Network zoning is the practice of dividing a network into distinct segments based on trust levels, function, and security requirements. The DMZ (Demilitarised Zone) is the most well-known zone — a segregated area between the external internet and the internal network that hosts public-facing services.
A flat network with no internal boundaries allows an attacker who compromises a single system to move freely to any other system. Network zones contain breaches by creating boundaries that require explicit permission to cross.
| Problem | Solution |
|---|---|
| Lateral movement after initial compromise | Zone boundaries restrict east-west traffic |
| All servers exposed to all users | Only necessary traffic flows between zones |
| Single breach compromises everything | Blast radius limited to the compromised zone |
| Compliance requirements (PCI DSS, ISO 27001) | Documented zones demonstrate control |
| Zone | Trust Level | Purpose | Examples |
|---|---|---|---|
| External (Internet) | Untrusted | Public internet traffic | Any external source |
| DMZ | Semi-trusted | Public-facing services | Web servers, mail relays, DNS servers |
| Internal / Corporate | Trusted | Employee workstations, printers, internal apps | User PCs, internal web apps |
| Server / Data Centre | High trust | Backend servers and databases | Application servers, database servers |
| Management | Highest trust | Network device administration | Switch/router consoles, firewall management |
| Guest | Untrusted | Visitor internet access | Guest Wi-Fi, contractor access |
| IoT / OT | Low trust | Internet of Things and operational technology | Cameras, sensors, SCADA systems |
| Development / Staging | Medium trust | Testing and development environments | Dev servers, CI/CD pipelines |
The DMZ is a network zone that sits between the external internet and the internal network. It hosts services that must be accessible from the internet but should not have direct access to internal systems.
```
     Internet
         │
         ▼
┌──────────────────┐
│ External Firewall│
└────────┬─────────┘
         │
┌────────▼─────────┐
│       DMZ        │
│                  │
│  [Web Server]    │
│  [Mail Relay]    │
│  [Reverse Proxy] │
│  [Public DNS]    │
└────────┬─────────┘
         │
┌────────▼─────────┐
│ Internal Firewall│
└────────┬─────────┘
         │
┌────────▼─────────┐
│ Internal Network │
│                  │
│  [App Servers]   │
│  [Databases]     │
│  [User PCs]      │
└──────────────────┘
```
| Direction | Rule | Rationale |
|---|---|---|
| Internet to DMZ | Allow specific services only (HTTP, HTTPS, SMTP, DNS) | Public services need external access |
| DMZ to Internal | Deny by default; allow only specific, required connections | DMZ servers should not initiate internal connections freely |
| Internal to DMZ | Allow management and updates | Admins need to manage DMZ servers |
| DMZ to Internet | Restrict to necessary outbound (DNS, updates) | Prevent compromised DMZ servers from reaching C2 |
| Internet to Internal | Deny all | No direct path from internet to internal |
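The zone table and the DMZ rule table above describe a default-deny policy between zones, but it is easy to write a rule that is looser than the table intends (an unpinned "updates" rule that lets a compromised DMZ host reach any HTTPS server, or a database exception that applies to every DMZ host rather than one). The following Python is an added example, not code from the lesson or from LearningBro: it classifies addresses into the zones from the diagram by CIDR, encodes the direction table as explicit allow rules with default deny, and audits a constructed flow log for traffic the policy would not permit. All addresses (RFC 5737/1918 ranges), the SSH and PostgreSQL ports, the update-mirror address and the key=value log format are constructed assumptions, and "management and updates" from Internal to DMZ is modelled as SSH only.

```python
"""Zone policy checker (added example): zone classification by CIDR,
default-deny zone-to-zone rules, and a flow-log audit for policy gaps."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed address plan for the zones in the diagram. Any address that
# falls in no defined zone is treated as the untrusted internet.
ZONES = {
    "dmz":      [ipaddress.ip_network("192.0.2.0/24")],
    "internal": [ipaddress.ip_network("10.10.0.0/16")],
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone name, defaulting to 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    src_host: Optional[str] = None  # pin to a single source address when set
    dst_host: Optional[str] = None  # pin to a single destination address when set
    note: str = ""


# The lesson's direction table as explicit allows; anything not listed is
# denied, including Internet -> Internal. Hosts and ports are constructed.
RULES = [
    Rule("internet", "dmz", "tcp", 80,  note="public HTTP"),
    Rule("internet", "dmz", "tcp", 443, note="public HTTPS"),
    Rule("internet", "dmz", "tcp", 25,  note="inbound mail to relay"),
    Rule("internet", "dmz", "udp", 53,  note="public DNS"),
    Rule("internal", "dmz", "tcp", 22,  note="admin SSH to DMZ hosts"),
    Rule("dmz", "internet", "udp", 53,  note="outbound DNS resolution"),
    Rule("dmz", "internet", "tcp", 443, dst_host="203.0.113.20",
         note="package updates, pinned to the update mirror"),
    Rule("dmz", "internal", "tcp", 5432, src_host="192.0.2.10", dst_host="10.10.20.5",
         note="web server to its database only"),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (verdict, reason). Crossing a zone boundary needs an explicit rule."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone == dst_zone:
        return "allow", f"same zone ({src_zone}); no boundary crossed"
    for rule in RULES:
        if ((rule.src_zone, rule.dst_zone, rule.proto, rule.dport)
                == (src_zone, dst_zone, flow.proto, flow.dport)
                and rule.src_host in (None, flow.src)
                and rule.dst_host in (None, flow.dst)):
            return "allow", rule.note
    return "deny", f"no rule permits {src_zone} -> {dst_zone} {flow.proto}/{flow.dport}"


def parse_flow_log(line: str) -> Flow:
    """Parse one constructed 'timestamp key=value ...' flow record."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return Flow(fields["src"], fields["dst"], fields["proto"], int(fields["dport"]))


def audit(lines: List[str]) -> List[Tuple[Flow, str]]:
    """Return flows the policy would deny. Run over an export of traffic the
    firewall actually allowed: every hit is a rule gap or a bypass."""
    findings = []
    for line in lines:
        flow = parse_flow_log(line)
        verdict, reason = evaluate(flow)
        if verdict == "deny":
            findings.append((flow, reason))
    return findings


# Constructed flow records, as a firewall might export them.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=443",   # public HTTPS
    "2024-05-01T10:00:02Z src=192.0.2.10 dst=10.10.20.5 proto=tcp dport=5432",   # web -> its DB
    "2024-05-01T10:00:03Z src=192.0.2.11 dst=10.10.20.5 proto=tcp dport=5432",   # mail relay -> DB
    "2024-05-01T10:00:04Z src=192.0.2.10 dst=203.0.113.99 proto=tcp dport=443",  # DMZ -> unknown host
    "2024-05-01T10:00:05Z src=198.51.100.7 dst=10.10.5.20 proto=tcp dport=445",  # internet -> internal
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_LOG):
        print(f"DENY {flow.src} -> {flow.dst} {flow.proto}/{flow.dport}: {reason}")
```

Three of the five sample records are flagged: the mail relay reaching the database (the exception is pinned to the web server's address), the web server contacting an HTTPS host other than the update mirror (the case the "DMZ to Internet" row is meant to prevent), and a direct Internet to Internal connection. Pinning source and destination on the two cross-boundary exceptions is what keeps the rule table as tight as the lesson describes; an unpinned version of either rule would pass all five records.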