Security levels in a firewall, particularly in a Cisco ASA firewall, define the trust assigned to traffic originating from a specific interface. Higher security levels indicate greater trust.
Understanding Security Levels
The security level is a numerical value assigned to each interface on the firewall; it determines the default direction in which traffic is permitted to flow. This simplifies the creation of access rules, because traffic from a higher security level to a lower one is permitted without explicit configuration.
- Range: Security levels range from 0 to 100.
  - 100 (Highest): Represents the most trusted networks, typically the internal network.
  - 0 (Lowest): Represents the least trusted networks, usually the internet.
  - Intermediate Values: Used for networks with varying degrees of trust, such as DMZs (Demilitarized Zones).
- Default Behavior: By default, traffic can flow from a higher security level to a lower security level without any access lists. Return traffic for those connections is also permitted, because the firewall tracks connection state.
- Configuration: You must configure access lists to allow traffic to flow from a lower security level to a higher security level.
Example: Security Levels in a Typical Network
| Interface | Network | Security Level | Trust Level |
|---|---|---|---|
| Inside | Internal Network | 100 | Highest |
| DMZ | DMZ Network | 50 | Medium |
| Outside | Internet | 0 | Lowest |
In this example, the internal network (security level 100) is fully trusted, and traffic from the internal network can flow to the internet (security level 0) by default. The DMZ (security level 50) is somewhat trusted, more than the internet but less than the internal network.
Practical Implications
- Simplified Access Control: Security levels reduce the need for complex access lists to allow basic traffic flow.
- Default Deny: Traffic initiated from a lower security level to a higher security level is implicitly denied unless explicitly permitted via access lists.
- Flexibility: Allows network administrators to define trust boundaries within their network based on the sensitivity of the resources.
Configuring Security Levels (Conceptual)
While the exact configuration steps depend on the specific firewall model, the general process involves:
- Identifying the interfaces on the firewall.
- Assigning appropriate security levels to each interface based on the network connected to it.
- Configuring access lists to allow traffic from lower security level interfaces to higher security level interfaces, as needed.
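As an added example (not from the original page), the three-interface design in the table above written as Cisco ASA configuration. The physical interface names, all addresses (RFC 1918 and RFC 5737 documentation ranges) and the DMZ web server at 192.168.10.20 are assumptions chosen for illustration.

```text
! Added example: Cisco ASA configuration for the inside / DMZ / outside design.
! Interface names and all addresses are assumed for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0
!
! Higher -> lower (inside -> dmz, inside -> outside, dmz -> outside) needs no
! access list; the stateful engine also permits the matching return traffic.
!
! Lower -> higher (outside -> dmz) is denied unless an access list permits it.
! Only HTTPS to the assumed DMZ web server 192.168.10.20 is allowed here; every
! other flow arriving on the outside interface hits the implicit deny at the end.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.20 eq 443
access-group OUTSIDE_IN in interface outside
!
! Nothing permits dmz -> inside (50 -> 100), so a compromised DMZ host cannot
! open connections into the internal network; only replies to inside-initiated
! flows are passed back.
```

Bind access lists deliberately: once an access-group is applied inbound on an interface, that list's implicit deny governs all traffic entering it, including flows the security levels alone would have permitted.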
Summary
Security levels provide a simple yet effective way to manage traffic flow and enforce security policies on a firewall. By assigning trust levels to different network segments, administrators can easily control the direction of traffic and protect sensitive resources. The ASA assigns a security level to each interface to express how much traffic from that interface is trusted: level 100 is the most trusted and 0 is the least trusted. A common choice is 50 for a DMZ, since it is trusted more than internet traffic but less than internal traffic.