Currently, all Layer 2 security devices (e.g., security gateways) utilize a concept of a “security zone” that operates within a single device. FIG. 1 illustrates a traditional security zone with its associated security gateway (e.g., a firewall). The security gateway implements the security zone by performing zone security screening and protection on the network traffic. As part of the zone security screening, the security gateway determines whether the network traffic coming in on one of its ingress physical ports is from a trusted or untrusted source and whether it is going out on one of its egress physical ports to a trusted or untrusted destination. Based on these determinations, the security gateway applies a policy to determine whether the network traffic should be allowed to proceed to its destination.
The current security zone architecture is deficient for a number of reasons when used in a distributed network environment in which network traffic is passed between different network devices. For example, the current L2 security zone concept has no knowledge that the hosts may not be local, and hence it may need another software layer to determine the packet egress path to those hosts. Furthermore, by looking at the security session information, the user/administrator has no way to know where the host is located. Lastly, the user/administrator does not have a way to define a security policy across devices for finer security control. For example, the administrator cannot define an inter-device L2 security zone policy.
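The following is an added illustration, not part of the original description or any vendor's implementation, of the single-device zone model described above and of the gap it leaves in a distributed environment. Zone names, port names, and the (ingress trust, egress trust) policy table are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum


class Trust(Enum):
    TRUSTED = "trusted"
    UNTRUSTED = "untrusted"


@dataclass(frozen=True)
class Zone:
    """A traditional L2 security zone: a trust level bound to a set of
    physical ports on ONE gateway. It has no notion of remote devices."""
    name: str
    trust: Trust
    ports: frozenset


class SecurityGateway:
    """Zone security screening keyed on the trust of the ingress and egress
    ports, as the single-device model does. Anything not reachable through a
    local port cannot be placed in a zone, which is the distributed-network
    limitation the text describes."""

    def __init__(self, zones, policy, default="deny"):
        self.zones = zones
        self.policy = policy      # {(ingress Trust, egress Trust): "allow"|"deny"}
        self.default = default    # applied when the trust pair has no explicit rule

    def zone_for_port(self, port):
        return next((z for z in self.zones if port in z.ports), None)

    def screen(self, ingress_port, egress_port):
        src, dst = self.zone_for_port(ingress_port), self.zone_for_port(egress_port)
        if src is None or dst is None:
            # Host is behind another device: the zone lookup fails and another
            # layer would have to resolve the egress path and trust level.
            return "unknown-zone"
        return self.policy.get((src.trust, dst.trust), self.default)


def build_example_gateway():
    # Constructed sample: two local zones and a policy that allows traffic
    # originating inside the trusted zone only.
    zones = [
        Zone("lan", Trust.TRUSTED, frozenset({"ge-0/0/0", "ge-0/0/1"})),
        Zone("wan", Trust.UNTRUSTED, frozenset({"ge-0/0/2"})),
    ]
    policy = {(Trust.TRUSTED, Trust.UNTRUSTED): "allow",
              (Trust.TRUSTED, Trust.TRUSTED): "allow",
              (Trust.UNTRUSTED, Trust.TRUSTED): "deny"}
    return SecurityGateway(zones, policy)
```

A screening decision for an egress port that belongs to a different device (e.g., the constructed name "remote-gw:ge-0/0/5") yields "unknown-zone" rather than a policy verdict, since the policy table has no inter-device entry to consult.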