ZyXEL Communications ZyWALL 310 - What You Need to Know

Chapter 27 Security Policy
ZyWALL USG Series User’s Guide
574
27.3.1 What You Need to Know
Stateful Inspection
The Zyxel Device uses stateful inspection in its security policies. It restricts access by screening data packets against defined access rules, and it also tracks sessions, so a packet is judged by the connection it belongs to rather than in isolation. For example, traffic arriving from one zone is not allowed unless it is part of a session that a computer in another zone initiated first: replies to an outbound connection are accepted, while unsolicited inbound packets are not.
Zones
A zone is a group of interfaces. Group the Zyxel Device’s interfaces into different zones based on your
needs. You can configure security policies for data passing between zones or even between interfaces.
Default Directional Security Policy Behavior
Security Policies can be grouped by the direction of travel of the packets to which they apply. The Zyxel Device has the following default Security Policy behavior for traffic going through the Zyxel Device in each direction.
To-Device Policies
Policies with Device as the To Zone apply to traffic going to the Zyxel Device itself. By default:
The Security Policy allows only LAN or WAN computers to access or manage the Zyxel Device.
The Zyxel Device allows DHCP traffic from any interface to the Zyxel Device.
The Zyxel Device drops packets from the WAN zone to the Zyxel Device itself and generates a log, except for AH, ESP, GRE, HTTPS, IKE and NAT-T, which are allowed. Note that HTTPS is the management web interface, so unless a service control rule or a more specific To-Device policy restricts it, the login page is reachable from the WAN by default.
When you configure a Security Policy rule for packets destined for the Zyxel Device itself, make sure it does not conflict with your service control rule. For traffic destined for the Zyxel Device, the Zyxel Device checks the security policy first and only then the service control rules, so a packet that the security policy drops never reaches service control, and a packet that the security policy allows can still be rejected by service control.
A From Any To Device direction policy applies to traffic from an interface which is not in a zone.
Table 205 Directional Security Policy Behavior

FROM ZONE   TO ZONE                              BEHAVIOR
any         Device                               DHCP traffic from any interface to the Zyxel Device is allowed.
LAN1        any (other than the Zyxel Device)    Traffic from LAN1 to any of the networks connected to the Zyxel Device is allowed.
LAN2        any (other than the Zyxel Device)    Traffic from LAN2 to any of the networks connected to the Zyxel Device is allowed.
LAN1        Device                               Traffic from LAN1 to the Zyxel Device itself is allowed.
LAN2        Device                               Traffic from LAN2 to the Zyxel Device itself is allowed.
WAN         Device                               The default services listed under To-Device Policies are allowed from the WAN to the Zyxel Device itself. All other WAN to Zyxel Device traffic is dropped.
any         any                                  Traffic that does not match any Security Policy is dropped. This includes traffic from the WAN to any of the networks behind the Zyxel Device, and traffic to or from interfaces that are not assigned to a zone (extra-zone traffic).
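The behavior in Table 205, together with the stateful session handling and the security-policy-before-service-control ordering described above, can be checked against sample packets with the following model. This is an added illustration, not Zyxel code and not the device's actual rule engine: the zone names and the WAN-to-Device service list come from the guide, while the packet fields, the interface-to-zone map, the session-key format and the service control representation are assumptions made for this example.

```python
"""Model of the ZyWALL USG default directional security policy (Table 205).

Added illustration, not Zyxel code. Zone names and the To-Device service
list come from the guide; the packet fields, interface-to-zone map,
session keys and service control representation are assumptions.
"""
from dataclasses import dataclass

# Constructed interface -> zone map. "dmz1" is deliberately left out of every
# zone so that it exercises the extra-zone rule of Table 205.
INTERFACES = {"lan1": "LAN1", "lan2": "LAN2", "wan1": "WAN"}

# Services the default policy still accepts from the WAN to the device itself.
WAN_TO_DEVICE_ALLOWED = frozenset({"AH", "ESP", "GRE", "HTTPS", "IKE", "NAT-T"})


@dataclass(frozen=True)
class Packet:
    in_iface: str          # ingress interface, looked up in INTERFACES
    src: str
    dst: str
    service: str           # e.g. "HTTPS", "SSH", "DHCP"
    to_device: bool        # True when the destination is the Zyxel Device itself
    out_iface: str = ""    # egress interface for forwarded (not To-Device) traffic


class PolicyEngine:
    def __init__(self, service_control_deny=()):
        self.sessions = set()   # keys of sessions opened by permitted packets
        self.log = []           # log lines generated for WAN -> Device drops
        # Service control rules (assumed here to be a set of denied services)
        # are consulted only after the security policy has allowed a packet.
        self.service_control_deny = frozenset(service_control_deny)

    @staticmethod
    def zone_of(iface):
        return INTERFACES.get(iface)   # None: interface not assigned to a zone

    def evaluate(self, pkt):
        """Return "allow" or "drop" for pkt, updating the session table."""
        key = (pkt.src, pkt.dst, pkt.service)
        reply = (pkt.dst, pkt.src, pkt.service)
        # Stateful inspection: later packets and replies of a session that a
        # permitted packet opened are accepted without re-matching a rule.
        if key in self.sessions or reply in self.sessions:
            return "allow"
        from_zone = self.zone_of(pkt.in_iface)
        verdict = self._default_verdict(pkt, from_zone)
        if verdict == "allow" and pkt.to_device and pkt.service in self.service_control_deny:
            verdict = "drop"    # policy allowed it, service control then rejected it
        if verdict == "allow":
            self.sessions.add(key)
        return verdict

    def _default_verdict(self, pkt, from_zone):
        """Apply Table 205 to a packet that matched no existing session."""
        if pkt.to_device:
            if pkt.service == "DHCP":
                return "allow"                  # any interface -> Device
            if from_zone in ("LAN1", "LAN2"):
                return "allow"                  # LAN1/LAN2 -> Device
            if from_zone == "WAN":
                if pkt.service in WAN_TO_DEVICE_ALLOWED:
                    return "allow"
                self.log.append(f"drop WAN->Device {pkt.service} from {pkt.src}")
                return "drop"
            return "drop"                       # extra-zone interface -> Device
        to_zone = self.zone_of(pkt.out_iface)
        if from_zone in ("LAN1", "LAN2") and to_zone is not None:
            return "allow"                      # LAN1/LAN2 -> any connected network
        return "drop"                           # WAN inbound, extra-zone, or unmatched


if __name__ == "__main__":
    # Constructed sample traffic (addresses from documentation ranges).
    engine = PolicyEngine()
    samples = [
        Packet("lan1", "10.0.1.5", "203.0.113.9", "HTTPS", False, "wan1"),   # outbound
        Packet("wan1", "203.0.113.9", "10.0.1.5", "HTTPS", False, "lan1"),   # its reply
        Packet("wan1", "198.51.100.7", "10.0.1.5", "SSH", False, "lan1"),    # unsolicited
        Packet("wan1", "198.51.100.7", "203.0.113.1", "HTTPS", True),        # WAN -> GUI
        Packet("wan1", "198.51.100.7", "203.0.113.1", "SSH", True),          # WAN -> SSH
        Packet("dmz1", "0.0.0.0", "255.255.255.255", "DHCP", True),          # extra-zone DHCP
    ]
    for pkt in samples:
        print(f"{pkt.in_iface:>5} {pkt.service:<5} -> {engine.evaluate(pkt)}")
    print("log:", engine.log)
```

The stateful check runs before any directional rule, which is what makes the WAN-side reply to the LAN1-initiated HTTPS session pass while an unsolicited WAN-side SSH packet to the same host is dropped. Service control is applied only to packets the security policy has already allowed, matching the ordering the guide describes.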
