External Zones and Security Policies For Traffic Within a Firewall
In the following example, an enterprise has two separate
administrative groups: the departmentA and departmentB virtual systems.
The following figure shows the external zone associated with each
virtual system, and traffic flowing from one trust zone, out an
external zone, into an external zone of another virtual system,
and into its trust zone.
To create external zones, the firewall administrator must configure
the virtual systems so that they are visible to each
other. External zones do not have security policies between them
because their virtual systems are visible to each other.
For two virtual systems to communicate, the ingress and egress
interfaces on the firewall must either be assigned to a single virtual
router or be connected by static routes between their virtual
routers. The simpler of these two approaches is to assign all virtual
systems that must communicate with each other to a single virtual
router.
Each virtual system might need its own virtual router, for example
when the virtual systems use overlapping IP address ranges. Traffic
can still be routed between the virtual systems, but each virtual
router must then have static routes that point to the other virtual
router(s) as the next hop.
Referring to the scenario in the figure above, we have an enterprise
with two administrative groups: departmentA and departmentB. The
departmentA group manages the local network and the DMZ resources.
The departmentB group manages traffic in and out of the sales segment
of the network. All traffic is on a local network, so a single virtual
router is used. There are two external zones configured for communication
between the two virtual systems. The departmentA virtual system
has three zones used in security policies: deptA-DMZ, deptA-trust,
and deptA-External. The departmentB virtual system also has three
zones: deptB-DMZ, deptB-trust, and deptB-External. Both groups can
control the traffic passing through their virtual systems.
In order to allow traffic from deptA-trust to deptB-trust, two
security policies are required. In the following figure, the two
vertical arrows indicate where the security policies (described
below the figure) are controlling traffic.
Security Policy 1: In the preceding figure, traffic is
destined for the deptB-trust zone. Traffic leaves the deptA-trust
zone and goes to the deptA-External zone. A security policy must
allow traffic from the source zone (deptA-trust) to the destination
zone (deptA-External). A virtual system allows any policy type to
be used for this traffic, including NAT.
No policy is needed
between external zones because traffic sent to an external zone
appears in and has automatic access to the other external zones
that are visible to the original external zone.
Security Policy 2: In the preceding figure, the traffic arriving in
deptB-External is still destined for the deptB-trust zone, and a
security policy must be configured to allow it. The policy must
allow traffic from the source zone (deptB-External) to the destination
zone (deptB-trust).
The departmentB virtual system could be configured to block traffic
from the departmentA virtual system, and vice versa. Like traffic
from any other zone, traffic from external zones must be explicitly
allowed by policy to reach other zones in a virtual system.
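The three-hop evaluation described above (policy in the source virtual system, no policy between visible external zones, policy in the destination virtual system), as an added model written for this page rather than firewall code: the virtual systems, zone names and the two rules are constructed to match the departmentA/departmentB scenario, and the rulebase lookup is simplified to zone pairs with a default deny.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    action: str  # "allow" or "deny"

@dataclass
class Vsys:
    name: str
    external_zones: dict  # external zone name -> set of vsys names it makes visible
    rules: list = field(default_factory=list)  # ordered rulebase of this vsys

    def lookup(self, src_zone, dst_zone):
        # First matching rule wins; with no match the interzone default is deny.
        for r in self.rules:
            if r.from_zone == src_zone and r.to_zone == dst_zone:
                return r.action
        return "deny"

    def external_zone_facing(self, other_vsys):
        # The external zone of this vsys from which `other_vsys` is visible, or None.
        return next((z for z, seen in self.external_zones.items() if other_vsys in seen), None)

def inter_vsys_allowed(src, src_zone, dst, dst_zone):
    # Returns (allowed, trace): one trace entry per hop of src_zone@src -> dst_zone@dst.
    trace = []
    src_ext, dst_ext = src.external_zone_facing(dst.name), dst.external_zone_facing(src.name)
    if src_ext is None or dst_ext is None:
        return False, ["virtual systems are not visible to each other"]
    # Hop 1 (Security Policy 1): trust -> external, evaluated by the source vsys.
    a1 = src.lookup(src_zone, src_ext)
    trace.append(f"{src.name}: {src_zone} -> {src_ext} = {a1}")
    if a1 != "allow":
        return False, trace
    # Hop 2: external -> external needs no policy; visibility alone carries the traffic.
    trace.append(f"{src_ext} -> {dst_ext}: no policy between external zones")
    # Hop 3 (Security Policy 2): external -> trust, evaluated by the destination vsys.
    a2 = dst.lookup(dst_ext, dst_zone)
    trace.append(f"{dst.name}: {dst_ext} -> {dst_zone} = {a2}")
    return a2 == "allow", trace

# Constructed setup matching the scenario in the text: two vsys, visible to each other.
DEPT_A = Vsys("departmentA", {"deptA-External": {"departmentB"}},
              [Rule("deptA-trust", "deptA-External", "allow")])  # Security Policy 1
DEPT_B = Vsys("departmentB", {"deptB-External": {"departmentA"}},
              [Rule("deptB-External", "deptB-trust", "allow")])  # Security Policy 2
```

Calling `inter_vsys_allowed(DEPT_A, "deptA-trust", DEPT_B, "deptB-trust")` allows the flow, while the reverse direction is denied because departmentB has no trust-to-external rule, and dropping Security Policy 2 denies the original flow at the third hop.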
In addition to external zones being required for inter-virtual
system traffic that does not leave the firewall, external zones
are also required if you configure a Shared
Gateway, in which case the traffic is intended to leave the
firewall.