First Published: Nov 5, 2009
Last updated: Jan 27, 2018
5-Zone Allocation (BTC standard since May 2015)
- WAN - Internet (ISP line)
- LAN - private corporate network (incl. wifi), authorized nodes only
- Restricted - no Internet
  - 1-way managed from LAN, but NOT to LAN
  - e.g.: SMBv1 legacy printers/scanners/servers/clients, POS (on-prem)
  - OPTIONAL: segmented VLAN
- IoT - Cloud-only, opposite of #3
  - SIP phone sys, surveillance cam, doorbell, timeclock (hosted)
  - full Internet access for devices
  - OPTIONAL: isolated/segmented VLAN
- Public - Internet, completely independent from other zones
  - OPTIONAL: isolated VLAN
  - guest wifi & conference room ethernet
  - outbound-only, zero inbound/fwd
Optional: Zone ZERO
- topologically in front of perimeter router, as peer
- requires subscription $$$ for a block of static public IPs
  - or be granted concurrent DHCP global addresses ($$?/legacy plan)
  - unless you have DIA (business class fiber service)
- suitable for multi-tenant scenarios (within business suite/campus)
  - e.g. independent attorney leasing a cubicle from a CPA firm, temp contract workers, etc.
  - they require unfettered inbound access under their full control, hence #5 above is unacceptable
At-a-Glance

| | LAN | Restricted | IoT | Public |
|---|---|---|---|---|
| Outbound Internet | full | none | throttled | censored |
| Inbound Internet | fwd & VPN | none | DMZ | none |
| Manage from LAN | | yes | yes | no |
| Access LAN Nodes | full | none | none | none |
| Cross-Zone traffic | selected | none | none | none |
| DHCP | reserved | static | policy? | yes |
| VLAN (optional) | no | segmented | segmented | isolated |
| Authorization | staff+ | legacy/special | @provision | wpa/@conf |
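The zone rules above and the At-a-Glance table are easy to get subtly wrong when typed into a firewall GUI one rule at a time. The following is an added example (not part of the original notes, and not any vendor's code) that encodes the 5-zone policy as a small src->dst "may initiate" matrix, checks it against the invariants the notes state (Restricted has no Internet, nothing but LAN reaches LAN, no cross-zone traffic, zero inbound for Restricted and Public), and renders it as a default-deny nftables forward chain. Interface names (eth0..eth4), the guest port allowlist for "censored", and the 5 mbytes/second IoT throttle figure are constructed assumptions for illustration; the notes say the model applies equally to pfSense, OPNsense, SWX, Cisco, etc., so the rendered ruleset is only one possible target.

```python
"""Policy-as-code model of the 5-zone allocation and At-a-Glance table above.

Added example, not part of the original notes. Zone names follow the notes;
interface names, the guest port allowlist and the IoT rate figure are
constructed assumptions for illustration.
"""
from itertools import product

ZONES = ("WAN", "LAN", "Restricted", "IoT", "Public")

# Interface per zone: constructed names, adjust to the real box.
IFACE = {"WAN": "eth0", "LAN": "eth1", "Restricted": "eth2",
         "IoT": "eth3", "Public": "eth4"}

# Which zone may *initiate* a new connection into which other zone.
# Anything absent here is dropped; replies ride on connection tracking.
INITIATE = {
    ("LAN", "WAN"): "accept",              # LAN: full outbound Internet
    ("LAN", "Restricted"): "accept",       # 1-way management from LAN
    ("LAN", "IoT"): "accept",              # manage IoT from LAN
    ("IoT", "WAN"): "accept-throttled",    # cloud-only devices, throttled
    ("Public", "WAN"): "accept-filtered",  # guest: outbound-only, censored
    ("WAN", "LAN"): "dnat-only",           # port-forwards & VPN endpoints only
    ("WAN", "IoT"): "dnat-only",           # DMZ-style forwards only
}


def verdict(src: str, dst: str) -> str:
    """Policy verdict for a *new* connection from zone src to zone dst."""
    if src not in ZONES or dst not in ZONES:
        raise ValueError(f"unknown zone in {src!r} -> {dst!r}")
    if src == dst:
        return "intra-zone"  # handled by the switch/VLAN, not the firewall
    return INITIATE.get((src, dst), "drop")


def policy_matrix() -> dict:
    """Every src->dst pair with its verdict; useful for review or diffing."""
    return {(s, d): verdict(s, d) for s, d in product(ZONES, repeat=2) if s != d}


def check_invariants() -> list:
    """Invariants the notes state; returns the violated ones (empty = OK)."""
    problems = []
    for z in ("Restricted", "IoT", "Public"):       # "Access LAN Nodes: none"
        if verdict(z, "LAN") != "drop":
            problems.append(f"{z} must not reach LAN")
    if verdict("Restricted", "WAN") != "drop":      # "Restricted - no Internet"
        problems.append("Restricted must have no Internet")
    for z in ("Restricted", "Public"):              # "Inbound Internet: none"
        if verdict("WAN", z) != "drop":
            problems.append(f"{z} must have zero inbound")
    for a, b in product(("Restricted", "IoT", "Public"), repeat=2):
        if a != b and verdict(a, b) != "drop":      # "Cross-Zone traffic: none"
            problems.append(f"no cross-zone traffic {a} -> {b}")
    return problems


def nft_rules() -> str:
    """Render the matrix as an nftables forward chain (default-deny)."""
    out = [
        "table inet zones {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for (s, d), v in sorted(policy_matrix().items()):
        if v == "drop":
            continue  # the chain policy already drops it; keep the ruleset short
        base = f"    iifname {IFACE[s]} oifname {IFACE[d]} ct state new"
        if v == "accept":
            out.append(f"{base} accept")
        elif v == "accept-throttled":
            # crude throttle (assumed figure); a real shaper belongs in tc/ALTQ
            out.append(f"{base} limit rate over 5 mbytes/second drop")
            out.append(f"{base} accept")
        elif v == "accept-filtered":
            # guest allowlist is an assumption: DNS and web only
            out.append(f"{base} meta l4proto {{tcp, udp}} th dport {{53, 80, 443}} accept")
        elif v == "dnat-only":
            # only traffic that already matched a port-forward (DNAT) gets in
            out.append(f"{base} ct status dnat accept")
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print("violations:", check_invariants() or "none")
    print(nft_rules())
```

The matrix lists only who may open a connection; replies are admitted by connection tracking, which is what makes "1-way managed from LAN" a single entry rather than two. Because the chain policy is drop, every pair absent from INITIATE (Restricted to WAN, anything to LAN, all cross-zone pairs) needs no rule at all, and check_invariants() is the place to add any further rule the notes imply before the ruleset is loaded.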
3-Zone Allocation (practical minimum)
- WAN - Internet
- LAN - private corporate network, authorized nodes only
- DMZ - all non-LAN
  - web/ftp servers
  - IoT, SIP VoIP, sec cam
  - Guest wifi, conf rm Ethernet
2-Zone Allocation (unacceptable)
- WAN - Internet
- LAN - everything
NOTE: This is equally applicable to pfSense, OPNsense, SWX, Cisco, etc.