Network Security Zoning

Srujan Kumar Aakurathi
3 min read · Oct 26, 2020

One single vulnerability is all an attacker needs — Window Snyder, Chief Security Officer, Fastly

First, let us look at what a security zone is, and then move on to network security zoning.

A security zone is an area within a network that consists of a group of systems and other components sharing the same security characteristics; grouping them this way is what allows a secure network environment to be managed.

Network security zoning is a mechanism that allows an organization to efficiently manage a secure network environment by selecting the appropriate level of security for the different zones of its internet and intranet networks. It also enforces the organization’s internet security policies according to the origin of web content, and helps in effectively monitoring and controlling inbound and outbound traffic.

Properties of a Security Zone:

  • Active security policies that enforce rules on traffic in transit (traffic that may pass through the firewall) and define the action to be taken on it.
  • Pre-defined screening options that detect and block malicious traffic.
  • An address book (IP addresses and address sets) used to recognize members, so that policies can be applied to them.
  • A list of the interfaces that belong to the zone.

The following are examples of network security zones:

  1. Internet Zone
  2. Internet DMZ
  3. Production Network Zone
  4. Intranet Zone
  5. Management Network Zone or Secure Zone

Internet Zone, also known as the untrusted zone, is the part of the internet that lies outside the boundaries of an organization. It is highly susceptible to security breaches, as there may be little or no security control there to block an intrusion.

Internet DMZ (“demilitarized zone”; also called a controlled zone) is a controlled, internet-facing zone that typically contains the organization’s internet-facing components, such as web servers and email gateways, through which employees of the organization communicate directly with the outside. It acts as a barrier between the organization’s private network and the public network. The internet DMZ uses a firewall at each of its two gateway faces, which together control:

  • Traffic entering the hosts in a DMZ from the internet
  • Traffic leaving from the hosts in a DMZ to the internet
  • Traffic entering the hosts in a DMZ from internal (private) networks
  • Traffic leaving from the hosts in a DMZ to internal networks

Security Administrators may install access control software in the DMZ to monitor and control user access to resources stored in the restricted and other controlled zones.
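As an added illustration of the properties listed above (active policies, screening options, an address book and an interface list) and of the four DMZ traffic directions just described, here is a small zone-based policy evaluator. It is example code written for this page, not code from the original article or from any firewall vendor; the zone names, interface names, address ranges, port numbers and policies are all constructed assumptions, and `policies_for()` simply partitions the rules between the outer (internet-facing) and inner (DMZ-to-internal) firewall.

```python
"""Zone-based policy evaluation for a two-firewall DMZ (constructed example, not vendor code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Address book: named address sets (constructed sample ranges from RFC 5737 / RFC 1918).
ADDRESS_BOOK = {
    "any":          ["0.0.0.0/0"],
    "dmz_net":      ["192.0.2.0/24"],
    "dmz_web":      ["192.0.2.10/32", "192.0.2.11/32"],
    "dmz_mail":     ["192.0.2.25/32"],
    "intranet_net": ["10.10.0.0/16"],
    "intranet_db":  ["10.10.5.20/32"],
    "mgmt_net":     ["10.99.0.0/24"],
}
# List of interfaces per zone: the ingress interface fixes the source zone of a packet.
ZONE_OF_INTERFACE = {"eth0": "internet", "eth1": "dmz", "eth2": "intranet", "eth3": "management"}
# Address sets that locate the destination zone; anything else is treated as internet.
ZONE_SETS = [("dmz_net", "dmz"), ("intranet_net", "intranet"), ("mgmt_net", "management")]
# Source ranges that must never arrive on the internet-facing interface (constructed screen list).
BOGONS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16"]


@dataclass(frozen=True)
class Flow:
    ingress_if: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    src_set: str
    dst_set: str
    dports: Tuple[int, ...]
    action: str  # "permit" or "deny"


# Active security policies, evaluated in order; anything unmatched falls through to default deny.
POLICIES = [
    Policy("inet-to-web",  "internet",   "dmz",      "any",          "dmz_web",     (80, 443), "permit"),
    Policy("inet-to-mail", "internet",   "dmz",      "any",          "dmz_mail",    (25,),     "permit"),
    Policy("web-to-db",    "dmz",        "intranet", "dmz_web",      "intranet_db", (5432,),   "permit"),
    Policy("staff-to-dmz", "intranet",   "dmz",      "intranet_net", "dmz_net",     (80, 443), "permit"),
    Policy("staff-egress", "intranet",   "internet", "intranet_net", "any",         (80, 443), "permit"),
    Policy("mgmt-ssh",     "management", "dmz",      "mgmt_net",     "dmz_net",     (22,),     "permit"),
]


def in_set(ip: str, set_name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESS_BOOK[set_name])


def zone_of_address(ip: str) -> str:
    for set_name, zone in ZONE_SETS:
        if in_set(ip, set_name):
            return zone
    return "internet"


def screen(flow: Flow, src_zone: str) -> Optional[str]:
    """Pre-defined screening options, applied before any policy lookup."""
    if src_zone == "internet":
        # A packet on the untrusted interface must not claim an internal source address.
        if zone_of_address(flow.src) != "internet":
            return "spoofed-internal-source"
        if any(ipaddress.ip_address(flow.src) in ipaddress.ip_network(b) for b in BOGONS):
            return "bogon-source"
    return None


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (action, reason) for a flow crossing a zone boundary."""
    src_zone = ZONE_OF_INTERFACE[flow.ingress_if]
    dst_zone = zone_of_address(flow.dst)
    reason = screen(flow, src_zone)
    if reason is not None:
        return "drop", f"screen:{reason}"
    for p in POLICIES:
        if (p.from_zone, p.to_zone) == (src_zone, dst_zone) and in_set(flow.src, p.src_set) \
                and in_set(flow.dst, p.dst_set) and flow.dport in p.dports:
            return p.action, p.name
    return "deny", f"default-deny:{src_zone}->{dst_zone}"


def policies_for(firewall: str) -> List[Policy]:
    """Outer firewall owns every internet-facing rule; the inner one owns DMZ <-> internal rules."""
    outer = [p for p in POLICIES if "internet" in (p.from_zone, p.to_zone)]
    return outer if firewall == "outer" else [p for p in POLICIES if p not in outer]


if __name__ == "__main__":
    samples = [  # constructed flows covering the four DMZ directions plus two screened packets
        Flow("eth0", "203.0.113.5", "192.0.2.10", 443),   # public client to DMZ web server
        Flow("eth0", "203.0.113.5", "10.10.5.20", 5432),  # internet straight to the internal DB
        Flow("eth1", "192.0.2.10", "10.10.5.20", 5432),   # DMZ web server to its database
        Flow("eth1", "192.0.2.10", "10.10.3.40", 445),    # DMZ host towards a workstation
        Flow("eth0", "10.10.1.4", "192.0.2.10", 443),     # internal address arriving from outside
        Flow("eth2", "10.10.3.7", "192.0.2.10", 443),     # staff reaching the DMZ web server
    ]
    for f in samples:
        print(f"{f.ingress_if} {f.src:>13} -> {f.dst:<12}:{f.dport:<5} {evaluate(f)}")
```

The point worth noticing is that the source zone comes from the ingress interface while the destination zone comes from the address book, so a packet that arrives on the untrusted interface carrying an internal source address is caught by the screening step before any policy is consulted, and a DMZ host that tries to reach anything in the intranet other than the one database it is permitted to use hits the default deny.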

Production Network Zone, also known as a restricted zone, supports functions for which access should be limited. It strictly controls direct access from uncontrolled networks. Typically, a restricted zone employs one or more firewalls to filter inbound and outbound traffic.

Intranet Zone, also known as a controlled zone, contains a set of hosts on an organization’s network located behind a single firewall or a set of firewalls, and generally has fewer restrictions. This zone is not heavily restricted in use, but it has an appropriate span of control set up to ensure that network traffic doesn’t compromise the operation of significant business functions.

Management Network Zone or Secured Zone is the zone where access is limited to authorized users. Access to one area of the zone doesn’t necessarily grant access to another area of the zone. It is a secured zone with strict policies.
