About Security Zones

A security zone is a group of interfaces to which
a security policy can be applied to control traffic between zones. For
ease of deployment, the Cisco ISA500 has several predefined zones with
default security settings to protect your network. You can create additional
zones as needed.

Each zone has an associated security level. The
security level represents the level of trust, from low (0) to high (100).
Default firewall rules are created for all predefined zones and your
new zones, based on these security levels. For example, by default all
traffic from the LAN zone (with a Trusted security level) to the WAN
zone (with an Untrusted security level) is allowed but traffic from the
WAN (Untrusted) zone to the LAN (Trusted) zone is blocked. You can create
and modify firewall rules to specify the permit or block action for specified
services, source and destination addresses, and schedules.

To learn more, see the Security Levels
and Predefined Zones table.

Security Levels and Predefined Zones

Trusted (100)
  Description: Highest level of trust. By default, the DEFAULT VLAN is mapped to the predefined LAN zone. You can group one or more VLANs into a Trusted zone.
  Predefined zones: LAN

VPN (75)
  Description: Higher level of trust than a public zone, but a lower level of trust than a trusted zone. This security level is used exclusively for VPN connections. All traffic is encrypted.
  Predefined zones: VPN, SSLVPN

Public (50)
  Description: Higher level of trust than a guest zone, but a lower level of trust than a VPN zone.
  Predefined zones: DMZ

Guest (25)
  Description: Higher level of trust than an untrusted zone, but a lower level of trust than a public zone.
  Predefined zones: GUEST

Untrusted (0)
  Description: Lowest level of trust. By default, the WAN1 interface is mapped to the WAN zone. If you are using the secondary WAN (WAN2), you can map it to the WAN zone or any other untrusted zone.
  Predefined zones: WAN

Voice
  Description: Designed exclusively for voice traffic. Incoming and outgoing traffic is optimized for voice operations. For example, assign Cisco IP Phones to the VOICE zone.
  Predefined zones: VOICE
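As an added example (not Cisco's code and not the ISA500's actual rule engine), the following Python models the default zone-to-zone policy described above using the security levels from the table, and shows how explicit firewall rules override that default in both directions. The zone names and levels come from the table; the example rules, the service names and the treatment of two zones at the same level are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Security levels of the ISA500's predefined zones, taken from the table above.
# VOICE has no level listed on the page, so it is left out of this model.
ZONE_LEVELS = {
    "LAN": 100, "VPN": 75, "SSLVPN": 75, "DMZ": 50, "GUEST": 25, "WAN": 0,
}

# Modelling assumption (the page does not say): traffic between two zones of
# equal security level gets the same default as lower-to-higher traffic.
SAME_LEVEL_DEFAULT = "block"


def default_action(src_zone: str, dst_zone: str) -> str:
    """Zone-based default: higher trust to lower trust is permitted, lower to
    higher is blocked (LAN -> WAN permitted, WAN -> LAN blocked)."""
    src, dst = ZONE_LEVELS[src_zone], ZONE_LEVELS[dst_zone]
    if src > dst:
        return "permit"
    if src < dst:
        return "block"
    return SAME_LEVEL_DEFAULT


@dataclass
class Rule:
    """User-defined rule overriding the default for one zone pair and service.
    Source/destination addresses and schedules are left out of this model."""
    src_zone: str
    dst_zone: str
    service: Optional[str]  # None matches any service
    action: str             # "permit" or "block"


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, service: str) -> str:
    """First matching user rule wins; with no match, the zone default applies."""
    for rule in rules:
        if (rule.src_zone, rule.dst_zone) == (src_zone, dst_zone) and \
                rule.service in (None, service):
            return rule.action
    return default_action(src_zone, dst_zone)


# Constructed rules: open HTTPS from the Internet to a DMZ web server (the
# zone default would block it) and stop cleartext Telnet leaving the LAN
# (the zone default would permit it).
EXAMPLE_RULES = [
    Rule("WAN", "DMZ", "https", "permit"),
    Rule("LAN", "WAN", "telnet", "block"),
]
```

Call `evaluate(EXAMPLE_RULES, "WAN", "DMZ", "ssh")` to see that a service the explicit rule does not name falls back to the zone default and is blocked.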