet and classifies on whichever of them is unique to
one security context and not shared across contexts. The two characteristics that the Security
Appliance checks are these:
■ Source interface (VLAN)
■ Destination address
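The two-step classification described above, as an added example in Python that is not from the book or from Cisco's own code. The context names, interface names and address ranges are constructed sample data; treating a packet that matches no single context as dropped (None) is an assumption of this model.

```python
# Added example (not from the book): a toy model of the classification rule
# described above. Contexts, interfaces and addresses are constructed sample data.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Context:
    name: str
    interfaces: set                 # interfaces (VLANs) assigned to this context
    dest_networks: list = field(default_factory=list)  # destination addresses it owns


# Constructed sample configuration: two departments share the "outside"
# interface, so traffic arriving there must be told apart by destination
# address; a third department has a dedicated interface.
CONTEXTS = [
    Context("finance", {"vlan10", "outside"}, [ip_network("203.0.113.0/28")]),
    Context("hr",      {"vlan20", "outside"}, [ip_network("203.0.113.16/28")]),
    Context("lab",     {"vlan30"}),
]


def classify(src_interface, dst_ip, contexts=CONTEXTS):
    """Return the name of the context that should process the packet, or None
    if no single context can be chosen (assumption: such packets are dropped)."""
    dst = ip_address(dst_ip)
    # Step 1: is the source interface unique to exactly one context?
    by_iface = [c for c in contexts if src_interface in c.interfaces]
    if len(by_iface) == 1:
        return by_iface[0].name
    if not by_iface:
        return None                 # interface belongs to no context
    # Step 2: the interface is shared, so the destination address must decide
    by_dst = [c for c in by_iface if any(dst in net for net in c.dest_networks)]
    if len(by_dst) == 1:
        return by_dst[0].name
    return None                     # ambiguous or unmatched destination


if __name__ == "__main__":
    for iface, ip in [("vlan30", "10.0.0.5"), ("outside", "203.0.113.20"),
                      ("outside", "198.51.100.1")]:
        print(iface, ip, "->", classify(iface, ip))
```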