Network Security Zones

Our organizational IT environments are constantly changing, driven by factors such as telecommuting, cloud technologies, and BYOD (Bring Your Own Device) policies. This requires modular and dynamic architectures that allow flexibility while still maintaining a rigid security posture. One of the most foundational ways to accomplish this is through the use of network security zones, which we’ll take a look at in this blog post. We’ll cover common security zone types, and also the zone filtering policy considerations for each.

Network Security Zones

A security zone is a portion of a network that has specific security requirements set. Each zone consists of a single interface or a group of interfaces, to which a security policy is applied. These zones are typically separated using a layer 3 device such as a firewall.

In a very broad sense, a firewall is used to monitor traffic destined to and originating from a network. Traffic is either allowed or denied based on a pre-determined set of rules called an access control list, or ACL for short. Although there are many different types of firewalls, a firewall must have the following properties:

  • Must be resistant to attacks
  • Must be able to inspect traffic between networks
  • Must have the ability to filter traffic

The number of networks we can create on a firewall depends on the number of physical ports available. Generally speaking, a standard firewall implementation involves separating trusted traffic and untrusted traffic. Proper firewall implementation creates two basic security zones, known as inside and outside.

The inside or trusted zone is also referred to as the private zone. As the name implies, this zone contains assets and systems that should not be accessed by anyone outside of the organization. This includes user workstations, printers, non-public servers, and anything else that is considered to be an internal resource. Devices found here have private IP addresses assigned in the network.

The outside or untrusted zone is also known as the public zone. This zone is considered to be outside the control of an organization and can be thought of as simply the public internet.

The third basic security zone is called the DMZ, or demilitarized zone. Resources in the DMZ require external access from the outside zone. It is common to see public-facing servers in the DMZ, such as email, web, or application servers. A DMZ allows public access to these resources without putting the private, inside zone resources at risk.

Zone Filtering Policies

In the case of network security zones, a firewall enforces the access control policy, determining which traffic is allowed to pass between the configured zones. With this common three-zone implementation, there are several recommended zone filtering policies that should be in place:

  • Inside-to-Outside and Inside-to-DMZ: Traffic originating from the inside is inspected as it travels toward either the outside or the DMZ. Examples include an employee requesting a webpage from a public web server or accessing any resource within the DMZ. This type of traffic is allowed with very few restrictions, if any.
  • Outside-to-Inside: Traffic originating from outside and traveling toward the inside is blocked completely, unless the traffic is in response to a request from an inside resource. For example, if an inside user requests a webpage from a public web server, this outside-to-inside traffic is allowed. Connections originating from the public network that are not a response to a request will be denied.
  • DMZ-to-Inside: Traffic originating from the DMZ and traveling toward the inside is also blocked completely, unless the traffic is a response to a legitimate request from inside.
  • Outside-to-DMZ: Traffic originating from the outside and traveling toward the DMZ is inspected by the firewall and selectively permitted or denied. Specific types of traffic may be passed through, such as email, HTTP, HTTPS, or DNS traffic. Also note that responses from the DMZ back to the outside will be dynamically permitted. In other words, the firewall will dynamically open a port to allow required traffic from the DMZ to the outside as needed.
  • DMZ-to-Outside: Traffic originating from the DMZ and traveling toward the outside is selectively permitted based on the service requirements and firewall rules. For instance, if there is an email server in the DMZ that needs to replicate with an email server at another location, the firewall policy should allow this type of traffic.
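To make the five zone-pair rules concrete, here is a small stateful policy simulator written as an added example for this post; it is not code from the original article or from any firewall vendor. It encodes each zone pair as a rule on new connections and keeps a connection table so that replies to an already-permitted flow are allowed without consulting the rules again, which is the "dynamically opened port" behaviour described above. The service lists, IP addresses (from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the packet sequence are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Zone(Enum):
    INSIDE = "inside"
    DMZ = "dmz"
    OUTSIDE = "outside"


@dataclass(frozen=True)
class Packet:
    """One packet as the firewall sees it: the zones come from the ingress
    and egress interfaces, the remaining fields from the packet headers."""
    src_zone: Zone
    dst_zone: Zone
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Services the outside zone may initiate toward the DMZ (constructed list,
# mirroring the email/HTTP/HTTPS/DNS examples in the post).
DMZ_INBOUND_SERVICES = {("tcp", 25), ("tcp", 80), ("tcp", 443), ("tcp", 53), ("udp", 53)}

# Services a DMZ host may initiate toward the outside (constructed list:
# SMTP for mail replication, DNS lookups, HTTPS for updates).
DMZ_OUTBOUND_SERVICES = {("tcp", 25), ("tcp", 53), ("udp", 53), ("tcp", 443)}


class ZoneFirewall:
    """Stateful zone-pair policy: a new connection is checked against the
    zone-pair rules; a reply to an already-permitted flow is allowed without
    consulting those rules (the 'dynamically opened port')."""

    def __init__(self):
        # Connection table: 5-tuples of flows that have been permitted.
        self.connections = set()

    @staticmethod
    def _flow(p: Packet):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_flow(p: Packet):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def _new_connection_allowed(self, p: Packet) -> bool:
        pair = (p.src_zone, p.dst_zone)
        service = (p.proto, p.dst_port)
        if pair in {(Zone.INSIDE, Zone.OUTSIDE), (Zone.INSIDE, Zone.DMZ)}:
            return True                    # inside may initiate toward either zone
        if pair in {(Zone.OUTSIDE, Zone.INSIDE), (Zone.DMZ, Zone.INSIDE)}:
            return False                   # nothing may initiate toward inside
        if pair == (Zone.OUTSIDE, Zone.DMZ):
            return service in DMZ_INBOUND_SERVICES
        if pair == (Zone.DMZ, Zone.OUTSIDE):
            return service in DMZ_OUTBOUND_SERVICES
        return False                       # any other pair: default deny

    def evaluate(self, p: Packet) -> str:
        # Reply to an established flow: permitted regardless of zone pair.
        if self._reverse_flow(p) in self.connections:
            return "permit (established)"
        if self._new_connection_allowed(p):
            self.connections.add(self._flow(p))
            return "permit"
        return "deny"


def run_demo():
    """Replay a constructed sequence of packets and return the decisions."""
    fw = ZoneFirewall()
    I, D, O = Zone.INSIDE, Zone.DMZ, Zone.OUTSIDE
    packets = [
        # 1. inside user fetches a public web page; 2. the reply comes back
        Packet(I, O, "tcp", "10.0.0.5", 51000, "203.0.113.10", 443),
        Packet(O, I, "tcp", "203.0.113.10", 443, "10.0.0.5", 51000),
        # 3. unsolicited SSH connection from outside toward an inside host
        Packet(O, I, "tcp", "198.51.100.7", 40000, "10.0.0.5", 22),
        # 4. outside client reaches the DMZ web server; 5. the server replies
        Packet(O, D, "tcp", "198.51.100.7", 40001, "192.0.2.20", 443),
        Packet(D, O, "tcp", "192.0.2.20", 443, "198.51.100.7", 40001),
        # 6. outside client tries SSH to the DMZ web server (not a published service)
        Packet(O, D, "tcp", "198.51.100.7", 40002, "192.0.2.20", 22),
        # 7. DMZ mail server replicates with a remote mail server over SMTP
        Packet(D, O, "tcp", "192.0.2.25", 52000, "203.0.113.25", 25),
        # 8. DMZ host opens a new connection toward inside
        Packet(D, I, "tcp", "192.0.2.20", 52001, "10.0.0.5", 445),
    ]
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for i, decision in enumerate(run_demo(), 1):
        print(f"packet {i}: {decision}")
```

The simulator deliberately keeps only what the zone rules need: a real stateful firewall would also age entries out of the connection table, check TCP flags so that only a SYN can create state, and track UDP and ICMP pseudo-connections separately. The point it illustrates is that the connection table, not a static rule, is what lets outside-to-inside and DMZ-to-inside replies through while every unsolicited connection toward the inside zone is dropped.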

All the best,


Charles Judd – Instructor
CCNA Security, CCNA R/S, BS Network Security