Zones group interfaces and networks by trust level. Traffic flowing between zones must pass through the firewall's policy engine, enforcing strict boundaries between the untrusted internet, internal users, and public-facing services.
The Demilitarized Zone (DMZ) hosts public-facing services like web and mail servers. It is isolated from the internal LAN. If a DMZ server is compromised, the attacker still faces a second firewall boundary to reach internal data.
💡 Pro-tip: Never allow direct database connections from the DMZ to the LAN. Use an internal API gateway or application-tier proxy to mediate DMZ-to-LAN data requests.
```
# Conceptual Zone-Based Policy (ZBP), written in Cisco IOS zone-based firewall syntax
zone security DMZ
zone security LAN
zone-pair security DMZ-to-LAN source DMZ destination LAN
 service-policy type inspect RESTRICTED-ACCESS
```
This ZBP ensures that only traffic matched by the RESTRICTED-ACCESS inspect policy can be initiated from the DMZ into the trusted internal LAN. Inspection tracks the permitted sessions so their return traffic passes; any DMZ-to-LAN flow the policy does not match is dropped, and with no zone-pair defined in the opposite direction, nothing can be initiated from the LAN into the DMZ through this pair either.
The WAN zone is inherently untrusted. The LAN zone is trusted but increasingly treated as 'semi-trusted' in modern Zero Trust architectures. East-West traffic between LAN subnets should also be zoned and filtered.
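The zone-pair logic above (zones by trust level, a default-deny zone-pair table, an inspected DMZ-to-LAN exception, and the pro-tip of keeping databases out of the DMZ's reach) as a small simulated policy engine. This is an added example, not code from the page or from any firewall vendor: the address ranges (RFC 5737 documentation prefixes for WAN and DMZ, 10.10.0.0/16 for the LAN), the hypothetical API gateway host 10.10.5.10 on TCP 8443, and the rule set are all assumptions chosen to illustrate the behaviour. Intra-zone traffic is permitted by default here, which is the common zone-based default and is why East-West filtering requires giving each internal subnet its own zone and zone-pair.

```python
"""Toy zone-based firewall: map addresses to zones by longest prefix, then
consult a default-deny zone-pair table with stateful return-traffic handling."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Zone membership by prefix (constructed documentation ranges, not real sites).
# WAN is the catch-all; the most specific matching prefix wins, so any address
# outside the DMZ and LAN prefixes lands in WAN.
ZONES = {
    "WAN": ["0.0.0.0/0"],
    "DMZ": ["203.0.113.0/24"],
    "LAN": ["10.10.0.0/16"],
}

# Zone-pair policy: (source zone, destination zone) -> permitted services as
# (protocol, destination port, destination host or None for any host).
# Pairs absent from this table are denied outright: that is the default for
# inter-zone traffic in a zone-based firewall.
POLICY = {
    ("WAN", "DMZ"): [("tcp", 80, None), ("tcp", 443, None), ("tcp", 25, None)],
    ("LAN", "WAN"): [("tcp", 80, None), ("tcp", 443, None), ("udp", 53, None)],
    ("LAN", "DMZ"): [("tcp", 22, None), ("tcp", 443, None)],
    # Equivalent of the RESTRICTED-ACCESS policy: the DMZ may only reach the
    # hypothetical internal API gateway 10.10.5.10 on 8443, never a database.
    ("DMZ", "LAN"): [("tcp", 8443, "10.10.5.10")],
}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def reverse(self) -> "Flow":
        """The 5-tuple a reply packet for this flow would carry."""
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


class ZoneFirewall:
    def __init__(self, zones, policy):
        self.zones = {name: [ip_network(p) for p in prefixes]
                      for name, prefixes in zones.items()}
        self.policy = policy
        self.sessions = set()  # permitted flows, used to admit their replies

    def zone_of(self, addr):
        """Longest-prefix match of an address to a zone; None if no zone holds it."""
        ip = ip_address(addr)
        best = None
        for name, nets in self.zones.items():
            for net in nets:
                if ip in net and (best is None or net.prefixlen > best[1]):
                    best = (name, net.prefixlen)
        return best[0] if best else None

    def evaluate(self, flow):
        """Return ("permit"|"deny", reason) for a flow's first packet."""
        # Stateful inspection: replies to an already permitted session pass,
        # even though no zone-pair allows them as new connections.
        if flow.reverse() in self.sessions:
            return ("permit", "established session")
        src_zone, dst_zone = self.zone_of(flow.src), self.zone_of(flow.dst)
        if src_zone is None or dst_zone is None:
            return ("deny", "address belongs to no zone")
        if src_zone == dst_zone:
            return ("permit", f"intra-zone {src_zone}")
        rules = self.policy.get((src_zone, dst_zone))
        if rules is None:
            return ("deny", f"no zone-pair {src_zone}->{dst_zone}")
        for proto, dport, host in rules:
            if flow.proto == proto and flow.dport == dport and host in (None, flow.dst):
                self.sessions.add(flow)
                return ("permit", f"{src_zone}->{dst_zone} {proto}/{dport}")
        return ("deny", f"{src_zone}->{dst_zone} not in policy")


def demo():
    """Run constructed flows through a fresh engine; returns (label, verdict, reason)."""
    fw = ZoneFirewall(ZONES, POLICY)
    flows = [
        ("internet client -> DMZ web 443", Flow("198.51.100.7", 51000, "203.0.113.10", 443, "tcp")),
        ("DMZ web -> LAN database 5432", Flow("203.0.113.10", 40000, "10.10.20.5", 5432, "tcp")),
        ("DMZ web -> LAN API gateway 8443", Flow("203.0.113.10", 40001, "10.10.5.10", 8443, "tcp")),
        ("gateway reply -> DMZ web", Flow("10.10.5.10", 8443, "203.0.113.10", 40001, "tcp")),
        ("gateway -> DMZ web, no session", Flow("10.10.5.10", 8443, "203.0.113.10", 40005, "tcp")),
        ("internet -> LAN SMB 445", Flow("198.51.100.7", 51001, "10.10.20.5", 445, "tcp")),
        ("LAN admin -> DMZ ssh 22", Flow("10.10.1.20", 52000, "203.0.113.10", 22, "tcp")),
        ("LAN app -> LAN database 5432", Flow("10.10.1.20", 52001, "10.10.20.5", 5432, "tcp")),
    ]
    return [(label, *fw.evaluate(f)) for label, f in flows]


if __name__ == "__main__":
    for label, verdict, reason in demo():
        print(f"{verdict:6} {label:36} ({reason})")
```

The fourth and fifth flows are the point of the inspect policy: the gateway's reply to a permitted DMZ session is admitted by state, while a fresh connection from the same LAN host to an arbitrary DMZ port is not, because no LAN-to-DMZ rule covers it. The second flow shows the pro-tip enforced: a compromised DMZ web server cannot open a direct database connection into the LAN.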
⚠️ Avoid placing internal domain controllers or file servers in the DMZ. The DMZ is a hostile environment; only hardened, public-facing front-end services that hold no internal credentials or sensitive data belong there.
| Zone | Trust Level | Typical Assets |
|---|---|---|
| WAN | Untrusted | ISP Links |
| DMZ | Semi-Trusted | Web/Mail Servers |
| LAN | Trusted | Endpoints/DBs |