Deep ThoughtsBlog

Network+ Exam

Segmentation Zones

October 29, 2025

  • #network+

Segmentation Zones

Firewall rules can be set up based on zones.

Trusted - intranet or the local area network.

Untrusted - internet or external network.

Screened subnet - the in-between zone. It connects devices that must be reachable from the untrusted (outside) zone but with restricted access; it is where we segment off the public-facing hosts such as the web server and the email server.

Screened subnet - hosts the email server or web server. Open up ports 80, 443, 25, etc. on those servers, but not on the internal network. Internal hosts are allowed to reach the servers on the screened subnet. Controls used here: IDS, IPS, firewalls, unified threat management.

🌐 Segmentation Zones

Why it matters:

Segmentation improves security and performance by isolating traffic into logical/physical zones. Firewalls and ACLs enforce the boundaries.


🔑 Key Zones

  • Trusted Zone
    • Internal LAN (intranet).
    • Users, workstations, internal file/app servers.
    • High trust; minimal exposure to outside threats.
  • Untrusted Zone
    • External/public networks (Internet).
    • Considered hostile; all inbound traffic blocked by default.
  • Screened Subnet (DMZ / Demilitarized Zone)
    • Buffer zone between Trusted and Untrusted.
    • Hosts public-facing servers: web server (80/443), email server (25), DNS, FTP, etc.
    • Rules:
      • Allow outside users → DMZ servers only (specific ports).
      • Prevent outside users → Internal LAN.
      • Internal users → DMZ servers (as needed).

🚧 Security Controls in Zones

  • Firewalls → enforce segmentation between LAN, WAN, and DMZ.
  • IDS/IPS → monitor/stop suspicious traffic in DMZ.
  • UTM (Unified Threat Management) → bundle firewall, IPS, anti-malware.
  • ACLs → define exactly which IPs/ports can cross zone boundaries.

✅ Exam Tips

  • DMZ = screened subnet (most exam questions use “DMZ”).
  • Public servers go in the DMZ, not the internal LAN.
  • Trusted ↔ DMZ traffic is allowed (with restrictions).
  • Untrusted ↔ Trusted traffic is never direct. Must go through DMZ/firewall.
  • Default stance = deny all, then allow what’s required.
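The zone rules listed under Key Zones and the "deny all, then allow what's required" stance above can be tried out with a small policy evaluator. This is an added example, not code from the original notes: it models the three zones with constructed sample subnets (10.0.0.0/8 for the trusted LAN, 192.0.2.0/24 for the DMZ, everything else untrusted), lists the allow rules the notes describe, and lets any unmatched flow fall through to an implicit deny.

```python
"""Zone-based access policy evaluator (added example, not from the original notes).

Zone names, subnets, rules and sample flows below are constructed values
chosen to illustrate Trusted / Untrusted / Screened Subnet (DMZ) behaviour.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing: one subnet per zone.
# Any address that is in no listed subnet is treated as Untrusted (Internet).
ZONES = {
    "trusted": ip_network("10.0.0.0/8"),    # internal LAN
    "dmz": ip_network("192.0.2.0/24"),      # screened subnet (documentation range)
}


def zone_of(addr: str) -> str:
    """Map an IP address to its zone; unknown addresses are Untrusted."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    ports: frozenset   # empty frozenset means "any destination port"
    action: str        # "allow" or "deny"


# Rules are evaluated top to bottom; the first match wins.
# Nothing here allows Untrusted -> Trusted, so that traffic is never direct.
POLICY = [
    # Outside users may reach DMZ servers only on the published ports.
    Rule("untrusted", "dmz", frozenset({25, 80, 443}), "allow"),
    # Internal users may reach DMZ servers (any port, "as needed").
    Rule("trusted", "dmz", frozenset(), "allow"),
    # Explicit deny so the boundary violation shows up by name in logs.
    Rule("untrusted", "trusted", frozenset(), "deny"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> tuple:
    """Return (action, reason) for a flow crossing the firewall.

    Traffic that stays inside one zone never crosses a boundary, so the
    firewall is not consulted for it. Everything else is denied unless a
    rule explicitly allows it (default stance = deny all).
    """
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return "allow", f"intra-zone {src_zone}, no boundary crossed"
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and (not rule.ports or dst_port in rule.ports)):
            ports = sorted(rule.ports) or "any"
            return rule.action, f"rule {src_zone}->{dst_zone} ports={ports}"
    return "deny", f"implicit deny {src_zone}->{dst_zone}"


# Constructed sample flows: (source, destination, port, what it represents).
SAMPLE_FLOWS = [
    ("203.0.113.5", "192.0.2.10", 443, "Internet user -> DMZ web server"),
    ("203.0.113.5", "192.0.2.10", 22, "Internet user -> DMZ SSH (not published)"),
    ("203.0.113.5", "10.1.2.3", 445, "Internet user -> internal file server"),
    ("10.1.2.3", "192.0.2.10", 8080, "LAN workstation -> DMZ server"),
    ("10.1.2.3", "10.5.5.5", 445, "LAN workstation -> LAN file server"),
]


def run_samples() -> list:
    """Evaluate the sample flows and return [(description, action), ...]."""
    return [(desc, evaluate(s, d, p)[0]) for s, d, p, desc in SAMPLE_FLOWS]


if __name__ == "__main__":
    for s, d, p, desc in SAMPLE_FLOWS:
        action, reason = evaluate(s, d, p)
        print(f"{action:5}  {desc:45}  ({reason})")
```

Adding a rule is the only way to open a path: the Internet-to-DMZ SSH flow is denied even though the same host is reachable on 443, because the evaluator has nothing to match and lands on the implicit deny, which is exactly the exam's "deny all, then allow what's required" stance.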

Possible Question Styles:

  1. “Where should you place a public web server to prevent direct internet access to the LAN?”

    → Screened subnet/DMZ

  2. “What zone is considered hostile by default?”

    → Untrusted (Internet)

  3. “What rule prevents the internet from directly accessing the internal LAN?”

    → Implicit deny between Untrusted and Trusted zones