Compliance Zones

Compliance zones must be configured before the Allowed Service and Service Risk Analysis controls can be used. These controls check whether a service is allowed from one network zone to another. Compliance zones are not the same as your firewall zones; they are used in Security Manager to define the security areas of your network.

A compliance zone is a label applied to one or more interfaces that designates them as a security area within a network. The devices in a zone share characteristics that allow them to be grouped together so that only traffic satisfying certain policy restrictions can enter or exit the zone. Multiple interfaces can be bound to one zone, but a single interface can be tied to only one zone. Security Manager imports zone information from your network.

The Security Intelligence Platform manages two categories of zones: compliance zones, which are groups of devices that all must meet the same compliance requirements, such as a zone of devices on a network for a hospital that must meet HIPAA requirements, and firewall zones, which are defined in the firewall itself and can be viewed in Security Manager.

Several reports use zone definitions as an integral analysis component, including the PCI Report. As such, zones must be defined with network IP addresses to produce accurate report results.

The Security Intelligence Platform installs with zones that must be defined. To define a zone is to add the IP addresses of the interfaces that make up the boundaries of that network zone.

Security Manager installs with the virtual and system zones listed below. You can also create your own zone and then define it.

Note that:

  • Zones can be defined at the enterprise or customer domain level (for MSSPs).
  • A zone can be a collection of network objects (networks, hosts, groups, etc.)
  • A zone does not contain other zones.
  • Zones should not overlap with other zones.
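The rules above (a zone is a collection of network objects, zones do not nest, zones do not overlap) and the purpose stated at the top of the page (controls check whether a service is allowed from one zone to another) can be modelled and checked outside the product. The following Python is an added example and not FireMon code: the zone names reuse the system zone names from this page, but the address ranges, the allowed-service matrix, and the `find_overlaps`, `zone_of` and `check_rule` functions are constructed for illustration. It also covers a case the page only implies, an address that falls in no defined zone.

```python
"""Added example (not FireMon code): model compliance zones as sets of
network segments, verify the zones neither overlap nor contain each other,
and resolve a rule's source and destination to zones so that a
zone-to-zone allowed-service check can be evaluated.
Zone address ranges, the allowed-service matrix and the rules are constructed."""
import ipaddress

# Constructed zone definitions: zone name -> list of network segments.
# Names mirror system zones on the page; the address ranges are illustrative.
ZONES = {
    "Internal": ["10.0.0.0/16"],
    "DMZ": ["192.0.2.0/24"],
    "ePHI": ["10.1.0.0/16"],
}

# Constructed allowed-service matrix: (src_zone, dst_zone) -> allowed "proto/port".
# Any zone pair not listed allows nothing.
ALLOWED = {
    ("DMZ", "Internal"): {"tcp/443"},
    ("Internal", "ePHI"): {"tcp/443", "tcp/1433"},
}


def parse_zones(zones):
    """Turn CIDR strings into ip_network objects, zone by zone."""
    return {name: [ipaddress.ip_network(n) for n in nets]
            for name, nets in zones.items()}


def find_overlaps(zones):
    """Return (zone_a, net_a, zone_b, net_b) for every pair of segments in
    different zones that overlap. ip_network.overlaps() is also true when
    one segment contains the other, so nested zones are reported as well."""
    items = [(z, n) for z, nets in parse_zones(zones).items() for n in nets]
    overlaps = []
    for i, (za, na) in enumerate(items):
        for zb, nb in items[i + 1:]:
            if za != zb and na.overlaps(nb):
                overlaps.append((za, str(na), zb, str(nb)))
    return overlaps


def zone_of(address, zones):
    """Map a host address to the zone whose segments contain it.
    None means the address lies in no defined zone (an undefined segment)."""
    ip = ipaddress.ip_address(address)
    for name, nets in parse_zones(zones).items():
        if any(ip in n for n in nets):
            return name
    return None


def check_rule(src, dst, service, zones=ZONES, allowed=ALLOWED):
    """Evaluate one rule (source host, destination host, service) against
    the zone matrix. Returns (verdict, src_zone, dst_zone)."""
    src_zone, dst_zone = zone_of(src, zones), zone_of(dst, zones)
    if src_zone is None or dst_zone is None:
        # Traffic cannot be classified: a segment was never assigned to a zone.
        return ("undefined-zone", src_zone, dst_zone)
    if src_zone == dst_zone:
        # Zone-to-zone controls only concern traffic crossing a zone boundary.
        return ("intra-zone", src_zone, dst_zone)
    if service in allowed.get((src_zone, dst_zone), set()):
        return ("allowed", src_zone, dst_zone)
    return ("violation", src_zone, dst_zone)


if __name__ == "__main__":
    # Constructed rules to evaluate (source, destination, service).
    rules = [
        ("192.0.2.10", "10.0.0.5", "tcp/443"),   # DMZ -> Internal, permitted
        ("192.0.2.10", "10.1.0.5", "tcp/22"),    # DMZ -> ePHI, not permitted
        ("203.0.113.9", "10.0.0.5", "tcp/443"),  # source in no defined zone
    ]
    print("overlapping segments:", find_overlaps(ZONES))
    for rule in rules:
        print(rule, "->", check_rule(*rule))
```

`find_overlaps` flags both partial overlaps and one segment containing another, which covers both "zones should not overlap" and "a zone does not contain other zones". A `None` from `zone_of` is the case the report warning above refers to: if a segment was never assigned to a zone, a zone-to-zone control cannot classify its traffic at all, so the result is neither a pass nor a violation.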
Types of Compliance Zones

Zone         Kind           Function
All          Virtual zone
Any          Virtual zone
External     System zone    Outside of the network.
Internal     System zone    Inside the network.
DMZ          System zone    Demilitarized zone.
BES          System zone    Bulk Electric System cyber systems.
ICS          System zone    Industrial Control System zones for DMZ, internal, and external.
PCI          System zone    Payment Card Industry zones for management, network, and wireless network.
Partner      System zone    Used for third-party compliance.
Unused Zone  System zone    Zones within the network that are not being used.
ePHI         System zone    Electronic Protected Health Information.

Virtual zones: you can only edit the color.

System zones: you can only manage network segments and edit the color.

Open the Compliance Zones Page

To open the Compliance Zones page, on the toolbar, click FireMon Objects > Compliance Zones.

Compliance Zones List

The following table defines the values in the Compliance Zones table. By default the list is sorted ascending by Name; it can also be sorted by Description.

Value             Description
Name              The name given to the zone.
Description       A description of the zone.
Network Segments  The number of network segments assigned to the zone.
Action            Menu with options for tasks to complete at the compliance zone level.