6.2. Zones

Zones describe and map the networking environment on IP level. IP addresses are grouped into zones; the access policies of PNS operate on these zones. Zones specify segments of the network from which traffic can be received (source), or sent to (destination), through the firewall. Zones in PNS can contain:

  • IP networks,

  • subnets,

  • individual IP addresses, and

  • hostnames.

Zone management is handled by the zone-helper daemon (vela-zone-helper). vela-zone-helper is responsible for maintaining zone address information in the traffic classification subsystem and for updating the dynamic address information of hostname-based zones.

The actual implementation of a zone hierarchy depends on the network environment, the placement and the role of PNS firewalls, the security policy, and so on.

The Internet zone, which covers all possible IP addresses, is defined on every site by default. If an IP address is not included in any user-defined zone, it belongs to the Internet zone. PNS policies permit traffic between two or more zones, so at least one other zone, for example the intranet, has to be created. Usually a special zone called the demilitarized zone (DMZ) is defined for servers reachable from the Internet.

Zones in PNS can form a hierarchy, where a zone may contain many subzones, each of which may have further subzones nested within it. The created zone structure can be represented as a tree. This hierarchy is purely administrative and independent of the IP addresses defined in the zones themselves: for example, a zone that contains the 192.168.7.0/24 subnet can have a subzone with IP addresses from the 10.0.0.0/8 range.

A network can belong to a single zone only; otherwise the zone of the IP addresses in the affected network would be ambiguous.

The zone hierarchy is independent from the subnetting practices of the company or the physical layout of the network, and can follow arbitrary logic. The zone hierarchy applies to every host of a site.
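The following added example (not PNS code, and not the vela-zone-helper's own logic) models the rules described above in plain Python: an administrative tree that is independent of addresses, a network that may belong to only one zone, and a fallback to the Internet zone for unmatched addresses. The `Zone`, `ZoneTable` and `build_example` names are hypothetical, and matching the most specific (longest-prefix) network is an assumption, not something the section states.

```python
import ipaddress

class Zone:
    """A named zone: its networks plus an administrative parent (hypothetical model)."""
    def __init__(self, name, networks=(), parent=None):
        self.name = name
        self.networks = [ipaddress.ip_network(n) for n in networks]
        self.parent = parent        # administrative link only, says nothing about addresses

    def admin_path(self):
        # Zone names from the root of the administrative tree down to this zone.
        zone, path = self, []
        while zone is not None:
            path.append(zone.name)
            zone = zone.parent
        return path[::-1]

class ZoneTable:
    """Maps addresses to zones; anything matched by no user zone is 'internet'."""
    def __init__(self):
        self.internet = Zone("internet")   # implicit catch-all for unmatched addresses
        self.entries = []                  # (network, zone) pairs

    def add(self, zone):
        for net in zone.networks:
            for existing, owner in self.entries:
                if existing == net:        # a network may belong to one zone only
                    raise ValueError(f"{net} already belongs to zone {owner.name!r}")
            self.entries.append((net, zone))
        return zone

    def classify(self, addr):
        # Most specific (longest prefix) containing network wins; assumed, not from the page.
        ip = ipaddress.ip_address(addr)
        best = None
        for net, zone in self.entries:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, zone)
        return best[1] if best else self.internet

def build_example():
    # Constructed sample: 192.168.7.0/24 zone whose administrative child holds 10.0.0.0/8.
    table = ZoneTable()
    intranet = table.add(Zone("intranet", ["192.168.7.0/24"]))
    table.add(Zone("branch", ["10.0.0.0/8"], parent=intranet))
    table.add(Zone("dmz", ["203.0.113.0/24"]))
    return table
```

Adding a second zone with the same 10.0.0.0/8 network raises an error, which is the ambiguity the single-zone rule prevents.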

Note

Subnets can be used directly in PNS configurations; it is not necessary to include them in a zone.

Note

It is recommended to follow the logic of the network implementation when defining zones, because this approach leads to the most flexible firewall administration. Plan and document the zone hierarchy thoroughly and keep it up-to-date. An effective and usable zone topology is essential for successful PNS administration.