Introduction to the USG9000
At present, the USG9000 can work in three modes: routing mode, transparent mode, and composite mode.
- Routing mode: In routing mode, the USG9000 operates at Layer 3 for external connections, and every interface must be assigned an IP address. When the USG9000 sits between the internal network and the external network, the interfaces through which it connects to the internal and external networks must be configured with IP addresses on different network segments, and the network topology must be re-planned accordingly. In this case, the USG9000 serves as a router. As shown in Figure 2-1, the USG9000 connects to the internal network through an interface in the Trust zone and to the external network through an interface in the Untrust zone. Note that the interface in the Trust zone and the interface in the Untrust zone reside in two different subnets.
- Transparent mode: In transparent mode, the USG9000 operates at Layer 2 for external connections, and no interface may be assigned an IP address. The USG9000 is then transparent to the hosts in the subnets and to the routers; that is, users are unaware that the USG9000 exists. As shown in Figure 2-2, the USG9000 connects to the internal network through interfaces in the Trust zone and to the external network through interfaces in the Untrust zone. Note that the internal network and the external network must reside in the same subnet.
- Composite mode: If the USG9000 has both interfaces working in routing mode (interfaces with IP addresses) and interfaces working in transparent mode (interfaces without IP addresses), it is working in composite mode. Composite mode is used for dual-system hot backup in transparent mode: the interface on which VRRP is enabled must be configured with an IP address, while the other interfaces are not. Figure 2-3 shows a typical networking in composite mode.
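As an added example (not code from the USG9000 documentation or from Huawei), the following Python model derives the working mode from the interface configuration using the rules above and flags the consistency problems a reviewer would check before a change: a routing-mode Trust and Untrust interface on the same subnet, or a VRRP-enabled interface in composite mode without an IP address. The `Interface` class, the zone names and the sample addresses are constructed for this example.

```python
from dataclasses import dataclass
from ipaddress import ip_interface
from typing import List, Optional


@dataclass
class Interface:
    """A firewall interface (hypothetical model, not a USG9000 data structure)."""
    name: str
    zone: str                       # e.g. "trust" or "untrust"
    ip: Optional[str] = None        # "a.b.c.d/prefix"; None means a Layer 2 (transparent) interface
    vrrp_enabled: bool = False


def classify_mode(interfaces: List[Interface]) -> str:
    """Apply the page's rule: all interfaces addressed -> routing,
    none addressed -> transparent, a mix -> composite."""
    if not interfaces:
        raise ValueError("at least one interface is required")
    addressed = sum(1 for i in interfaces if i.ip is not None)
    if addressed == len(interfaces):
        return "routing"
    if addressed == 0:
        return "transparent"
    return "composite"


def check_mode_constraints(interfaces: List[Interface]) -> List[str]:
    """Return a list of human-readable problems; an empty list means consistent."""
    problems: List[str] = []
    mode = classify_mode(interfaces)

    if mode == "routing":
        # Routing mode: Trust-side and Untrust-side interfaces must be on different subnets.
        nets = {}
        for i in interfaces:
            nets.setdefault(i.zone, set()).add(ip_interface(i.ip).network)
        shared = nets.get("trust", set()) & nets.get("untrust", set())
        for net in sorted(shared, key=str):
            problems.append(f"routing mode: trust and untrust interfaces share subnet {net}")

    if mode == "composite":
        # Composite mode: an interface running VRRP must carry an IP address.
        for i in interfaces:
            if i.vrrp_enabled and i.ip is None:
                problems.append(f"composite mode: {i.name} runs VRRP but has no IP address")

    if mode == "transparent" and any(i.vrrp_enabled for i in interfaces):
        # VRRP needs an addressed interface, which transparent mode does not have.
        problems.append("transparent mode: VRRP enabled but no interface has an IP address")

    return problems


# Constructed sample configurations (addresses from documentation ranges).
ROUTING_OK = [
    Interface("GE1/0/1", "trust", "10.1.1.1/24"),
    Interface("GE1/0/2", "untrust", "203.0.113.1/24"),
]
ROUTING_BAD = [
    Interface("GE1/0/1", "trust", "10.1.1.1/24"),
    Interface("GE1/0/2", "untrust", "10.1.1.2/24"),   # same subnet as the trust side
]
TRANSPARENT = [
    Interface("GE1/0/1", "trust"),
    Interface("GE1/0/2", "untrust"),
]
COMPOSITE_OK = [
    Interface("GE1/0/1", "trust"),
    Interface("GE1/0/2", "untrust"),
    Interface("GE1/0/3", "heartbeat", "192.0.2.1/24", vrrp_enabled=True),
]
COMPOSITE_BAD = [
    Interface("GE1/0/1", "trust"),
    Interface("GE1/0/2", "untrust", "203.0.113.1/24"),
    Interface("GE1/0/3", "heartbeat", None, vrrp_enabled=True),   # VRRP without an address
]

if __name__ == "__main__":
    for label, cfg in [("routing", ROUTING_OK), ("routing-bad", ROUTING_BAD),
                       ("transparent", TRANSPARENT), ("composite", COMPOSITE_OK),
                       ("composite-bad", COMPOSITE_BAD)]:
        print(label, "->", classify_mode(cfg), check_mode_constraints(cfg))
```

The subnet check uses the `ipaddress` standard library so that prefixes are compared as networks rather than as strings; this matters when two addresses look different but fall in the same segment.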
Introduction to Security Zone
The zone is a concept introduced in the USG9000 and is one of the main features distinguishing the USG9000 from a router. On a router, the network security check is performed on interfaces, because the networks connected to each interface are treated as equal in security; that is, a router draws no clear distinction between internal and external networks. As a result, a data stream passing through a router in one direction may be checked twice, once on the inbound interface and once on the outbound interface, to satisfy the separate security definitions on each interface. The USG9000's situation is different: internal networks and external networks are clearly defined, and the USG9000 protects the internal networks from illegal intrusion from the external networks. When a data stream passes through a USG9000 device, the security operation triggered depends on the direction of the stream, so checking the security policy per interface is not suitable on the USG9000. The USG9000 therefore introduces the concept of the security zone. A security zone consists of one or more interfaces with the same security level. The features of security zones are as follows:
- The security level is denoted by an integer in the range 1 to 100; the greater the number, the higher the security level.
- No two zones can have the same security level.
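As an added example (not code from the USG9000 documentation or from Huawei), the following Python model enforces the two zone rules above, levels in 1 to 100 and no two zones sharing a level, binds interfaces to zones, and classifies a stream's direction by comparing the security levels of the inbound and outbound zones. The zone names and levels, the `ZoneTable` class and the rule that a stream from a lower-level zone to a higher-level zone is "inbound" (and the reverse "outbound") are assumptions made for this example; the page states only that the triggered operation depends on direction.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class SecurityZone:
    name: str
    level: int   # 1..100, greater means higher security


class ZoneTable:
    """Hypothetical zone registry enforcing the page's two zone rules."""

    def __init__(self) -> None:
        self._zones: Dict[str, SecurityZone] = {}
        self._level_owner: Dict[int, str] = {}      # level -> zone name, to keep levels unique
        self._iface_zone: Dict[str, str] = {}       # interface -> zone name

    def add_zone(self, name: str, level: int) -> SecurityZone:
        if not 1 <= level <= 100:
            raise ValueError(f"security level {level} is outside 1..100")
        if name in self._zones:
            raise ValueError(f"zone {name} already exists")
        if level in self._level_owner:
            raise ValueError(f"level {level} is already used by zone {self._level_owner[level]}")
        zone = SecurityZone(name, level)
        self._zones[name] = zone
        self._level_owner[level] = name
        return zone

    def add_interface(self, iface: str, zone: str) -> None:
        if zone not in self._zones:
            raise KeyError(f"unknown zone {zone}")
        if iface in self._iface_zone:
            raise ValueError(f"{iface} already belongs to zone {self._iface_zone[iface]}")
        self._iface_zone[iface] = zone

    def zone_of(self, iface: str) -> SecurityZone:
        return self._zones[self._iface_zone[iface]]

    def direction(self, in_iface: str, out_iface: str) -> str:
        """Assumed convention: lower -> higher security level is 'inbound',
        higher -> lower is 'outbound'. Equal levels can only mean the same zone,
        because levels are unique."""
        src, dst = self.zone_of(in_iface), self.zone_of(out_iface)
        if src.level < dst.level:
            return "inbound"
        if src.level > dst.level:
            return "outbound"
        return "intra-zone"


def build_example_table() -> ZoneTable:
    """Constructed sample: four zones and three interfaces."""
    t = ZoneTable()
    t.add_zone("local", 100)
    t.add_zone("trust", 85)
    t.add_zone("dmz", 50)
    t.add_zone("untrust", 5)
    t.add_interface("GE1/0/1", "trust")
    t.add_interface("GE1/0/2", "untrust")
    t.add_interface("GE1/0/3", "dmz")
    return t


if __name__ == "__main__":
    table = build_example_table()
    print("GE1/0/1 -> GE1/0/2:", table.direction("GE1/0/1", "GE1/0/2"))
    print("GE1/0/2 -> GE1/0/3:", table.direction("GE1/0/2", "GE1/0/3"))
    try:
        table.add_zone("partner", 85)   # rejected: level already taken by trust
    except ValueError as exc:
        print("rejected:", exc)
```

Keeping levels unique is what makes the direction lookup unambiguous: since no two zones share a level, comparing levels always yields a definite inbound or outbound answer for inter-zone traffic.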