Zone-based Firewalls Overview

If you have any important information or tools attached to devices in your network, then you need good network security. An essential tool for security is the firewall.

Of course, firewalls have seen a lot of development over the years, so if you want modern solutions, then you need to know about modern firewalls. It’s time to learn about zone-based firewalls.

What Is a Zone-Based Firewall?

If a firewall is a technology that inspects traffic to protect your network, then a zone-based firewall is one of the most advanced designs in this field. It is available with modern Cisco technology, and it provides more thorough and efficient firewall protection.

Before we get too deep in the weeds, a few notes need to be addressed. First, zone-based firewalls are still stateful firewalls, meaning they track the individual sessions within the network. That makes its functionality similar to other types of firewalls.

But, zone-based technology does depart from the context-based access control (CBAC) that was dominant in the realm of firewalls for many years. Zone technology is what replaces CBAC, and in order to understand exactly what that means, we need to zoom in.

How Does It Work?

As you might imagine, the “zone” is the key piece to zone-based firewall protection. In this respect, the firewall assigns zones to the network. (More accurately, the network administrator can pick the zones when they set up the firewall.)

The zones are based on the physical configuration of the network. You could create a zone around a specific Wi-Fi mesh. You could create it around a printing hub. There are many options (and the most common will be explained later). The point is that once the zones are set, the firewall specifically monitors traffic that travels between zones. If traffic stays within a zone, it doesn’t have to pass through the firewall. When traffic does go through a zone, the rest of the firewall process is normal. Traditional checks and mechanisms will inspect that traffic to ensure the network is safe.

So, what do the zones look like? Ideally, each router exists in its own zone. When traffic goes between routers, that merits a firewall inspection. It’s also possible to create smaller zones within the network of a single router.

Either way, the idea is that zone-based firewalls increase security according to network segmentation. This doubles down on the idea of pre-quarantining problems by segmenting the network in the first place.

Firewall Functionality

While that does explain the zones, we still need to cover the firewall mechanisms when inspections take place. The configuration policy is called Cisco Activity Language (CPL). This governs the firewall’s behavior when it intervenes in network traffic.

CPL is how you set your policies, and while this is a modern language, it’s still providing traditional intervention options. You can whitelist or blacklist traffic according to criteria. You can use heuristics to inform firewall decision-making. There’s really no need to reinvent firewalls at this point.

It really comes down to setting your zones to ensure traffic is inspected when and where you want.

How Does a Zone-Based Firewall Compare to Other Firewalls?

With all of that covered, we can explore zone-based firewalls another way by comparing them to other firewall mechanisms. The best comparison probably involves CBAC.

With CBAC, each interface needs its own individual configuration. This is done via an access list that uses large tables to inspect and compare traffic in order to make decisions about access. While this does create effective interventions, it's slow and clunky and eats up a lot of IT labor. For a large network, CBAC requires a lot of configuration.

One of the great advantages of a zone design is that it simplifies implementation without sacrificing efficacy. Each zone can have its own access and traffic policies, but because the firewall only has to inspect cross-zone traffic, the application of the intervention is simpler.

On top of that, you aren’t individually configuring different firewalls across each node of the network. You only have to configure according to zones, and if a single zone needs multiple firewalls, you can copy policies accordingly.

Fitting Firewalls into Network Topology

We can add perspective by considering how firewalls fit into your network topology. The most common design of zone firewalls uses a three-zone system. You have the public, private, and DMZ zones. For large networks, you can create multiples of each zone, but you still typically split policies for any zone into one of these categories.

This helps you simplify network implementation and execution.

Let’s take a closer look at each type of zone to see what that reveals.

Public

The public zone includes any traffic that comes from outside your network. In other words, this zone includes the internet.

Small networks typically only have one public zone, but larger networks might have multiple ISP access points. Regardless, ISP zones have public rule sets that often apply wider access to users paired with stronger traffic security.

Private

Private zones are for devices that sit inside your network and do not directly access traffic outside of the private network. Many printers would fit into such a zone, as do many other devices.

As far as architecture goes, it’s reasonable to set up multiple private zones according to traffic types and use cases. You might put a camera security system in its own zone. Or, an enterprise network might put the accounting department in a single zone. It’s really up to the administrator, and the zone strategy amplifies the benefits of network segmentation.

DMZ

The last type of zone is the DMZ (demilitarized zone). This is another way of identifying a neutral zone. Neutral zones segment devices that interface with public traffic. The best examples include web servers and mail servers.

You can think of the DMZ zone as sitting somewhere between the public and private zones. DMZ devices do communicate outside of the private network, but they don’t fully access the greater internet. They provide specific access and communications, and that’s why they should be treated with their own set of firewall procedures.

That really covers the gist of zone-based firewalls. They’re a great way to make firewall protection more efficient, and they’re gaining popularity across networks of all shapes and sizes.

Additional Learning Center Resources