Security Zones
Security zones establish the security borders of the network: traffic is subjected to policy restrictions
as it crosses from one zone into another zone within the network.
As shown in Figure 5-7, a zone can have one or more interfaces assigned to it. This example shows a Cisco
IOS Firewall router with four interfaces and three zones:
Interface #1 connected to the Public Internet zone
Interfaces #2 and #3 connected to a Private zone serving file servers and clients on a LAN (on
separate physical interfaces, but in the same security zone), which must not be reachable from the public
Internet
Interface #4 connected to the DMZ zone, serving a web server and a Domain Name System (DNS)
server, which must be reachable from the public Internet
Figure 5-7. Basic Security Zone
In the example illustrated by Figure 5-7, the IOS Firewall will generally have three main security policies:
Private zone connectivity to the Internet
Private zone connectivity to the DMZ
Public zone connectivity to the DMZ
Devices connected in the Private zone can pass traffic to every other device behind interfaces #2
and #3, because those interfaces are in the same Private zone. If an additional interface is added to the Private zone,
inter-interface and intra-interface traffic is permitted within that zone. The hosts' traffic to hosts
in other zones, by contrast, is governed by the existing zone-pair policies; where no zone-pair policy has been
configured between two zones (for example Public to Private above), traffic between them is dropped by default.
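The following configuration is an added example written for this section; it is not taken from the page or from Cisco documentation. It realises the Figure 5-7 layout with the three zones, the four interface memberships and the three zone-pair policies named above. Interface names (GigabitEthernet0/0 through 0/3), class-map and policy-map names and the chosen protocols are assumptions for illustration; the protocol lists would be tailored to the actual servers. Note that no zone-pair is defined from PUBLIC to PRIVATE, which is what keeps the LAN unreachable from the Internet, and that interfaces #2 and #3 need no policy between them because they share a zone.

```ios
! --- Zones (one per security region in Figure 5-7) ---
zone security PUBLIC
zone security PRIVATE
zone security DMZ

! --- Interface membership; assumed interface names ---
interface GigabitEthernet0/0
 description Interface #1 - Internet
 zone-member security PUBLIC
interface GigabitEthernet0/1
 description Interface #2 - LAN (file servers)
 zone-member security PRIVATE
interface GigabitEthernet0/2
 description Interface #3 - LAN (clients), same zone as #2
 zone-member security PRIVATE
interface GigabitEthernet0/3
 description Interface #4 - DMZ (web + DNS)
 zone-member security DMZ

! --- Traffic classes (assumed protocol choices) ---
class-map type inspect match-any CM-PRIVATE-TO-INTERNET
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM-PRIVATE-TO-DMZ
 match protocol http
 match protocol https
 match protocol dns
class-map type inspect match-any CM-PUBLIC-TO-DMZ
 match protocol http
 match protocol https
 match protocol dns

! --- Policies: inspect what is listed, drop (and log) everything else ---
policy-map type inspect PM-PRIVATE-TO-INTERNET
 class type inspect CM-PRIVATE-TO-INTERNET
  inspect
 class class-default
  drop log
policy-map type inspect PM-PRIVATE-TO-DMZ
 class type inspect CM-PRIVATE-TO-DMZ
  inspect
 class class-default
  drop log
policy-map type inspect PM-PUBLIC-TO-DMZ
 class type inspect CM-PUBLIC-TO-DMZ
  inspect
 class class-default
  drop log

! --- Zone pairs: the three policies from the text, directional ---
zone-pair security PRIVATE-TO-INTERNET source PRIVATE destination PUBLIC
 service-policy type inspect PM-PRIVATE-TO-INTERNET
zone-pair security PRIVATE-TO-DMZ source PRIVATE destination DMZ
 service-policy type inspect PM-PRIVATE-TO-DMZ
zone-pair security PUBLIC-TO-DMZ source PUBLIC destination DMZ
 service-policy type inspect PM-PUBLIC-TO-DMZ
! Deliberately no PUBLIC -> PRIVATE zone pair: that direction stays dropped.
```

To verify the result on the router, `show zone security` lists each zone with its member interfaces, `show zone-pair security` confirms the three directional pairs and their attached policies, and `show policy-map type inspect zone-pair` shows per-pair inspect and drop counters once traffic flows. Because `inspect` creates stateful sessions, return traffic for the allowed flows is admitted without a reverse zone-pair; a separate DMZ-to-PRIVATE or PUBLIC-to-PRIVATE pair would only be added if those zones genuinely need to initiate connections.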