A Local Area Network is a network infrastructure that spans a small geographical area. LANs have specific characteristics:

LANs interconnect end devices in a limited area such as a home, school, office building, or campus.
A LAN is usually administered by a single organization or individual. Administrative control is enforced at the network level and governs the security and access control policies.
LANs provide high-speed bandwidth to internal end devices and intermediary devices, as shown in the figure.

WANs

The figure shows a WAN which interconnects two LANs. A WAN is a network infrastructure that spans a wide geographical area. WANs are typically managed by service providers (SPs) or Internet Service Providers (ISPs).
WANs have specific characteristics:

WANs interconnect LANs over wide geographical areas such as between cities, states, provinces, countries, or continents.
WANs are usually administered by multiple service providers.
WANs typically provide slower speed links between LANs.

Zone-Based Policy Firewall

Zone-based policy firewalls (ZPFs) use the concept of zones to provide additional flexibility. A zone is a group of one or more interfaces that have similar functions or features. Zones help you specify where a Cisco IOS firewall rule or policy should be applied.

In the figure, security policies for LAN 1 and LAN 2 are similar and can be grouped into a zone for firewall configurations. By default, the traffic between interfaces in the same zone is not subject to any policy and passes freely. However, all zone-to-zone traffic is blocked. In order to permit traffic between zones, a policy allowing or inspecting traffic must be configured.

The only exception to this default deny any policy is the router self zone. The self zone is the router itself and includes all the router interface IP addresses. Policy configurations that include the self zone would apply to traffic destined to and sourced from the router. By default, there is no policy for this type of traffic. Traffic that should be considered when designing a policy for the self zone includes management plane and control plane traffic, such as SSH, SNMP, and routing protocols.

Common Security Architectures

Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic. Some designs are as simple as designating an outside network and inside network, which are determined by two interfaces on a firewall.
Here are three common firewall designs.

Private and Public

Demilitarized Zone

Zone-Based Policy Firewalls

As shown in the figure, the public network (or outside network) is untrusted, and the private network (or inside network) is trusted.
Typically, a firewall with two interfaces is configured as follows:

Traffic originating from the private network is permitted and inspected as it travels toward the public network. Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.
Traffic originating from the public network and travelling to the private network is generally blocked.

Action Point

PS: I know you might agree with some of the points that I have raised in this article. You might not agree with some of the issues raised. Let me know your views about the topic discussed. We will appreciate it if you could drop your comment. Thanks in anticipation.

Fact Check Policy

CRMNuggets is committed to fact-checking in a fair, transparent and non-partisan manner. Therefore, if you’ve found an error in any of our reports, be it factual, editorial, or an outdated post, please contact us to tell us about it.