N10-009 | Chapter 120 of 163 | Objective 4.2

Network Segmentation and DMZ Architecture

This chapter covers network segmentation and DMZ architecture, two foundational security controls tested on the CompTIA Network+ N10-009 exam under Objective 4.2 (Network Security). You will learn how to isolate network zones using VLANs, subnets, and firewalls to protect sensitive assets while allowing controlled access to public services. Approximately 10-15% of exam questions touch on segmentation concepts, making this a high-yield topic that requires understanding both theory and practical implementation.

25 min read
Intermediate
Updated May 31, 2026

The Embassy Compound Network Security Model

A DMZ architecture is like an embassy compound. The embassy building itself (internal network) holds sensitive documents and personnel. The public-facing reception area and visa processing center (DMZ) are separate buildings within the compound, accessible from outside but isolated from the main embassy. Visitors (internet traffic) can only enter the reception area; they never walk into the main building. The compound gate (firewall) has two checkpoints: one from the street to the reception area, and another from the reception area to the main building. If a visitor tries to bypass the reception and go directly to the main building, the inner guard stops them. Similarly, if someone inside the main building tries to walk out to the street without going through the reception, the outer guard stops them. The reception area has its own security cameras and locks (separate security controls) but contains no classified documents. This layered isolation ensures that even if the reception area is compromised, the main building remains secure. The key mechanism is that the DMZ is neither fully trusted (internal) nor fully untrusted (external) – it is a buffer zone with strict access controls between zones.

How It Actually Works

What is Network Segmentation and Why Does It Exist?

Network segmentation is the practice of dividing a computer network into smaller, isolated subnetworks (segments) to improve performance, manageability, and security. On the N10-009 exam, segmentation is primarily a security control: it limits the blast radius of a breach by preventing lateral movement. If an attacker compromises a host in one segment, they cannot freely access hosts in other segments unless explicit firewall rules allow it.

Segmentation is achieved through several technologies:

- VLANs (IEEE 802.1Q) – Logical separation at Layer 2. Each VLAN is a separate broadcast domain. Traffic between VLANs must be routed (Layer 3) or firewalled.
- Subnetting – Logical IP address division. Devices on different subnets cannot communicate directly without a router or a Layer 3 switch.
- Firewalls – Enforce access control policies between segments. They can be stateful, next-generation, or ACLs on routers.
- Physical separation – Using separate switches or routers for each segment (rare in modern networks due to cost).

How Segmentation Works Internally

Consider a typical three-tier network: internal (trusted), DMZ (semi-trusted), and external (untrusted).

1. VLAN Assignment: Each zone is assigned a unique VLAN ID. For example:

   - VLAN 10 – Internal (192.168.1.0/24)
   - VLAN 20 – DMZ (10.0.20.0/24)
   - VLAN 30 – Guest Wi-Fi (172.16.30.0/24)

2. Trunking: Switches use trunk ports (802.1Q) to carry multiple VLANs between switches and to the firewall. The firewall receives tagged frames and applies policies based on the VLAN tag.

3. Routing and Firewalling: A firewall (or Layer 3 switch with ACLs) acts as the gateway for each subnet. It inspects packets and applies rules:

   - Allow HTTP/HTTPS from external to the DMZ web server.
   - Allow the DMZ web server to initiate outbound connections to the internal database server (specific ports only).
   - Deny all other traffic from DMZ to internal.
   - Allow internal users to access the internet via NAT.

4. Default-Deny Policy: The firewall's implicit rule is to deny all traffic that does not match an explicit permit rule. This is critical for security.

Key Components, Values, and Defaults

VLAN IDs: 1-4094 (0 and 4095 reserved). VLAN 1 is the default VLAN – a security best practice is to change the native VLAN on trunk ports to an unused VLAN (e.g., VLAN 999) to prevent VLAN hopping attacks.

Subnet Masks: Common segmentation uses /24 (255.255.255.0) for each segment, but /28 or /29 may be used for small DMZs.

Firewall Defaults: Most firewalls have an implicit deny-all at the end of the rule base. For example, a Cisco ASA with default configuration has `access-list global_acl extended deny ip any any`.

Stateful Inspection: Firewalls track connection state. For TCP, they allow return traffic only if a corresponding outbound connection exists (using the state table). Default timeout for TCP sessions is typically 60 minutes (Cisco ASA) or 300 seconds (iptables).

Configuration and Verification Commands

Cisco Switch VLAN Configuration:

Switch> enable
Switch# configure terminal
Switch(config)# vlan 10
Switch(config-vlan)# name Internal
Switch(config-vlan)# vlan 20
Switch(config-vlan)# name DMZ
Switch(config-vlan)# vlan 30
Switch(config-vlan)# name Guest
Switch(config-vlan)# vlan 999
Switch(config-vlan)# name Native_Unused
Switch(config-vlan)# exit
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# exit
Switch(config)# interface gigabitethernet 0/2
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20,30
Switch(config-if)# switchport trunk native vlan 999
Switch(config-if)# end
Switch# write memory

Verification:

Switch# show vlan brief
Switch# show interfaces trunk
Switch# show running-config | section interface GigabitEthernet0/2

Firewall Rule (Cisco ASA example):

access-list OUTSIDE_IN extended permit tcp any host 10.0.20.10 eq 80
access-list OUTSIDE_IN extended permit tcp any host 10.0.20.10 eq 443
access-group OUTSIDE_IN in interface outside
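The following is an added example, not part of this chapter and not a vendor tool: a small Python audit script that parses a running-config in the same IOS-style form as the switch configuration above and reports the segmentation pitfalls the chapter warns about (a trunk left on default native VLAN 1, a native VLAN that is carried in the trunk's allowed list, an access port left on VLAN 1, allowed VLANs that are not defined on the switch, and two zones mapped to the same VLAN). The sample config, its interface names and the zone-to-VLAN mapping in the test are constructed for illustration; the parser handles only the plain `switchport trunk allowed vlan <list>` form, not the `add`/`remove` variants.

```python
import re
from collections import defaultdict

# Constructed sample in running-config form (not output from a real device).
SAMPLE_CONFIG = """\
vlan 10
 name Internal
vlan 20
 name DMZ
!
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport trunk native vlan 999
!
interface GigabitEthernet0/3
 switchport mode trunk
 switchport trunk allowed vlan 1,10,20
!
interface GigabitEthernet0/4
 switchport mode access
!
"""


def expand_vlan_list(spec: str):
    """'1,10-12,20' -> {1, 10, 11, 12, 20}; 'all' -> None (no restriction)."""
    if spec == "all":
        return None
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_config(text: str):
    """Return (defined VLAN ids, {interface: settings}) with IOS defaults filled in."""
    defined = {1}  # VLAN 1 always exists on a Cisco switch and cannot be deleted
    interfaces, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" ") and (m := re.match(r"vlan (\d+)$", line)):
            defined.add(int(m.group(1)))
            cur = None
        elif m := re.match(r"interface (\S+)$", line):
            # Defaults: access VLAN 1, native VLAN 1, every VLAN allowed on a trunk.
            cur = interfaces.setdefault(m.group(1), {"mode": None, "access": 1, "native": 1, "allowed": None})
        elif cur is None:
            continue
        elif m := re.match(r"switchport mode (access|trunk)$", line):
            cur["mode"] = m.group(1)
        elif m := re.match(r"switchport access vlan (\d+)$", line):
            cur["access"] = int(m.group(1))
        elif m := re.match(r"switchport trunk native vlan (\d+)$", line):
            cur["native"] = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan ([\d,\-]+|all)$", line):
            cur["allowed"] = expand_vlan_list(m.group(1))
    return defined, interfaces


def audit(text: str):
    """List the segmentation pitfalls from this chapter that the config exhibits."""
    defined, interfaces = parse_config(text)
    findings = []
    for name, cfg in interfaces.items():
        if cfg["mode"] == "trunk":
            if cfg["native"] == 1:
                findings.append(f"{name}: trunk still uses default native VLAN 1 (VLAN hopping risk)")
            if cfg["allowed"] is None or cfg["native"] in cfg["allowed"]:
                findings.append(f"{name}: native VLAN {cfg['native']} is carried on the trunk; it should be an unused VLAN")
            for vid in sorted(cfg["allowed"] or ()):
                if vid not in defined:
                    findings.append(f"{name}: allowed VLAN {vid} is not defined on this switch")
        elif cfg["mode"] == "access":
            if cfg["access"] == 1:
                findings.append(f"{name}: access port left on default VLAN 1")
        else:
            findings.append(f"{name}: switchport mode not set (many Catalyst models default to DTP dynamic auto)")
    return findings


def check_zone_vlans(zone_vlans: dict):
    """Flag zones that share a VLAN, which defeats segmentation entirely."""
    by_vlan = defaultdict(list)
    for zone, vid in zone_vlans.items():
        by_vlan[vid].append(zone)
    return [f"VLAN {vid} is shared by zones {', '.join(zones)}" for vid, zones in by_vlan.items() if len(zones) > 1]
```

Run `audit(SAMPLE_CONFIG)` and the script reports nothing for GigabitEthernet0/1, the undefined VLAN 30 on GigabitEthernet0/2, two findings for the trunk on GigabitEthernet0/3, and the default-VLAN access port on GigabitEthernet0/4; feeding it the `show running-config` output of a real switch is the same call.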

Interaction with Related Technologies

NAT: Often used on the external interface to translate private DMZ IPs to public IPs. The firewall performs NAT before routing.

VPN: Remote access VPNs terminate in the DMZ or on the firewall itself. The VPN concentrator is placed in the DMZ so that encrypted traffic enters the DMZ first, then is inspected before going internal.

IDS/IPS: Often placed in the DMZ to monitor traffic between zones. A network tap or SPAN port sends copies of traffic to the IDS.

Load Balancers: Placed in the DMZ to distribute traffic to multiple web servers. They also perform SSL termination, reducing load on backend servers.

DMZ Architecture Variants

Single Firewall (Three-Legged): One firewall with three interfaces – outside, DMZ, inside. Traffic between zones must pass through the firewall. This is common for small-to-medium businesses.

Dual Firewall (Screened Subnet): Two firewalls – one between internet and DMZ (external firewall) and one between DMZ and internal network (internal firewall). The DMZ sits between them. This is more secure because even if the external firewall is compromised, the internal firewall still protects the internal network. The exam expects you to know that a dual firewall DMZ is called a screened subnet.

Common Pitfalls

Allowing DMZ-to-Internal initiated traffic without restriction: This is a common misconfiguration. DMZ hosts should only be able to initiate connections to internal hosts if absolutely necessary, and only on specific ports (e.g., database port 3306 to a specific internal DB server).

Using the same VLAN for DMZ and internal: This negates segmentation. Always use separate VLANs and subnets.

Forgetting to block inter-VLAN routing on the switch: If the switch is a Layer 3 switch, it may route between VLANs by default. You must configure ACLs or a firewall to control traffic.

Exam-Relevant Numbers

VLAN ID range: 1-4094 (0, 4095 reserved).

Native VLAN: Default is VLAN 1 – change it to an unused VLAN.

Firewall implicit rule: Deny all.

TCP state table timeout: Typically 60 minutes for established connections (varies by vendor).

DMZ subnet: Usually a /24, but /28 is common for small DMZs.

Summary of Mechanism

Segmentation works by creating isolated broadcast domains (VLANs) and IP subnets. A firewall or router with ACLs enforces policies between these domains. The DMZ is a special segment that hosts public-facing services but is isolated from the internal network. Traffic flows: External -> Firewall -> DMZ (if allowed) -> Firewall -> Internal (if explicitly allowed). The key is that no direct communication is allowed between external and internal; all traffic must traverse the DMZ or be explicitly permitted by firewall rules.

Walk-Through

1. Define Security Zones

Identify and label each zone: Untrusted (Internet), Semi-trusted (DMZ), Trusted (Internal), and possibly Restricted (e.g., PCI data). Assign each zone a unique VLAN ID and IP subnet. For example, internal = VLAN 10, 192.168.1.0/24; DMZ = VLAN 20, 10.0.20.0/24; external = VLAN 30, 203.0.113.0/24 (public IPs). Document the purpose of each zone and the types of hosts it contains. This step is critical because all subsequent firewall rules reference these zones.

2. Configure VLANs on Switches

On each switch, create the VLANs using the `vlan` command. Assign access ports to the correct VLAN for endpoint devices. Configure trunk ports between switches and between switches and the firewall. Set the native VLAN to an unused VLAN (e.g., 999) to prevent VLAN hopping. Use `switchport trunk allowed vlan` to restrict which VLANs traverse the trunk. Verify with `show vlan brief` and `show interfaces trunk`. Ensure that the native VLAN is not used for any user traffic.

3. Configure Firewall Interfaces and Subinterfaces

On the firewall, assign each physical interface (or subinterface) to a VLAN and IP subnet. For a three-legged firewall, each physical interface maps to one zone. For a router-on-a-stick, create subinterfaces (e.g., `interface GigabitEthernet0/0.10` for VLAN 10). Assign an IP address that serves as the default gateway for that subnet. Set the security level (Cisco ASA) or zone (Palo Alto) – typically internal = 100, DMZ = 50, external = 0. Enable the interface with `no shutdown`.

4. Write Firewall Rules (Access Control Lists)

Define rules that explicitly permit required traffic and deny everything else. Typical rules:

- Permit HTTP/HTTPS from any external source to the DMZ web server IP.
- Permit the DMZ web server to initiate connections to the internal database server on port 3306.
- Permit internal users to access the internet via NAT (source NAT).
- Deny all other traffic.

Use the principle of least privilege: only allow specific source/destination IPs and ports. Apply the ACL to the appropriate interface and direction (inbound on the external interface for incoming traffic). Remember the implicit deny at the end.

5. Test and Verify Segmentation

Use tools like ping, traceroute, and telnet to verify isolation. From an external host, ping the DMZ web server – should succeed. Ping the internal network – should fail. From the DMZ web server, attempt to telnet to the internal database server on the allowed port – should succeed. Try telnet to any other internal host – should fail. From an internal host, access the internet – should succeed (via NAT). Check firewall logs for denied packets. Verify that no traffic bypasses the firewall (e.g., direct switch routing). Use `show access-list` and `show firewall log` to confirm rule hits.
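As an added example (not code from this chapter or any vendor), the five walk-through steps above, the rule list from "How Segmentation Works Internally" and the FAQ on stateful return traffic can be modelled together as a small zone-based stateful firewall in Python: subnets map to zones, rules are evaluated first-match with an implicit deny at the end, each permitted flow goes into a state table so its return traffic needs no rule, and state entries expire after the 60-minute timeout the chapter cites. The addresses 10.0.20.10 (DMZ web server), 192.168.1.50 (internal database server), 192.168.1.20 (an internal workstation) and 198.51.100.7 (an internet client) are constructed sample values, and the model applies default deny in every direction rather than the Cisco ASA security-level default described later in the chapter.

```python
import ipaddress
import time
from dataclasses import dataclass
from typing import Optional

# Constructed zone plan matching the chapter: VLAN 10 internal, VLAN 20 DMZ.
# Any address outside these subnets is treated as external (untrusted).
ZONES = {
    "internal": ipaddress.ip_network("192.168.1.0/24"),
    "dmz": ipaddress.ip_network("10.0.20.0/24"),
}
WEB = "10.0.20.10"       # DMZ web server (sample address)
DB = "192.168.1.50"      # internal database server (sample address)
CLIENT = "198.51.100.7"  # internet client (sample address from a documentation range)


def zone_of(ip: str) -> str:
    """Map an address to its security zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str  # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: str = "any"
    src_host: Optional[str] = None  # None means any host in the zone
    dst_host: Optional[str] = None
    dst_port: Optional[int] = None  # None means any port

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and self.proto in ("any", pkt.proto)
                and self.src_host in (None, pkt.src)
                and self.dst_host in (None, pkt.dst)
                and self.dst_port in (None, pkt.dport))


# The chapter's rule set; anything not listed falls to the implicit deny.
POLICY = [
    Rule("permit", "external", "dmz", "tcp", dst_host=WEB, dst_port=80),
    Rule("permit", "external", "dmz", "tcp", dst_host=WEB, dst_port=443),
    Rule("permit", "dmz", "internal", "tcp", src_host=WEB, dst_host=DB, dst_port=3306),
    Rule("permit", "internal", "external"),  # internal users out to the internet (NAT)
]


class StatefulFirewall:
    """First-match rule base plus a connection state table."""

    def __init__(self, rules, timeout=3600):
        self.rules = list(rules)
        self.timeout = timeout  # 60 minutes, the chapter's typical TCP value
        self.state = {}         # (src, sport, dst, dport, proto) -> last seen

    def check(self, pkt: Packet, now: Optional[float] = None):
        now = time.time() if now is None else now
        # Return traffic of a flow permitted earlier is matched by the state table.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        last = self.state.get(reverse)
        if last is not None:
            if now - last <= self.timeout:
                self.state[reverse] = now
                return "permit", "established"
            del self.state[reverse]  # expired entry: fall through to the rule base
        for i, rule in enumerate(self.rules, start=1):
            if rule.matches(pkt):
                if rule.action == "permit":
                    self.state[(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)] = now
                return rule.action, f"rule {i}"
        return "deny", "implicit deny"


def verify_segmentation(fw: StatefulFirewall) -> dict:
    """Walk-through step 5 as a checklist: description -> did the verdict match?"""
    cases = [
        ("external -> DMZ web :80", Packet(CLIENT, WEB, "tcp", 40000, 80), "permit"),
        ("external -> internal DB :3306", Packet(CLIENT, DB, "tcp", 40001, 3306), "deny"),
        ("DMZ web -> internal DB :3306", Packet(WEB, DB, "tcp", 50000, 3306), "permit"),
        ("DMZ web -> other internal host :22", Packet(WEB, "192.168.1.20", "tcp", 50001, 22), "deny"),
        ("other DMZ host -> internal DB :3306", Packet("10.0.20.11", DB, "tcp", 50002, 3306), "deny"),
        ("internal -> internet :443", Packet("192.168.1.20", CLIENT, "tcp", 50003, 443), "permit"),
    ]
    return {desc: fw.check(pkt)[0] == want for desc, pkt, want in cases}
```

`verify_segmentation(StatefulFirewall(POLICY))` returns True for every case; calling `check` with an explicit `now` shows the state-table behaviour: the database server's reply to a permitted web-server connection is accepted as "established" with no rule of its own, and once the entry has aged past the timeout the same reply packet falls through to the rule base and hits the implicit deny.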

What This Looks Like on the Job

Enterprise Scenario 1: E-Commerce Platform

A large e-commerce company hosts its public website, payment gateway, and customer portal in a DMZ. The internal network contains the order database, inventory system, and employee workstations. The DMZ uses a dual-firewall (screened subnet) architecture. The external firewall allows only HTTP/HTTPS (ports 80, 443) to the web servers and a specific port for the payment gateway to communicate with the payment processor. The internal firewall allows only the web servers to connect to the database server on port 3306 (MySQL). All other traffic from DMZ to internal is blocked. This setup ensures that even if a web server is compromised (e.g., via SQL injection), the attacker cannot pivot to the internal database because the internal firewall only allows traffic from the web server's IP to the database IP on a single port. The company also uses VLANs to separate the DMZ subnets: web servers on VLAN 20, payment gateway on VLAN 21, and internal on VLAN 10. Performance is not an issue because the firewall (a next-generation firewall) can handle 10 Gbps throughput. Common misconfiguration: allowing DMZ hosts to initiate outbound connections to the internet (e.g., for updates) without restriction – this can be used as a C2 channel. The fix is to force updates through a proxy in the DMZ or use a separate update server.

Enterprise Scenario 2: Healthcare Organization

A hospital network must comply with HIPAA. They segment the network into: Patient Data (VLAN 10), Medical Devices (VLAN 20), Guest Wi-Fi (VLAN 30), and DMZ for patient portal (VLAN 40). The DMZ hosts the patient portal web server and an API gateway. The firewall rules are strict: only HTTPS (443) from internet to DMZ, and only the DMZ API gateway can access the internal database on VLAN 10 (port 1433 for SQL Server). No other traffic from DMZ to internal is allowed. Medical devices (VLAN 20) are isolated from the internet entirely – they can only communicate with a central monitoring server in the internal network. Guest Wi-Fi has internet access only, with no access to internal or DMZ. The network uses 802.1X authentication on wired ports to enforce VLAN assignment based on user role. A common issue is that medical devices often use hardcoded IPs and cannot be easily re-subnetted; in that case, a Layer 2 firewall (e.g., a bridge firewall) is used to filter traffic between VLANs without changing IPs.

What Goes Wrong When Misconfigured

Flat network: No segmentation – a single breach compromises everything.

Overly permissive firewall rules: Allowing 'any any' between DMZ and internal – attackers can pivot easily.

VLAN hopping: Using default native VLAN (1) on trunks – attackers can send double-tagged frames to access other VLANs.

Forgotten implicit allow: Some firewalls have an implicit allow for traffic from higher security level to lower (e.g., Cisco ASA allows internal to DMZ by default). If not explicitly denied, internal users can access DMZ servers without restriction, which may be undesirable.

Incorrect subnet mask: Overlapping subnets cause routing issues and can bypass firewall rules.

How N10-009 Actually Tests This

What N10-009 Tests on Network Segmentation and DMZ

This topic falls under Objective 4.2 – Network Security (specifically 4.2.1: Given a scenario, apply network segmentation and DMZ architecture). The exam expects you to:

Identify the purpose of a DMZ (to host public-facing services while isolating the internal network).

Describe the difference between a three-legged firewall DMZ and a screened subnet (dual firewall) DMZ.

Understand that VLANs create separate broadcast domains and that inter-VLAN communication requires a router or Layer 3 switch.

Know that the implicit rule in a firewall is 'deny all'.

Recognize that segmentation limits the scope of a security breach (lateral movement).

Common Wrong Answers and Why Candidates Choose Them

1. 'A DMZ is used to connect two different networks.' – Wrong. That is a WAN link or router. Candidates confuse DMZ with a transit network.

2. 'VLANs provide Layer 3 isolation.' – Wrong. VLANs are Layer 2 broadcast domain isolation. Layer 3 isolation requires separate subnets and routing.

3. 'The firewall should allow all traffic from the DMZ to the internal network because the DMZ is semi-trusted.' – Wrong. The DMZ is semi-trusted only in that it is more trusted than the internet, but it should still be restricted. Candidates overestimate trust.

4. 'A screened subnet uses one firewall.' – Wrong. A screened subnet uses two firewalls. Candidates confuse it with a three-legged firewall.

Specific Numbers and Terms on the Exam

VLAN ID range: 1-4094 (0 and 4095 reserved).

Native VLAN: Default is 1 – change it to an unused VLAN (e.g., 999).

Implicit deny: The last rule in a firewall ACL.

Screened subnet: Another name for dual-firewall DMZ.

Three-legged firewall: One firewall with three interfaces (outside, DMZ, inside).

Broadcast domain: A VLAN creates a separate broadcast domain.

Edge Cases and Exceptions

Virtual DMZ: In cloud environments (AWS, Azure), a DMZ can be implemented using security groups and VPCs. The exam may ask about cloud segmentation.

Guest Wi-Fi: Often placed in a separate VLAN/subnet with internet-only access – this is a form of segmentation.

Industrial control systems (ICS): Use a 'Purdue model' with multiple levels of segmentation. The exam may reference this as an example.

How to Eliminate Wrong Answers

Always ask: 'Does this option isolate traffic between zones?' If it allows direct communication between untrusted and trusted without a firewall, it is wrong. Look for keywords like 'broadcast domain', 'implicit deny', 'screened subnet'. If the question mentions a DMZ, remember it is for public services, not for internal client isolation.

Key Takeaways

Network segmentation divides a network into isolated segments to limit the blast radius of a security breach.

VLANs (IEEE 802.1Q) provide Layer 2 isolation; inter-VLAN communication requires a router or Layer 3 switch.

A DMZ is a semi-trusted zone that hosts public-facing services (web, email, DNS) and is isolated from the internal network.

The implicit rule in a firewall ACL is 'deny all' – all traffic is blocked unless explicitly permitted.

A screened subnet DMZ uses two firewalls for defense in depth.

Always change the native VLAN on trunk ports from default VLAN 1 to an unused VLAN to prevent VLAN hopping.

Firewall rules should follow the principle of least privilege: only allow specific source/destination IPs and ports.

Segmentation is a key control for compliance (PCI DSS, HIPAA) and is tested on N10-009 under Objective 4.2.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Three-Legged Firewall DMZ

Uses one firewall with three interfaces (outside, DMZ, inside).

Lower cost – only one firewall device needed.

Simpler configuration – all rules on one device.

Single point of failure – if firewall is compromised, all zones are exposed.

Suitable for small-to-medium businesses with limited budget.

Screened Subnet (Dual Firewall) DMZ

Uses two firewalls – one between internet and DMZ, one between DMZ and internal.

Higher cost – two firewall devices and more cabling.

More complex configuration – rules must be coordinated on both firewalls.

Defense in depth – even if external firewall is breached, internal firewall still protects internal network.

Suitable for large enterprises and high-security environments.

Watch Out for These

Mistake

A DMZ is the same as a perimeter network.

Correct

They are often used interchangeably, but a perimeter network is any network that sits between the internet and the internal network. A DMZ is a specific type of perimeter network that hosts public-facing services. The exam may treat them as synonyms, but technically a DMZ is a subset of perimeter networks.

Mistake

VLANs provide security because they isolate traffic at Layer 2.

Correct

VLANs isolate broadcast domains, but they do not provide security by themselves. Traffic can still be routed between VLANs if a router or Layer 3 switch is configured. Security requires ACLs or firewall rules to control inter-VLAN traffic. Additionally, VLAN hopping attacks can bypass isolation.

Mistake

A three-legged firewall DMZ is more secure than a screened subnet.

Correct

A screened subnet (dual firewall) is more secure because it provides defense in depth. If the external firewall is compromised, the internal firewall still protects the internal network. A three-legged firewall has a single point of failure.

Mistake

The DMZ should have the same security level as the internal network because both are trusted.

Correct

The DMZ is semi-trusted. It is more exposed to the internet and should have stricter controls. Treating it as fully trusted defeats the purpose of segmentation.

Mistake

Network segmentation only applies to wired networks.

Correct

Segmentation applies to wireless networks too. For example, guest Wi-Fi is typically placed in a separate VLAN/subnet with only internet access. 802.1Q VLAN tagging can be used on wireless controllers to assign SSIDs to VLANs.


Frequently Asked Questions

What is the difference between a VLAN and a subnet?

A VLAN is a Layer 2 broadcast domain, while a subnet is a Layer 3 IP network. VLANs are used to segment traffic at Layer 2; subnets segment at Layer 3. Typically, each VLAN is mapped to a unique subnet. Devices in the same VLAN can communicate directly (Layer 2); devices in different VLANs must communicate via a router (Layer 3). On the exam, remember that VLANs provide broadcast domain isolation, and subnets provide IP address range isolation.

Why should the native VLAN be changed from VLAN 1?

VLAN 1 is the default native VLAN on Cisco switches. If left unchanged, an attacker can perform a VLAN hopping attack by sending double-tagged 802.1Q frames. The outer tag matches the native VLAN (1) and is stripped by the switch; the inner tag is then honored, so the frame can reach another VLAN. Changing the native VLAN to an unused VLAN (e.g., 999) prevents this attack. This is a common exam point.

Can a DMZ be implemented in a cloud environment?

Yes. In AWS, you can create a VPC with public subnets (DMZ) and private subnets (internal). Security groups and network ACLs act as firewalls to control traffic between subnets. For example, a web server in the public subnet can be accessed from the internet (port 80/443), but the database in the private subnet can only be accessed from the web server's security group. This is a virtual DMZ.

What is the purpose of a screened subnet?

A screened subnet (dual firewall DMZ) provides an extra layer of security. The external firewall filters traffic from the internet to the DMZ, and the internal firewall filters traffic from the DMZ to the internal network. If the external firewall is compromised, the internal firewall still protects internal assets. It is more secure than a three-legged firewall DMZ.

How does a stateful firewall handle return traffic from the DMZ to internal?

When a DMZ host initiates a connection to an internal host (if allowed), the firewall creates a state table entry. Return packets from the internal host are matched against this entry and allowed automatically. The firewall does not need a separate rule for return traffic. Stateful inspection uses the state table to track connections; the default timeout for TCP established connections is typically 60 minutes.

What is the difference between a DMZ and an extranet?

A DMZ is a network segment that sits between the internet and the internal network, hosting public services. An extranet is a network that allows controlled access from external partners (e.g., suppliers) to specific internal resources, often via VPN. An extranet may use a DMZ for termination points, but they are not the same.

What command shows VLAN information on a Cisco switch?

The command `show vlan brief` displays a list of all VLANs, their names, and which ports are assigned to each VLAN. `show interfaces trunk` shows trunk ports and allowed VLANs. These are essential for verification on the exam and in real life.
