Zone-Based Firewall - Brocade Communications Systems 5600 vRouter Configuration Manual

Scenario 2: firewall instances applied to outbound traffic
In this scenario, firewall instances are applied to outbound (out) traffic on an interface. Notice that the firewall is evaluated after DNAT and routing decisions, and after SNAT; outbound rules therefore match on the translated (post-SNAT) source address, not the original one.

Zone-based firewall

Ordinary firewall rule sets are applied on a per-interface basis and act as a packet filter for that interface. In a zone-based firewall, interfaces are instead grouped into security "zones," where every interface in a zone has the same security level.
Packet-filtering policies are applied to traffic flowing between zones. Traffic flowing between interfaces that lie in the same zone is not filtered and flows freely, because the interfaces share the same security level.
The following figure shows an example of a zone-based firewall implementation. This example has these characteristics:
- Three transit zones exist (that is, zones whose traffic transits the router): the private zone, the demilitarized zone (DMZ), and the public zone.
- The dp0p1p4 interface lies in the public zone; the dp0p1p1 and dp0p1p2 interfaces lie in the private zone; and the dp0p1p3 interface lies in the DMZ.
- The arrows from one zone to another represent the traffic-filtering policies that are applied to traffic flowing between those zones, in the direction of the arrow.
- Traffic flowing between LAN 1 and LAN 2 remains within a single security zone. Thus, traffic from LAN 1 to LAN 2, and conversely, flows unfiltered.
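As an added illustration (not configuration or code from the Brocade manual), the following Python model walks through how a zone-based lookup for the topology in the figure decides whether a forwarded packet is filtered at all, and if so by which rule set. The interface-to-zone mapping is the one the page gives; the zone-pair policies (the "arrows"), the rule sets, and the behaviour of dropping inter-zone traffic for which no policy exists are assumptions of the model, chosen to show the three outcomes: same-zone traffic passes unfiltered, inter-zone traffic with a policy is filtered by that policy's rule set, and inter-zone traffic with no policy is dropped.

```python
"""Toy model of zone-based firewall evaluation (added example, not vendor code)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Interface-to-zone mapping taken from the page's example topology.
INTERFACE_ZONE: Dict[str, str] = {
    "dp0p1p4": "public",
    "dp0p1p1": "private",
    "dp0p1p2": "private",
    "dp0p1p3": "dmz",
}


@dataclass(frozen=True)
class Packet:
    """Minimal forwarded-packet view: protocol, destination port, and the
    ingress/egress interfaces the routing decision produced."""
    proto: str
    dst_port: int
    in_intf: str
    out_intf: str


# A rule set is an ordered list of (match predicate, action); first match wins.
Rule = Tuple[Callable[[Packet], bool], str]

# Assumed rule sets for the model; the manual's figure does not show rule contents.
RULESETS: Dict[str, List[Rule]] = {
    "PRIVATE_TO_PUBLIC": [(lambda p: True, "accept")],
    "PUBLIC_TO_DMZ": [
        (lambda p: p.proto == "tcp" and p.dst_port in (80, 443), "accept"),
        (lambda p: True, "drop"),
    ],
    "PRIVATE_TO_DMZ": [(lambda p: True, "accept")],
}

# Zone-pair policies, keyed by (from_zone, to_zone). Policies are directional:
# a private->public policy says nothing about public->private traffic.
# Which arrows the figure actually draws is not visible here; these are assumed.
POLICIES: Dict[Tuple[str, str], str] = {
    ("private", "public"): "PRIVATE_TO_PUBLIC",
    ("public", "dmz"): "PUBLIC_TO_DMZ",
    ("private", "dmz"): "PRIVATE_TO_DMZ",
}


def evaluate(p: Packet) -> Tuple[str, Optional[str]]:
    """Return (verdict, ruleset_name).

    ruleset_name is None when no rule set was consulted, i.e. for same-zone
    traffic (forwarded unfiltered) or for a zone pair with no policy (dropped
    in this model, the usual zone-based default)."""
    from_zone = INTERFACE_ZONE[p.in_intf]
    to_zone = INTERFACE_ZONE[p.out_intf]
    if from_zone == to_zone:
        # Same security level: not filtered, flows freely.
        return "accept", None
    ruleset = POLICIES.get((from_zone, to_zone))
    if ruleset is None:
        # No policy between these zones in this direction: drop.
        return "drop", None
    for match, action in RULESETS[ruleset]:
        if match(p):
            return action, ruleset
    # No rule matched: implicit drop for the rule set.
    return "drop", ruleset


if __name__ == "__main__":
    # Constructed sample flows for the four interfaces in the figure.
    samples = [
        Packet("tcp", 22, "dp0p1p1", "dp0p1p2"),   # LAN 1 -> LAN 2, same zone
        Packet("tcp", 443, "dp0p1p4", "dp0p1p3"),  # public -> DMZ, HTTPS
        Packet("tcp", 22, "dp0p1p4", "dp0p1p3"),   # public -> DMZ, SSH
        Packet("tcp", 80, "dp0p1p4", "dp0p1p1"),   # public -> private, no policy
        Packet("tcp", 80, "dp0p1p3", "dp0p1p1"),   # DMZ -> private, no policy
    ]
    for s in samples:
        print(s.in_intf, "->", s.out_intf, evaluate(s))
```

The directional lookup is the point worth noticing: a policy from private to public does not make public-to-private traffic pass, so the fourth and fifth sample flows are dropped even though the reverse direction for private-to-DMZ is allowed.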
Brocade 5600 vRouter Firewall Configuration Guide, 53-1004253-01, Firewall Overview, page 17
