Dividing a Network into Security Zones – Huawei Firewall Security Policy Essentials – Huawei

A security zone is a subnet whose devices have similar security requirements and security levels. Although the security zone is a firewall-specific concept, it originates from network segmentation, which applies to data communication networks in general. Network segmentation divides an Ethernet network into several subnets that are isolated from each other based on certain rules. Data packets are transmitted only on specified subnets, not to all devices on the network. Network segmentation improves network performance and ensures network security. Firewalls are deployed on segmented networks and use security zones to enhance security.

By default, a firewall provides the Untrust, Trust, and DMZ zones, which are used to connect to the external network, internal network, and DMZ respectively. By default, devices in the same security zone can communicate with each other. To enable devices in different security zones to communicate with each other, you need to configure security policies. This design achieves a good balance between performance and security. Specifically, if a subnet is compromised, attackers can access only resources in the security zone corresponding to that subnet. To access resources on other subnets, attackers must break through the controls imposed by security zones and security policies. The use of security zones and security policies therefore minimizes the loss.

Properly planning security zones and deploying resources helps improve network security and resilience. The following lists some rules for planning security zones and deploying resources:

  • Using many security zones allows precise network control and improves network security, but complicates management.
  • Do not place systems that do not interact with each other on the same subnet. Otherwise, attackers can easily access all these systems as long as they break through the defense.
  • Deploy the devices and service resources with the same security level in the same security zone. Then, allocate IP addresses to devices based on security zones. The IP addresses of the devices with the same service attributes and security level can form an address set. Using address sets in security policies makes security policies easy to understand and manage.
  • Deploy systems of different security levels that need to interact with each other in different security zones and configure strict security policies for them. For example, all servers (such as web servers and email servers) that provide services for external systems must be deployed in a dedicated zone (generally DMZ), and servers (such as database servers) that cannot be directly accessed by external networks must be deployed in the internal server zone.

The following uses an example to describe the best practices of security zone division and resource deployment.

Figure 3-1 Security zone division and resource deployment

In this example, the network is divided into four security zones. In addition to the default Trust, DMZ, and Untrust zones, an Isolated zone is added. The arrows indicate the directions of permitted traffic.

  • The proxy server, email server, and front end of the web server are deployed in the DMZ. These servers need to provide services for the Internet. Corresponding security policies need to be configured on the firewall. Servers oriented to the Internet are most vulnerable to attacks and need to be isolated from other servers.
  • The back end of the web server, including the application server and database server, stores important data and needs to be deployed in the Isolated zone. Servers in the DMZ can access specific services in the Isolated zone.
  • The DHCP server, DNS server, and AD server do not need to be connected to the Internet infrastructure. They need to receive access requests from clients on the internal network and are deployed in the Trust zone. By default, the communication between these servers and clients on the internal network is allowed. Clients on the internal network need to access the Internet through a proxy server.

In this way, even if the servers connected to the Internet are attacked, threats can be controlled in the DMZ, and the damage can be minimized.
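The zone model above can be checked against a rule set before it is deployed. The following is an added example, not Huawei code or firewall syntax: the subnets, rule names, and rule tuples are constructed, and `ALLOWED_FLOWS` is this example's reading of the text above rather than the arrows in the figure.

```python
import ipaddress

# Constructed address plan, one subnet per zone (assumption; the page gives no addresses).
ZONE_NETS = {
    "trust":    ipaddress.ip_network("10.1.0.0/16"),
    "dmz":      ipaddress.ip_network("10.2.0.0/24"),
    "isolated": ipaddress.ip_network("10.3.0.0/24"),
}

# Inter-zone flows read from the page's example; any other permit is reported.
ALLOWED_FLOWS = {
    ("untrust", "dmz"),   # Internet users reach the public-facing servers
    ("dmz", "untrust"),   # proxy and email servers reach the Internet
    ("trust", "dmz"),     # internal clients go out through the proxy
    ("dmz", "isolated"),  # web front end calls specific back-end services
}

def audit(rules):
    """Return (rule name, finding) pairs for permit rules that break the zone model."""
    findings = []
    for name, src, dst, dst_addr, service, action in rules:
        if action != "permit":
            continue
        if src == dst:
            findings.append((name, "redundant: intra-zone traffic is allowed by default"))
            continue
        if (src, dst) not in ALLOWED_FLOWS:
            findings.append((name, f"flow {src}->{dst} is not in the zone model"))
        net = ZONE_NETS.get(dst)  # Untrust has no fixed subnet, so it is not checked
        if net and not ipaddress.ip_network(dst_addr).subnet_of(net):
            findings.append((name, f"destination {dst_addr} is outside zone {dst}"))
        if dst == "isolated" and service == "any":
            findings.append((name, "rule into isolated must name a specific service"))
    return findings

# Constructed rule set: (name, source zone, destination zone, destination, service, action).
RULES = [
    ("web_in",       "untrust", "dmz",      "10.2.0.10/32", "tcp/443",  "permit"),
    ("front_to_app", "dmz",     "isolated", "10.3.0.20/32", "tcp/8443", "permit"),
    ("front_to_any", "dmz",     "isolated", "10.0.0.0/8",   "any",      "permit"),
    ("user_direct",  "trust",   "untrust",  "0.0.0.0/0",    "tcp/443",  "permit"),
]

if __name__ == "__main__":
    for name, finding in audit(RULES):
        print(f"{name}: {finding}")
```

The first two rules pass; `front_to_any` is reported twice (address outside the zone, unrestricted service) and `user_direct` once, because it bypasses the proxy in the DMZ.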