N10-009 | Chapter 132 of 163 | Objective 4.2

Security Zone Design and Segmentation

This chapter covers security zone design and segmentation, a core topic in CompTIA Network+ N10-009 Objective 4.2. Understanding how to logically and physically separate network assets into zones is critical for minimizing attack surface and containing breaches. Expect 5-10% of exam questions to test your knowledge of DMZ placement, VLAN segmentation, firewall rules, and best practices for securing network boundaries.

25 min read
Intermediate
Updated May 31, 2026

Security Zones Like Bank Vaults

A bank has multiple security zones: the public lobby (untrusted), the teller area (controlled), the vault room (restricted), and the safety deposit box area (isolated). Each zone has specific access controls. The lobby is open to anyone, but to enter the teller area, you need a key card. The vault room requires biometric authentication and a two-person rule. The safety deposit box area is further segmented so each customer can only access their own box. Network security zones work the same way: the Internet is the public lobby, a DMZ is the teller area (accessible but monitored), internal LAN is the vault room (restricted access), and sensitive data VLANs are safety deposit boxes (isolated per user/group). Firewalls enforce rules between zones, just like bank security guards and locked doors. VLANs and ACLs segment traffic within a zone, like separate corridors for different bank employees. This layered approach ensures that even if an attacker breaches one zone, they cannot easily move to the next without proper credentials.

How It Actually Works

What Are Security Zones and Why Do They Exist?

Security zones are logical or physical segments of a network that group assets with similar security requirements. The primary goal is to enforce the principle of least privilege: users and devices in one zone should only access resources in another zone if explicitly permitted. This limits the blast radius of a compromise—if an attacker gains control of a host in a low-security zone, they cannot freely pivot to high-security zones.

The concept originates from the military's need to classify information (e.g., unclassified, confidential, secret, top secret). In networking, we apply similar classifications: untrusted (Internet), semi-trusted (DMZ), trusted (internal LAN), and highly restricted (PCI, HIPAA, or proprietary data segments).

How Security Zones Work Internally

Segmentation is achieved through a combination of:

Firewalls: Deployed at zone boundaries to inspect and filter traffic based on stateful inspection, application-layer filtering, or next-generation firewall (NGFW) capabilities. Each firewall interface is assigned to a security zone, and policies define what traffic is allowed from one zone to another.

VLANs: Layer 2 segmentation using IEEE 802.1Q tags. Devices in different VLANs cannot communicate without a Layer 3 device (router or Layer 3 switch) that enforces ACLs. VLANs are often mapped to security zones.

ACLs: Applied on routers, switches, and firewalls to permit or deny traffic based on source/destination IP, port, protocol, or application.

VRFs: Virtual Routing and Forwarding creates separate routing tables on the same router, providing Layer 3 isolation. VRFs are used in MPLS networks to create customer-specific zones.

Physical separation: Dedicated hardware for different trust levels (e.g., separate switches for production vs. management networks).

Key Components, Values, Defaults, and Timers

Firewall default policy: Most firewalls default to deny-all inbound traffic. For example, a typical Cisco ASA default rule is `deny ip any any` on the outside interface.

VLAN default: All ports on a switch default to VLAN 1 (the default VLAN). Best practice: change the native VLAN to an unused VLAN (e.g., VLAN 999) to prevent VLAN hopping.

802.1Q trunk port: Default native VLAN is 1. Trunk ports carry multiple VLANs; frames are tagged except for the native VLAN.

DMZ subnet: Typically a /24 network (e.g., 10.0.1.0/24) placed between two firewalls or on a separate firewall interface.

Stateful firewall timeout: Typical TCP session timeout is 3600 seconds (1 hour) for established connections; UDP timeout is 30 seconds. These values are configurable.

ACL order: ACLs are processed top-down. The first matching rule is applied. An implicit deny all is at the end of every ACL.

Configuration and Verification Commands

Cisco IOS ACL example (extended ACL on router):

access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 80
access-list 100 deny ip any any
interface GigabitEthernet0/0
ip access-group 100 in
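The ACL above is read top-down, the first matching line wins, and an implicit deny sits at the end. The Python below is an added example, not part of the chapter and not Cisco software: it parses extended ACL lines in the syntax shown (`permit`/`deny`, `ip`/`tcp`/`udp`, `any`, `host`, wildcard masks and a destination `eq` port), evaluates packets against them, keeps per-line hit counts the way `show access-list` reports them, and flags lines that an earlier line shadows so they can never match. `Packet`, `Rule`, `evaluate`, `shadowed_rules`, the sample packets and the second ACL (number 110) are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]        # None = any destination port
    text: str                   # original config line, kept for reporting
    hits: int = 0               # bumped on match, like the hitcnt in 'show access-list'

def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'; return (network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.IPv4Network(f"{tokens[1]}/32"), 2
    addr, wildcard = tokens[0], tokens[1]
    # Two wildcards ipaddress would misread: in Cisco syntax 0.0.0.0 means "this exact
    # host" and 255.255.255.255 means "any".
    if wildcard == "0.0.0.0":
        return ipaddress.IPv4Network(f"{addr}/32"), 2
    if wildcard == "255.255.255.255":
        return ipaddress.IPv4Network("0.0.0.0/0"), 2
    # ipaddress accepts a hostmask (= Cisco wildcard) in place of a netmask; strict=False
    # tolerates host bits in the address as IOS does. Non-contiguous wildcards such as
    # 0.0.255.0 raise ValueError and are out of scope here.
    return ipaddress.IPv4Network(f"{addr}/{wildcard}", strict=False), 2

def parse_rule(line: str) -> Rule:
    """Parse 'access-list <n> permit|deny <proto> <src> <dst> [eq <port>]'.
    Only a destination 'eq' port is supported (no source ports, ranges or 'log')."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto, pos = tokens[2], tokens[3], 4
    src_net, used = _parse_addr(tokens[pos:])
    pos += used
    dst_net, used = _parse_addr(tokens[pos:])
    pos += used
    dport = int(tokens[pos + 1]) if pos < len(tokens) and tokens[pos] == "eq" else None
    return Rule(action, proto, src_net, dst_net, dport, line)

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Top-down, first match wins; the implicit deny applies when nothing matches."""
    src, dst = ipaddress.IPv4Address(pkt.src), ipaddress.IPv4Address(pkt.dst)
    for r in rules:
        if r.proto not in ("ip", pkt.proto) or src not in r.src_net or dst not in r.dst_net:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        r.hits += 1
        return r.action, r.text
    return "deny", "<implicit deny>"

def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule already covers
    every packet they describe; useful when auditing an ACL for stale entries."""
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.proto in ("ip", later.proto) and earlier.dport in (None, later.dport)
                    and later.src_net.subnet_of(earlier.src_net)
                    and later.dst_net.subnet_of(earlier.dst_net)):
                out.append(j)
                break
    return out

# The chapter's ACL 100, plus a constructed ACL 110 whose specific deny is shadowed
# by the broad permit placed above it.
ACL_100 = [parse_rule(line) for line in """
access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 10.0.0.10 eq 80
access-list 100 deny ip any any
""".strip().splitlines()]

ACL_110 = [parse_rule(line) for line in """
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny tcp host 192.168.1.50 host 10.0.0.10 eq 22
""".strip().splitlines()]

def demo() -> dict:
    """Constructed packets run through both ACLs; returns the action taken for each."""
    return {
        "web_from_lan": evaluate(ACL_100, Packet("tcp", "192.168.1.25", "10.0.0.10", 80))[0],
        "ssh_from_lan": evaluate(ACL_100, Packet("tcp", "192.168.1.25", "10.0.0.10", 22))[0],
        "web_from_other_subnet": evaluate(ACL_100, Packet("tcp", "192.168.2.5", "10.0.0.10", 80))[0],
        "shadowed_ssh_deny": evaluate(ACL_110, Packet("tcp", "192.168.1.50", "10.0.0.10", 22))[0],
    }

if __name__ == "__main__":
    print(demo())
    print([f"{r.text} (hitcnt={r.hits})" for r in ACL_100])
    print("shadowed entries in ACL 110:", shadowed_rules(ACL_110))
```

The `shadowed_ssh_deny` result is the point of ACL 110: the specific deny for host 192.168.1.50 is never reached because the broad permit above it matches first, which is exactly the ordering mistake an ACL audit should catch.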

Cisco ASA firewall zone configuration:

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.1.1 255.255.255.0

Verification commands:

show access-list
show running-config | include access-list
show vlan brief
show interfaces trunk
show firewall (on ASA: show asp inspect)

How Zones Interact with Related Technologies

VPNs: Create encrypted tunnels that traverse untrusted zones. Remote access VPNs place users into a specific zone (e.g., VPN zone) with restricted access.

NAC: Network Access Control (e.g., 802.1X) dynamically assigns endpoints to VLANs/zones based on authentication and posture assessment. A non-compliant device may be placed in a quarantine VLAN.

SDN: Software-Defined Networking centralizes zone policy management. Controllers can dynamically adjust ACLs and VLAN assignments.

Cloud: Virtual Private Clouds (VPCs) in AWS/Azure are analogous to zones. Security groups and network ACLs enforce segmentation at the instance and subnet level.

Common Zone Architectures

1. Three-tier DMZ: Web servers in DMZ, application servers in internal LAN, database servers in a separate restricted zone. Firewalls between each tier.

2. Bastion host: A hardened server in the DMZ that manages SSH/RDP access to internal servers. All administrative traffic must go through the bastion.

3. Guest Wi-Fi: Separate VLAN and SSID with no access to internal resources, only Internet access. Often uses captive portal authentication.

4. Management zone: Out-of-band management network for switches, routers, firewalls, and servers. Isolated from production traffic.

Traffic Flow Example: Web Request from Internet to DMZ

1. User sends HTTP request to public IP of web server.

2. Firewall's outside interface receives packet. It matches a rule allowing HTTP from any to DMZ web server.

3. Firewall performs NAT (if configured) to translate public IP to DMZ server's private IP.

4. Packet is forwarded to DMZ interface. Web server processes request.

5. Response is sent back through firewall, which maintains state table entry.

6. Firewall rewrites destination IP back to public IP and forwards to Internet.

Common Pitfalls

Overly permissive rules: Allowing "any any" between zones defeats segmentation.

Missing explicit deny: Every ACL ends with an implicit deny, but relying on ACL order without an explicit deny at the end can lead to unintended access, and the implicit deny neither logs nor counts what it drops.

VLAN hopping attacks: Attackers can exploit default native VLAN or double-tagging to bypass segmentation. Mitigation: disable DTP, set native VLAN to unused, and use dedicated trunk ports.

Misconfigured security levels: On Cisco ASA, traffic from higher security level to lower is allowed by default; from lower to higher is denied. Incorrectly setting levels can open unintended paths.
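To make the default behaviour concrete, here is an added Python model (not Cisco code and not from the chapter) of how an ASA decides a new connection between two of the interfaces configured earlier (outside 0, dmz 50, inside 100): equal levels are dropped unless `same-security-traffic permit inter-interface` is set, an ACL bound inbound on the ingress interface replaces that interface's level-based implicit rule, and otherwise higher to lower is permitted and lower to higher denied. The `Interface`, `Flow` and `decide` names, the three-tuple rule format and the mis-set levels in the demonstration are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Ace = Tuple[str, str, Optional[int]]   # (action, protocol, destination port or None = any)

@dataclass
class Interface:
    nameif: str
    security_level: int                       # 0 = least trusted ... 100 = most trusted
    inbound_acl: Optional[List[Ace]] = None   # None = no 'access-group <acl> in interface' bound

@dataclass
class Flow:
    ingress: str    # nameif the first packet of the connection arrives on
    egress: str     # nameif it would leave through
    proto: str
    dport: int

def acl_decides(acl: List[Ace], flow: Flow) -> str:
    """First matching entry wins; an ACL always ends with an implicit deny."""
    for action, proto, port in acl:
        if proto in ("ip", flow.proto) and port in (None, flow.dport):
            return action
    return "deny"

def decide(interfaces: Dict[str, Interface], flow: Flow,
           same_security_inter_interface: bool = False) -> str:
    """Permit or deny a new connection the way the ASA interface rules do."""
    ing, eg = interfaces[flow.ingress], interfaces[flow.egress]
    # Equal levels are dropped unless 'same-security-traffic permit inter-interface' is set.
    if ing.security_level == eg.security_level and not same_security_inter_interface:
        return "deny"
    # An ACL bound inbound on the ingress interface replaces that interface's level-based
    # implicit rule, including the implicit permit from higher to lower.
    if ing.inbound_acl is not None:
        return acl_decides(ing.inbound_acl, flow)
    if ing.security_level > eg.security_level:
        return "permit"   # higher -> lower: allowed; the return traffic rides the state table
    if ing.security_level == eg.security_level:
        return "permit"   # reached only when same-security traffic was enabled above
    return "deny"         # lower -> higher: denied until an ACL explicitly permits it

def chapter_interfaces() -> Dict[str, Interface]:
    """The three interfaces from the ASA configuration shown earlier in the chapter."""
    return {"outside": Interface("outside", 0),
            "dmz": Interface("dmz", 50),
            "inside": Interface("inside", 100)}

def demo() -> Dict[str, str]:
    r = {}
    ifs = chapter_interfaces()
    r["inside_to_dmz_no_acl"] = decide(ifs, Flow("inside", "dmz", "tcp", 22))        # permit
    r["outside_to_dmz_no_acl"] = decide(ifs, Flow("outside", "dmz", "tcp", 80))      # deny
    # Explicit permits for web traffic from the untrusted side
    ifs["outside"].inbound_acl = [("permit", "tcp", 80), ("permit", "tcp", 443)]
    r["outside_to_dmz_https"] = decide(ifs, Flow("outside", "dmz", "tcp", 443))      # permit
    r["outside_to_dmz_mysql"] = decide(ifs, Flow("outside", "dmz", "tcp", 3306))     # deny
    # Pitfall 1: binding any ACL on 'inside' removes its implicit permit toward lower levels
    ifs["inside"].inbound_acl = [("permit", "tcp", 443)]
    r["inside_to_dmz_ssh_after_acl"] = decide(ifs, Flow("inside", "dmz", "tcp", 22))  # deny
    # Pitfall 2: "set everything to 100" makes every pair same-security, so nothing flows
    flat = chapter_interfaces()
    for i in flat.values():
        i.security_level = 100
    r["all_100_inside_to_dmz"] = decide(flat, Flow("inside", "dmz", "tcp", 443))     # deny
    r["all_100_same_security_on"] = decide(flat, Flow("inside", "dmz", "tcp", 443), True)  # permit
    # Pitfall 3: an 'outside' level above the DMZ's opens the DMZ to the Internet with no ACL
    wrong = chapter_interfaces()
    wrong["outside"].security_level = 60
    r["outside_60_to_dmz_no_acl"] = decide(wrong, Flow("outside", "dmz", "tcp", 3306))  # permit
    return r

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} {verdict}")
```

Pitfall 1 is the one that surprises people in practice: adding a restrictive ACL to the inside interface to control one thing silently removes the implicit higher-to-lower permit for everything else on that interface.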

Best Practices

Use a firewall with multiple interfaces for each zone.

Apply the principle of least privilege: only allow required ports/protocols.

Regularly audit ACLs and remove stale rules.

Use VLANs for internal segmentation and firewalls for inter-zone traffic.

Implement logging and monitoring on zone boundaries.

Segment management traffic from production traffic.

For PCI DSS compliance, ensure cardholder data is in a separate zone with strict access controls.

Walk-Through

1. Identify Assets and Trust Levels

Classify all network assets (servers, workstations, IoT devices, etc.) into trust levels: untrusted (Internet), semi-trusted (public-facing servers), trusted (internal users), and highly restricted (databases with PII). Document data flows between these groups. This step is critical for defining zone boundaries. For example, a web server that accepts HTTPS from the Internet belongs in a DMZ, while a database server that stores credit card numbers belongs in a restricted zone with no direct Internet access.

2. Design Zone Topology

Determine the physical or logical placement of zones. Common designs include a single firewall with three interfaces (outside, inside, DMZ) or a pair of firewalls (front-end and back-end) creating a DMZ network sandwiched between them. In a multi-tier architecture, place web servers in the DMZ, application servers in a separate internal zone, and databases in a back-end zone. Each zone should be on a separate subnet and VLAN. Use RFC 1918 private IP addresses for internal zones.

3. Configure VLANs and Subnets

Create VLANs for each zone on the switches. For example, VLAN 10 for DMZ (subnet 10.0.10.0/24), VLAN 20 for internal LAN (192.168.20.0/24), VLAN 30 for restricted data (172.16.30.0/24). Assign switch ports to the appropriate VLANs. Configure trunk ports between switches and to the firewall. Set the native VLAN to an unused VLAN (e.g., VLAN 999) to prevent VLAN hopping. Verify with `show vlan brief`.

4. Deploy Firewall and Set Security Levels

Assign each firewall interface to a zone with a security level (0-100). On Cisco ASA, outside=0, DMZ=50, inside=100. Higher levels trust traffic more. Traffic from higher to lower is allowed by default (if stateful), while lower to higher is denied. Create explicit ACLs to permit necessary traffic. For example, allow HTTP/HTTPS from outside to DMZ, and allow SQL from DMZ to inside database server on a specific port. Every ACL already ends with an implicit deny; finish with an explicit deny so that dropped traffic is logged and counted.

5. Implement Access Control Lists

Write ACLs for each zone boundary. Use extended ACLs on routers or firewall rules on the firewall. For example, to allow HTTP from Internet to DMZ web server: `access-list 100 permit tcp any host 10.0.10.10 eq 80`. Apply the ACL inbound on the outside interface. For internal zones, restrict management access to only authorized admin subnets. Use object groups to simplify management. Test with `show access-list` to see hit counts.

6. Enable Logging and Monitoring

Configure logging on firewall and switches for zone boundary traffic. Send syslog to a SIEM. Enable logging for denied packets to detect scanning or attacks. Set up alerts for unusual traffic patterns. For example, on Cisco IOS: `logging buffered 4096` and `access-list 100 permit tcp ... log`. Monitor firewall logs to verify that only permitted traffic flows. Regularly review logs for policy violations.
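As an added example of the monitoring this step calls for (not from the chapter and not a vendor tool), the Python below parses constructed syslog lines in the two deny formats a Cisco boundary device emits, IOS `%SEC-6-IPACCESSLOGP` from an ACL entry carrying `log` and ASA `%ASA-4-106023` for traffic an access-group drops, and then flags a source that probes many ports on one host (port scan) or one port on many hosts (host sweep). It also totals denies per ACL and port, which is the quick way to confirm that the boundary is dropping what it should. The log lines, addresses, device names, thresholds and function names are constructed; the thresholds in particular need tuning to real traffic volumes.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: an ASA (fw1) and an IOS router (core1) sending syslog to the SIEM.
SAMPLE_LOG = """\
Jun  1 10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51234 dst dmz:10.0.10.10/22 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51235 dst dmz:10.0.10.10/23 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:01 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51236 dst dmz:10.0.10.10/445 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51237 dst dmz:10.0.10.10/3306 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.5/51238 dst dmz:10.0.10.10/8080 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:03 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.7/40001 dst dmz:10.0.10.10/3306 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:04 fw1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40002 (198.51.100.7/40002) to dmz:10.0.10.10/443 (10.0.10.10/443)
Jun  1 10:00:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/33001 dst dmz:10.0.10.11/445 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/33002 dst dmz:10.0.10.12/445 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.9/33003 dst dmz:10.0.10.13/445 by access-group "outside_in" [0x0, 0x0]
Jun  1 10:00:06 core1 %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.168.20.15(51500) -> 172.16.30.10(3306), 1 packet
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"
# IOS: produced by an ACL entry ending in 'log' (needs 'logging buffered' or a syslog host)
IOS_DENY = re.compile(rf"list (?P<acl>\S+) denied (?P<proto>\w+) "
                      rf"(?P<src>{IPV4})\((?P<sport>\d+)\) -> (?P<dst>{IPV4})\((?P<dport>\d+)\)")
# ASA: message 106023, a packet dropped by an interface access-group
ASA_DENY = re.compile(rf"%ASA-\d-106023: Deny (?P<proto>\w+) "
                      rf"src (?P<src_if>\w+):(?P<src>{IPV4})/(?P<sport>\d+) "
                      rf"dst (?P<dst_if>\w+):(?P<dst>{IPV4})/(?P<dport>\d+) "
                      rf'by access-group "(?P<acl>[^"]+)"')

def parse_denies(lines: List[str]) -> List[Dict]:
    """Keep only deny events; permits, connection builds and other messages are ignored."""
    events = []
    for line in lines:
        m = IOS_DENY.search(line) or ASA_DENY.search(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({"src": d["src"], "dst": d["dst"], "proto": d["proto"],
                       "dport": int(d["dport"]), "acl": d["acl"]})
    return events

def detect_scans(events: List[Dict], port_threshold: int = 5, host_threshold: int = 5) -> List[Dict]:
    """One alert per source that hit >= port_threshold distinct ports (port scan) or,
    failing that, >= host_threshold distinct hosts (host sweep) within this batch."""
    by_src = defaultdict(set)
    for e in events:
        by_src[e["src"]].add((e["dst"], e["dport"]))
    alerts = []
    for src, targets in sorted(by_src.items()):
        ports = {p for _, p in targets}
        hosts = {h for h, _ in targets}
        if len(ports) >= port_threshold:
            alerts.append({"src": src, "kind": "port scan", "count": len(ports)})
        elif len(hosts) >= host_threshold:
            alerts.append({"src": src, "kind": "host sweep", "count": len(hosts)})
    return alerts

def denies_by_acl(events: List[Dict]) -> Dict[Tuple[str, str, int], int]:
    """Deny totals keyed by (acl, protocol, destination port), for boundary review."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["acl"], e["proto"], e["dport"])] += 1
    return dict(counts)

if __name__ == "__main__":
    evs = parse_denies(SAMPLE_LOG.splitlines())
    print(f"{len(evs)} deny events")
    for a in detect_scans(evs, port_threshold=5, host_threshold=3):
        print("ALERT", a)
    for key, n in sorted(denies_by_acl(evs).items()):
        print(key, n)
```

The per-batch logic is deliberately stateless; a SIEM would apply the same counting over a sliding time window and suppress known scanners such as your own vulnerability-management hosts.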

7. Test and Validate Segmentation

Use tools like ping, traceroute, and port scanners (e.g., Nmap) from each zone to verify that only expected traffic is allowed. For example, from a workstation in the internal LAN, attempt to connect to the DMZ web server on port 443 (should succeed) and to the database server on port 3306 (should fail). Check that Internet hosts cannot initiate connections to internal IPs. Verify that ACLs are effective by generating test traffic and checking hit counts.

8. Document and Maintain

Create a zone diagram showing subnets, VLANs, firewall interfaces, and rule sets. Document the purpose of each rule and the business justification. Schedule periodic reviews (e.g., quarterly) to remove obsolete rules. Use version control for configuration files. Train staff on zone change procedures. Maintain a change log for all segmentation modifications.

What This Looks Like on the Job

Scenario 1: E-commerce Company with PCI DSS Compliance

An online retailer must protect credit card data. The network is segmented into three zones: DMZ (web servers), internal LAN (application servers), and restricted zone (database servers storing cardholder data). The firewall between DMZ and internal LAN only allows HTTPS from web to app servers on a specific port (e.g., 8443). The firewall between internal LAN and restricted zone only allows SQL traffic from app servers to database servers on port 3306, and only from specific source IPs. Management access to the restricted zone is via a bastion host in the DMZ that requires SSH key authentication and logs all sessions. This design meets PCI DSS requirement 1.2.1: "Restrict traffic between trusted networks and untrusted networks."

Misconfiguration: If the firewall inadvertently allows SSH from the internal LAN to the database zone, an attacker who compromises an app server could pivot to the database.

Common scale: The company has 10 web servers, 5 app servers, and 2 database servers, handling 50,000 transactions per day.

Performance considerations: Stateful firewall inspection adds microseconds of latency; ensure firewall throughput exceeds peak traffic (e.g., 1 Gbps).

Scenario 2: Hospital with HIPAA Requirements

A hospital network separates patient records (EHR) from guest Wi-Fi and medical devices.

Zone A: Guest Wi-Fi (VLAN 100) - only Internet access, no access to internal resources.

Zone B: Medical devices (VLAN 200) - isolated from other zones, but must communicate with a central monitoring server in Zone C.

Zone C: Internal LAN (VLAN 300) - includes workstations and the monitoring server.

Zone D: EHR database (VLAN 400) - only accessible from specific application servers in Zone C.

Firewall rules: Allow from Zone B to Zone C on port 443 (HTTPS) to the monitoring server only. Allow from Zone C to Zone D on port 1433 (SQL) from app server IPs only. Deny all other traffic.

Problem: A nurse's workstation in Zone C gets infected with malware. Because segmentation is in place, the malware cannot reach the EHR database directly; it must go through the app server, which has additional authentication.

Misconfiguration: If the firewall rule for Zone B is too broad (e.g., allow any to any), an attacker could use a compromised medical device to scan the internal LAN.

Performance: Medical devices generate continuous telemetry; ensure the firewall can handle 10,000+ small packets per second.

Scenario 3: Multi-tenant Data Center

A colocation provider offers isolated environments for multiple customers. Using VRFs on routers and VLANs on switches, each customer gets their own zone. Inter-VRF traffic is blocked unless explicitly permitted via route leaking. For example, Customer A's VRF (VLAN 10-19) cannot see Customer B's VRF (VLAN 20-29). The provider also segments management traffic (VLAN 999) from customer traffic. A firewall at the edge enforces policies between customer zones and the Internet.

Common issue: Misconfigured route leaking accidentally exposes one customer's routes to another. To prevent this, use separate routing tables and apply strict import/export route maps.

Scale: 100+ customers, each with multiple VLANs. Firewall must support 10,000+ concurrent sessions per customer.

How N10-009 Actually Tests This

What N10-009 Tests

Objective 4.2 specifically covers "Given a scenario, implement network segmentation." The exam expects you to understand:

Zone types: DMZ, intranet, extranet, guest network, honeynet, quarantine (NAC).

Segmentation methods: VLANs, VRFs, ACLs, firewall rules, subnetting, physical separation.

Best practices: Default deny, least privilege, separation of management and data planes.

Common misconfigurations: VLAN hopping (native VLAN attack), missing ACL deny, overly permissive firewall rules.

Common Wrong Answers and Why

1. "Place the web server in the internal LAN to protect it." Wrong because internal LAN has less restrictive outbound rules; a compromised web server could then attack internal hosts. The correct placement is DMZ.

2. "Use a single VLAN for all devices to simplify management." Wrong because this eliminates segmentation, allowing any device to reach any other. The exam expects segmentation for security.

3. "Set all firewall security levels to 100 for maximum security." Wrong because traffic between interfaces with the same security level is blocked by default on ASA; you need different levels to allow traffic flow. The correct approach is to assign appropriate levels (0, 50, 100) and use ACLs.

4. "ACLs should be applied outbound to filter incoming traffic." Wrong because an inbound ACL filters packets as they arrive on the interface, before the routing decision, so unwanted traffic is dropped without being routed at all; an outbound ACL on the egress interface only sees traffic that has already been routed. The exam tests directionality.

Numbers and Values to Memorize

Security level range: 0 (least trusted) to 100 (most trusted).

Default native VLAN: 1 (change it).

Common DMZ subnet: /24.

Firewall default rule: Deny all inbound.

ACL implicit rule: Deny all at the end.

802.1Q tag size: 4 bytes (2 bytes TPID, 2 bytes TCI).
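The 4-byte tag is easy to verify in code. The Python below is an added example (not from the chapter and not any switch vendor's code) that builds constructed Ethernet II frames with zero or more 802.1Q tags, parses the TPID (0x8100) and the TCI fields (3-bit PCP, 1-bit DEI, 12-bit VID), and then applies the ingress policy a switch port or a monitoring sensor should enforce: untagged frames only on access ports, one tag from the allowed list on trunks, and stacked tags rejected. `build_frame`, `parse_frame`, `assign_vlan`, the MAC addresses and the payload are constructed names and values.

```python
import struct
from typing import Dict, List, Optional, Set

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

def build_frame(dst: bytes, src: bytes, vids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Constructed test helper: Ethernet II frame carrying zero or more 802.1Q tags
    (PCP 0, DEI 0). Each tag is the 2-byte TPID 0x8100 followed by the 2-byte TCI."""
    tags = b"".join(struct.pack("!HH", TPID_8021Q, vid & 0x0FFF) for vid in vids)
    return dst + src + tags + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> Dict:
    """Return MACs, the 802.1Q tags (outermost first), the real EtherType and the payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    offset, tags = 12, []
    while True:
        if offset + 2 > len(frame):
            raise ValueError("truncated frame")
        tpid = struct.unpack_from("!H", frame, offset)[0]
        if tpid != TPID_8021Q:
            break                                   # this 16-bit field is the EtherType
        if offset + 4 > len(frame):
            raise ValueError("truncated 802.1Q tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        tags.append({"pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
        offset += 4                                 # 2-byte TPID + 2-byte TCI
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": tpid, "payload": frame[offset + 2:]}

def assign_vlan(frame: bytes, port_mode: str, port_vlan: int,
                allowed: Optional[Set[int]] = None) -> Dict:
    """Ingress decision for one frame. 'access' ports take untagged frames only and put
    them in port_vlan; 'trunk' ports put untagged frames in the native VLAN (port_vlan)
    and accept exactly one tag whose VID is in the allowed set. A real switch only looks
    at the outer tag; rejecting stacked 0x8100 tags outright is the stricter policy a
    sensor or a hardened port can apply."""
    tags = parse_frame(frame)["tags"]
    if port_mode == "access":
        if tags:
            return {"accepted": False, "vid": None, "reason": "tagged frame on access port"}
        return {"accepted": True, "vid": port_vlan, "reason": "untagged, access VLAN"}
    if port_mode != "trunk":
        raise ValueError("port_mode must be 'access' or 'trunk'")
    if not tags:
        return {"accepted": True, "vid": port_vlan, "reason": "untagged, native VLAN"}
    if len(tags) > 1:
        return {"accepted": False, "vid": None, "reason": "stacked 802.1Q tags"}
    vid = tags[0]["vid"]
    if allowed is not None and vid not in allowed:
        return {"accepted": False, "vid": None, "reason": "VID not allowed on trunk"}
    return {"accepted": True, "vid": vid, "reason": "tagged"}

# Constructed locally administered MACs and a placeholder payload (not a real IP packet)
DST = bytes.fromhex("0200000000aa")
SRC = bytes.fromhex("0200000000bb")
PAYLOAD = b"\x45" + b"\x00" * 19

def demo() -> Dict:
    untagged = build_frame(DST, SRC, [], ETHERTYPE_IPV4, PAYLOAD)
    tagged10 = build_frame(DST, SRC, [10], ETHERTYPE_IPV4, PAYLOAD)
    stacked = build_frame(DST, SRC, [10, 30], ETHERTYPE_IPV4, PAYLOAD)
    trunk_allowed = {10, 20, 30}
    return {
        "tag_bytes": len(tagged10) - len(untagged),                         # 4
        "access_untagged": assign_vlan(untagged, "access", 20)["vid"],       # 20
        "access_tagged": assign_vlan(tagged10, "access", 20)["accepted"],    # False
        "trunk_tagged": assign_vlan(tagged10, "trunk", 999, trunk_allowed)["vid"],   # 10
        "trunk_untagged": assign_vlan(untagged, "trunk", 999, trunk_allowed)["vid"], # 999
        "trunk_stacked": assign_vlan(stacked, "trunk", 999, trunk_allowed)["accepted"],  # False
    }

if __name__ == "__main__":
    print(demo())
```

Note that `trunk_untagged` lands in VLAN 999: that is why the chapter tells you to move the native VLAN to an unused number, so an untagged frame arriving on a trunk ends up somewhere with no hosts rather than in a production VLAN.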

Edge Cases and Exceptions

Traffic between same security level: On Cisco ASA, by default, traffic between interfaces with the same security level is blocked. To allow it, you must enable `same-security-traffic permit inter-interface`.

VLAN 1: Carries CDP, VTP, PAgP, DTP by default. Using VLAN 1 for user traffic is a security risk.

Private VLANs: Used to isolate ports within the same VLAN (e.g., isolated port can only talk to promiscuous port). Not common on N10-009 but may appear.

How to Eliminate Wrong Answers

If a question asks where to place a public web server, eliminate answers that put it in the internal LAN or on the outside (Internet) without a firewall.

If a question asks about preventing VLAN hopping, eliminate answers that suggest using VLAN 1 as native or enabling DTP on access ports.

If a question asks about firewall rules, look for the order: specific rules before general, and an explicit deny at the end.

For segmentation methods, remember that VLANs work at Layer 2, ACLs at Layer 3/4, and firewalls at multiple layers.

Key Takeaways

Security zones group assets with similar trust levels; segmentation enforces least privilege.

Common zones: Internet (untrusted), DMZ (semi-trusted), internal LAN (trusted), restricted (highly trusted).

Firewall default rule: deny all inbound; ACL implicit deny at end.

VLANs operate at Layer 2; use 802.1Q tagging. Change native VLAN from 1 to prevent hopping.

Cisco ASA security levels: 0 (outside), 50 (DMZ), 100 (inside).

DMZ must be placed on a separate firewall interface or between two firewalls.

Guest Wi-Fi should be on a separate VLAN with no access to internal resources.

Management traffic should be on a dedicated VLAN/zone (out-of-band).

Always place specific ACL rules before general ones; order matters.

Document zone architecture and review ACLs regularly.

NAC can dynamically assign devices to quarantine zones based on posture.

VRFs provide Layer 3 isolation on the same router.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

VLAN Segmentation

Operates at Layer 2 (MAC address-based).

No traffic filtering between VLANs without a Layer 3 device.

Isolation is logical; vulnerable to VLAN hopping.

Low latency; hardware-based switching.

Best for internal network segmentation (e.g., departments).

Firewall Segmentation

Operates at Layer 3/4 (IP address/port-based).

Stateful inspection; can block or allow specific traffic.

Stronger security; can inspect application layer (NGFW).

Higher latency due to processing; may require dedicated hardware.

Best for zone boundaries (e.g., DMZ to internal).

Watch Out for These

Mistake: VLANs provide complete security isolation.

Correct: VLANs are logical segmentation at Layer 2, but they can be bypassed via VLAN hopping attacks (double tagging, switch spoofing). True isolation requires firewalls and ACLs at Layer 3/4.

Mistake: A DMZ is a single subnet with all public servers.

Correct: A DMZ can be multiple subnets (e.g., web DMZ, application DMZ) with different security levels. Best practice is to separate tiers within the DMZ.

Mistake: Firewall security levels alone control all traffic.

Correct: Security levels define default behavior (higher to lower allowed), but explicit ACLs are still needed for granular control. Traffic between same levels is blocked unless configured otherwise.

Mistake: ACLs are applied in any order; the most specific rule is used.

Correct: ACLs are processed sequentially top-down. The first matching rule is applied, regardless of specificity. Always place more specific rules before general ones.

Mistake: Guest Wi-Fi should have full Internet access with no restrictions.

Correct: Guest Wi-Fi should be isolated from internal resources, but it should still have basic security controls like DNS filtering, bandwidth limits, and possibly a captive portal.


Frequently Asked Questions

What is the difference between a DMZ and an intranet?

A DMZ (demilitarized zone) is a network segment that exposes public-facing services (web, email, DNS) to the Internet, while protecting the internal LAN. An intranet is a private network internal to an organization, accessible only by employees. The DMZ is semi-trusted; the intranet is trusted. On the exam, remember that DMZ hosts are accessible from the Internet but isolated from internal hosts.

How do I prevent VLAN hopping attacks?

VLAN hopping can occur via switch spoofing (attacker pretends to be a trunk) or double tagging. Mitigations: disable Dynamic Trunking Protocol (DTP) on access ports (set to `switchport mode access`), set the native VLAN to an unused VLAN (e.g., VLAN 999), and explicitly prune unused VLANs on trunk links. Also, use dedicated trunk ports and avoid using VLAN 1.

What is the default security level on a Cisco ASA interface?

The default security level is 0 for all interfaces unless explicitly configured. Common practice: outside=0, DMZ=50, inside=100. Traffic from higher to lower is allowed by default (stateful); lower to higher is denied. You must configure ACLs to permit traffic from lower to higher.

Can I use VLANs alone to secure a network?

No. VLANs provide logical separation at Layer 2, but they do not filter traffic. Devices in different VLANs can still communicate via a router or Layer 3 switch if routing is enabled. To enforce security, you need ACLs on the Layer 3 device or a firewall between VLANs.

What is the purpose of a honeynet in security zone design?

A honeynet is a decoy network that mimics a real network to attract attackers. It is isolated from the production network and monitored to study attack techniques. On the exam, honeynets are considered a type of security zone (low trust) used for threat intelligence.

How does NAC relate to segmentation?

Network Access Control (NAC) can dynamically assign endpoints to specific VLANs/zones based on authentication, device posture, or compliance. For example, a non-compliant device may be placed in a quarantine VLAN with limited access until it is remediated.

What is the difference between a stateful firewall and an ACL?

A stateful firewall tracks the state of connections (e.g., TCP handshake) and allows return traffic automatically. An ACL is stateless; it examines each packet individually and requires explicit rules for return traffic. Stateful firewalls are more secure and easier to manage.
