A Local Area Network is a network infrastructure that spans a small geographical area. LANs have specific characteristics:
LANs interconnect end devices in a limited area such as a home, school, office building, or campus.
A LAN is usually administered by a single organization or individual. Administrative control is enforced at the network level and governs the security and access control policies.
LANs provide high-speed bandwidth to internal end devices and intermediary devices, as shown in the figure.
The diagram is an illustration of a LAN. At the centre of the diagram is a switch. There are four Ethernet connections on the switch. At the top left is a connection to a PC. Below that is a connection to the computer at the desk of a worker.
Below that is another connection to the computer at the desk of a worker. At the bottom left is a connection to an IP phone. To the right of the switch is a connection to a server. The text under the figure reads: a network serving a home, small building, or a small campus is considered a LAN.
A network serving a home, small building, or a small campus is considered a LAN.
WANs
The figure shows a WAN which interconnects two LANs. A WAN is a network infrastructure that spans a wide geographical area. WANs are typically managed by service providers (SPs) or Internet Service Providers (ISPs). WANs have specific characteristics:
WANs interconnect LANs over wide geographical areas such as between cities, states, provinces, countries, or continents.
WANs are usually administered by multiple service providers.
WANs typically provide slower speed links between LANs.
The figure shows two branch LANs connected via a WAN link. Both LANs are highlighted in a light yellow box and consist of a central switch connected to three PCs, an IP phone, a server, and a router. The two routers are connected via a red WAN link. On the left is the branch 1 LAN and on the right is branch 2 LAN.
Zone-Based Policy Firewall
Zone-based policy firewalls (ZPFs) use the concept of zones to provide additional flexibility. A zone is a group of one or more interfaces that have similar functions or features. Zones help you specify where a Cisco IOS firewall rule or policy should be applied.
In the figure, security policies for LAN 1 and LAN 2 are similar and can be grouped into a zone for firewall configurations. By default, the traffic between interfaces in the same zone is not subject to any policy and passes freely. However, all zone-to-zone traffic is blocked. In order to permit traffic between zones, a policy allowing or inspecting traffic must be configured.
The only exception to this default deny any policy is the router self zone. The self zone is the router itself and includes all the router interface IP addresses. Policy configurations that include the self zone would apply to traffic destined to and sourced from the router. By default, there is no policy for this type of traffic. Traffic that should be considered when designing a policy for the self zone includes management plane and control plane traffic, such as SSH, SNMP, and routing protocols.
Common Security Architectures
Firewall design is primarily about device interfaces permitting or denying traffic based on the source, the destination, and the type of traffic. Some designs are as simple as designating an outside network and inside network, which are determined by two interfaces on a firewall. Here are three common firewall designs.
Private and Public
Demilitarized Zone
Zone-Based Policy Firewalls
As shown in the figure, the public network (or outside network) is untrusted, and the private network (or inside network) is trusted. Typically, a firewall with two interfaces is configured as follows:
Traffic originating from the private network is permitted and inspected as it travels toward the public network. Inspected traffic returning from the public network and associated with traffic that originated from the private network is permitted.
Traffic originating from the public network and travelling to the private network is generally blocked.
The private and public figure shows a cloud within a circle labelled public (untrusted). The cloud connects to a firewall via s 0 / 0 / 0. The g 0 / 0 firewall port connects to a circled labelled VLAN 1 private (trusted) that has a server and two pc’s on it. There is an arrow going from the private circle to the public circle with h t t p, SMTP, and d n s on it. There is another arrow going from the public circle to the private circle with the words no access.
To Get Email Updates when we post new contents, Click Here.
Sharing Is Caring. If you enjoy this article, help us share with others.
