A zone is just a label. Every interface has one zone set on it (and one zone only). Multiple interfaces can have the same zone (em1 and em5 could both be labeled as 'internal' interfaces for example).
Let's say you have a set of servers you want to put into a 'dmz.' These servers plug into a switch and the firewall's interface em3 is plugged into this same switch. In the Interface configuration for the em3 interface you set the zone to be 'dmz.' Now this interface has a zone/label of 'dmz.' Now you can control traffic to and from all the machines off this interface by specifying 'dmz' as the source or destination zone in a rule. You don't HAVE to specify the destination IPs of these servers in the rule (although you can), you can just say 'Traffic to a 'dmz' (zone) interface is trusted'.
A zone is just a label that is attached to an interface so you can control traffic to and from that interface via the rules. You want traffic to go from here to there, so in a rule you specify the source zone as 'here' and the destination zone as 'there.'
Just to add onto Sam's great explanation, you typically want to organize devices with similar security requirements in the same zone. As Sam said, you may have some servers in the DMZ zone. You would probably put clients on the internal zone. You could create a third zone for untrusted users (for example guest wireless access), etc.
I have noticed that the concept of a zone is not complicated but can be really tough to explain. Do you feel like you have a better understanding now, Andreas?
I can echo what the guys have said here. If you try to avoid overcomplicating something which isn't actually complicated to start off with, then it shouldn't be an issue. But, to try and explain it to someone is a different matter - because it ends up sounding complicated!
This concept isn't unique to McAfee Firewall Enterprise. I work for a reseller and while MFE is our flagship Firewall product, I have come into contact with other vendor's Firewalls over the years and many of them are now adopting the same basic framework.
I tend to think of a zone as a logical placeholder for the Firewall's physical interface. For the vast majority of situations this will still be a one-to-one relationship (with the internal interface being assigned to the internal zone, external interface to external zone and so forth) and it's then the case that the firewall rules are created between the zones, rather than between the interfaces.
Yes, it does add an additional layer of complexity to those who have not previously worked with a product of this nature. However, because a zone can contain multiple physical interfaces, it provides you with the means of assigning new networks in a very simple fashion. With a different Firewall solution, if you wish to introduce a new network segment, you will need to configure the Firewall interface, connect it to that segment and will then have to create a new set of access control rules to allow that segment to access the outside world. Assuming that this new segment is simply an extension of your existing internal network, on MFE all that is necessary is to configure the interface on the Firewall, connect it to the network and then assign the interface to the "internal" zone. Because the rules are applied at the zone level, all existing rules from the "internal" zone will automatically apply to this new network.
Many thanks for this great description.
Can I assign VLAN tags to zones, i.e. for assigning multiple zones to one physical interface?
I'm happy to defer to Sam or Matt on this one because I've not personally done that much in-depth work with this functionality.
But, looking at the GUI, I'd suggest that it is possible.
Each VLAN interface definition (while associated with a physical NIC on the appliance) is an "interface" in its own right within the GUI and each interface can have a different zone assigned to it.
If you have the means to test it, I'd suggest trying it for yourself. Create a new VLAN interface and place it into its own zone. Then create an access control rule allowing a service to pass which would not be allowed on the other VLAN. If it works, then you have your answer.
Hope that helps.
Phil you are correct. We treat every VLAN as an interface, so it is completely valid to assign a VLAN to a zone (or a zone to a VLAN depending on how you think about it).
And you do still need policy to pass traffic as well.
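To make the two points above concrete (Phil's point that a new interface labelled "internal" inherits the existing internal-zone rules, and Sam's point that a VLAN sub-interface is an interface in its own right that still needs policy), here is a small added model of zone-based rule matching. It is illustrative code written for this thread, not code from McAfee Firewall Enterprise or from any of the posters, and it assumes a first-match rule order, an implicit default deny when no rule matches, and interface names such as em1, em5 and em4.10 chosen purely as examples.

```python
# Added illustration (not MFE's code): a minimal model of zone-based policy.
# Assumptions: first matching rule wins; no match means deny; "*" matches any service.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str   # zone of the interface the traffic arrives on
    dst_zone: str   # zone of the interface the traffic leaves on
    service: str    # e.g. "https", or "*" for any service
    action: str     # "allow" or "deny"


class ZoneFirewall:
    """Every interface carries exactly one zone label; rules are written between zones."""

    def __init__(self):
        self.zone_of = {}   # interface name -> zone label
        self.rules = []     # ordered list; first match wins (assumption of this model)

    def set_zone(self, interface, zone):
        # A VLAN sub-interface such as "em4.10" is treated as an interface in its own right,
        # so it gets its own zone label independent of the parent NIC.
        self.zone_of[interface] = zone

    def interfaces_in(self, zone):
        return sorted(i for i, z in self.zone_of.items() if z == zone)

    def add_rule(self, src_zone, dst_zone, service, action="allow"):
        self.rules.append(Rule(src_zone, dst_zone, service, action))

    def evaluate(self, ingress, egress, service):
        # Look up the zone of each interface, then match rules at the zone level only.
        src, dst = self.zone_of[ingress], self.zone_of[egress]
        for r in self.rules:
            if r.src_zone == src and r.dst_zone == dst and r.service in (service, "*"):
                return r.action
        return "deny"   # no matching rule: default deny (assumed for this model)


def build_example():
    # Constructed sample topology: three physical interfaces, one zone each.
    fw = ZoneFirewall()
    fw.set_zone("em1", "internal")
    fw.set_zone("em2", "external")
    fw.set_zone("em3", "dmz")
    fw.add_rule("internal", "external", "http")
    fw.add_rule("internal", "dmz", "https")
    fw.add_rule("external", "dmz", "https")
    return fw


def zone_inheritance_demo():
    """A new segment plugged into em5 and labelled 'internal' inherits internal's rules."""
    fw = build_example()
    before = fw.evaluate("em1", "em3", "https")     # allowed by internal -> dmz rule
    fw.set_zone("em5", "internal")                  # new network, same zone label
    after = fw.evaluate("em5", "em3", "https")      # same rule applies, no new policy needed
    reverse = fw.evaluate("em3", "em1", "https")    # dmz -> internal: no rule, default deny
    return {
        "em1_to_dmz": before,
        "em5_to_dmz": after,
        "dmz_to_internal": reverse,
        "internal_members": fw.interfaces_in("internal"),
    }


def vlan_zone_demo():
    """Two VLAN sub-interfaces on one NIC, each in a different zone."""
    fw = build_example()
    fw.set_zone("em4.10", "guest")      # guest wireless VLAN, its own zone
    fw.set_zone("em4.20", "internal")   # VLAN 20 is just more internal network
    fw.add_rule("guest", "external", "http")
    return {
        "guest_web": fw.evaluate("em4.10", "em2", "http"),       # allowed by guest rule
        "guest_to_dmz": fw.evaluate("em4.10", "em3", "https"),   # no policy for guest -> dmz
        "vlan20_to_dmz": fw.evaluate("em4.20", "em3", "https"),  # allowed via internal -> dmz
    }


if __name__ == "__main__":
    print(zone_inheritance_demo())
    print(vlan_zone_demo())
```

The point the model makes is the one in the thread: the rule table never mentions em5 or em4.20, yet traffic from both is allowed because the match is on the zone label, while the guest VLAN, despite sharing a NIC with VLAN 20, is denied wherever no guest rule exists.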