About Security Zones

A security zone is a group of interfaces to which a security policy can be applied to control traffic between zones. For ease of deployment, the Cisco ISA500 has several predefined zones with default security settings to protect your network. You can create additional zones as needed.

Each zone has an associated security level. The security level represents the level of trust, from low (0) to high (100). Default firewall rules are created for all predefined zones and your new zones, based on these security levels. For example, by default all traffic from the LAN zone (with a Trusted security level) to the WAN zone (with an Untrusted security level) is allowed but traffic from the WAN (Untrusted) zone to the LAN (Trusted) zone is blocked. You can create and modify firewall rules to specify the permit or block action for specified services, source and destination addresses, and schedules.

To learn more, see the Security Levels and Predefined Zones table.
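As an added illustration (not Cisco's code or the ISA500's actual rule engine), the following Python sketch models how the default inter-zone action follows from the security levels in the table below, and how an explicit firewall rule on service and addresses overrides that default. It assumes that only traffic from a higher level to a strictly lower level is permitted by default and that the first matching explicit rule wins; the page states only the LAN-to-WAN and WAN-to-LAN cases.

```python
import ipaddress
from dataclasses import dataclass

# Predefined ISA500 zones and security levels from the table below.
# VOICE has no numeric level listed on the page, so it is omitted here.
ZONE_LEVELS = {"LAN": 100, "VPN": 75, "SSLVPN": 75, "DMZ": 50, "GUEST": 25, "WAN": 0}


def default_action(src_zone, dst_zone):
    """Default zone-to-zone action derived from security levels.
    Assumption: higher-to-strictly-lower is permitted, anything else blocked."""
    return "permit" if ZONE_LEVELS[src_zone] > ZONE_LEVELS[dst_zone] else "block"


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    action: str                 # "permit" or "block"
    service: str = "any"        # e.g. "tcp/443"; "any" matches every service
    src_net: str = "0.0.0.0/0"  # CIDR; 0.0.0.0/0 matches any address
    dst_net: str = "0.0.0.0/0"

    def matches(self, src_zone, dst_zone, service, src_ip, dst_ip):
        return (self.src_zone == src_zone and self.dst_zone == dst_zone
                and self.service in ("any", service)
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst_net))


def evaluate(rules, src_zone, dst_zone, service, src_ip, dst_ip):
    """First matching explicit rule wins; otherwise fall back to the
    default action implied by the two zones' security levels."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, service, src_ip, dst_ip):
            return rule.action
    return default_action(src_zone, dst_zone)


# Constructed sample policy (hypothetical addresses): publish one HTTPS
# server in the DMZ to the Internet, and let GUEST reach it over HTTP only.
RULES = [
    Rule("WAN", "DMZ", "permit", service="tcp/443", dst_net="192.0.2.10/32"),
    Rule("GUEST", "DMZ", "permit", service="tcp/80", dst_net="192.0.2.10/32"),
]

if __name__ == "__main__":
    print(evaluate(RULES, "LAN", "WAN", "tcp/80", "10.0.0.5", "198.51.100.1"))
```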

Security Levels and Predefined Zones

| Security Level | Description | Predefined Zones |
|---|---|---|
| Trusted (100) | Highest level of trust. By default, the DEFAULT VLAN is mapped to the predefined LAN zone. You can group one or more VLANs into a Trusted zone. | LAN |
| VPN (75) | Higher level of trust than a public zone, but a lower level of trust than a trusted zone. This security level is used exclusively for VPN connections. All traffic is encrypted. | VPN, SSLVPN |
| Public (50) | Higher level of trust than a guest zone, but a lower level of trust than a VPN zone. | DMZ |
| Guest (25) | Higher level of trust than an untrusted zone, but a lower level of trust than a public zone. | GUEST |
| Untrusted (0) | Lowest level of trust. By default, the WAN1 interface is mapped to the WAN zone. If you are using the secondary WAN (WAN2), you can map it to the WAN zone or any other untrusted zone. | WAN |
| Voice | Designed exclusively for voice traffic. Incoming and outgoing traffic is optimized for voice operations. For example, assign Cisco IP Phones to the VOICE zone. | VOICE |