According to NIST SP 800-41 R1, a firewall is a device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.
Firewall Interfaces and Zones
A firewall has multiple network interfaces, each of which can be assigned to a zone. A security zone, or zone for short, is a collection of firewall interfaces that share the same security requirements. Traffic between zones is controlled by firewall policies.
A firewall interface connected to the internet is typically assigned to a zone named untrusted or public; one connected to the internal network is assigned to a trusted zone. The zone with security requirements between those of the untrusted zone and the trusted zone is called the demilitarized zone (DMZ).
The zone name doesn’t matter, but the firewall policies do. The networks connected to a firewall interface are not necessarily secure or trusted just because the interface’s zone is named “trusted”. Security is enforced by firewall policies.
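The point above, that policies rather than zone names provide the protection, shown as an added example (not part of the original page): a minimal first-match, default-deny zone policy evaluator run against two rule sets that use identical zone names. The interface names, zone names, ports and rules are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: interface names, zone names and rules are
# assumptions made for this example, not taken from any real device.
IFACE_ZONE = {"eth0": "untrusted", "eth1": "dmz", "eth2": "trusted"}
PORTS = [22, 443, 3389, 5432]  # destination ports to probe

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"

def evaluate(rules, in_iface, out_iface, port, iface_zone=IFACE_ZONE):
    """First matching rule between the two interfaces' zones wins; default deny."""
    src, dst = iface_zone[in_iface], iface_zone[out_iface]
    for r in rules:
        if (r.src_zone, r.dst_zone) == (src, dst) and r.port in (None, port):
            return r.action
    return "deny"  # no rule matched

def exposed_ports(rules, in_iface, out_iface, ports=PORTS):
    """Ports that traffic entering in_iface can reach behind out_iface."""
    return [p for p in ports if evaluate(rules, in_iface, out_iface, p) == "allow"]

# Policy A: the internet reaches only HTTPS in the DMZ, and the DMZ
# reaches only the database port in the internal zone.
STRICT = [
    Rule("untrusted", "dmz", 443, "allow"),
    Rule("dmz", "trusted", 5432, "allow"),
]
# Policy B: same zones, same names, plus one any-port rule into "trusted".
LOOSE = STRICT + [Rule("untrusted", "trusted", None, "allow")]

if __name__ == "__main__":
    for name, rules in (("strict", STRICT), ("loose", LOOSE)):
        print(name, "internet -> internal:", exposed_ports(rules, "eth0", "eth2"))
        print(name, "dmz -> internal:     ", exposed_ports(rules, "eth1", "eth2"))
```

The evaluator never inspects what a zone is called, so under the second rule set the zone named "trusted" is fully reachable from the internet-facing interface.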
A firewall connected to both the internet and the internal networks may lead to serious consequences once it is compromised: an attacker who has compromised the firewall has complete access to the internal networks.
As a result, some organizations may add another firewall as an extra tier or layer to mitigate the single point of failure in the previous case. If the first-tier firewall is compromised, the second-tier firewall still provides protection. This is a strategy of layered defense, or defense in depth.
Firewalls and Applications
It’s not uncommon to implement a tiered architecture of firewalls to support a multi-tiered application architecture (presentation, business logic, and data/persistence tiers). In the context of application architecture, a layer is a logical concern while a tier is a physical concern. An application can be divided into several logical subsystems, modules, or logical layers, but it can be deployed to several servers or physical tiers.
Layer vs Tier
IMO, the diagram from the Sybex CISSP Study Guide (OSG), as follows, implies that the OSG treats the number of tiers as the number of zones protected by firewalls (excluding the untrusted zone).