0 / 10 flipped
Security Zone
Tap to reveal
A logical segment of the network assigned a specific trust level, grouping devices by function and access type rather than IP address. Security policies are written as zone-to-zone relationships ("allow HTTPS from untrusted to screened") rather than as lists of IP addresses β which scales far better as networks grow. The trust level of a zone determines how strictly inbound traffic is filtered. Common zones: untrusted (internet), screened (DMZ), trusted (internal), management, database, guest. Any traffic not explicitly permitted between zones is denied by default.
Screened Zone (DMZ)
Tap to reveal
A demilitarized zone between the untrusted internet and the trusted internal network. Hosts services that must accept internet connections (web servers, mail relay, public DNS) but should not have unrestricted access to internal systems. Two-firewall DMZ model: first firewall faces internet; DMZ sits between the two firewalls; second firewall protects the internal network. A breach of a DMZ server is contained β the attacker cannot pivot directly to internal systems because a second firewall blocks that path. The screened zone limits the blast radius of a public-facing server compromise.
Attack Surface
Tap to reveal
The complete set of points through which an attacker could enter a system or extract data. Four primary components: (1) Application code β every vulnerability in deployed software; (2) Open ports and services β every listening service is an entry point; (3) Authentication interfaces β every login page, API, VPN portal; (4) Human error β misconfigurations, excessive permissions, social engineering. Attack surface management: disable unnecessary services, close unused ports, conduct code audits, enforce strict access control, monitor traffic in real time. Goal: ensure every exposed entry point serves a documented business purpose β no free gifts to attackers.
Device Placement
Tap to reveal
The architectural decision of where to position security devices in the network. Placement determines what traffic a device can see and enforce. Firewall placement: at every zone boundary β the boundary defines the enforcement point. Sensor placement: at zone boundaries and on internal segments for east-west visibility. Honeypot placement: inside zones where an attacker might pivot to β generates high-fidelity alerts with zero false positives. Load balancer placement: in front of backend servers to hide topology and terminate external connections. Device placement is a design decision made during architecture, not an afterthought.
Honeypot
Tap to reveal
A decoy system that mimics a real production resource (file server, database, domain controller) but contains no real data and serves no real function. Any access to a honeypot is inherently suspicious β there is no legitimate reason for a real user to access a system that exists only to attract attackers. Honeypots generate zero false-positive alerts: every alert is real. Their intelligence value: revealing that an attacker is active, what credentials or pivot techniques they used, and what they are looking for. A network of honeypots is a honeynet. Placement inside the trusted zone detects lateral movement from compromised internal systems.
Jump Server (Bastion Host)
Tap to reveal
The single controlled entry point for all administrative access to internal systems. All SSH, RDP, and other admin sessions route through the jump server β direct admin connections from workstations to servers are blocked at the firewall. The jump server enforces MFA, logs all sessions with full command recording, and is heavily monitored. Security benefit: reduces the administrative attack surface from every server's admin port to a single hardened system. If an attacker compromises an administrator's workstation, they still cannot access servers because all admin paths require the jump server, and the jump server requires MFA. Also called a bastion host or privileged access workstation (PAW) gateway.
IPsec
Tap to reveal
A network-layer protocol suite that encrypts and authenticates IP traffic between two endpoints. Operates at Layer 3, transparent to applications β the application sends unencrypted data; IPsec encrypts it before transmission and decrypts it on receipt. Two modes: Transport mode encrypts only the payload (used between hosts); Tunnel mode encrypts the entire IP packet and wraps it in a new header (used for site-to-site VPNs). Use cases: branch-to-HQ encryption, data center interconnects, hybrid cloud connectivity. All traffic through the tunnel is protected regardless of whether the application itself uses encryption.
VPN Concentrator
Tap to reveal
A dedicated device that terminates remote-access VPN connections and connects remote users securely to the internal network. When a remote user connects via VPN client, the concentrator authenticates them, establishes an encrypted tunnel, and routes their traffic as if they were physically on the internal network. Enforces access policies (which resources each user can reach via VPN), logs all sessions, and provides a centralized monitoring point for all remote access. Protects users connecting from untrusted networks (home, hotels, coffee shops) β the tunnel encrypts all traffic between the endpoint and the concentrator, making the underlying network infrastructure irrelevant to data confidentiality.
Application-Level vs. Network-Level Encryption
Tap to reveal
Application-level (TLS/SSL): Encrypts the application session between the app and the user. Protects the payload of a specific application's traffic. Works end-to-end between client and server application. Example: HTTPS protects the web session regardless of what the network does. Network-level (IPsec/VPN): Encrypts all IP traffic between two network endpoints β protects everything in the tunnel, regardless of whether applications themselves are encrypted. Transparent to applications. Example: IPsec tunnel between branches encrypts all traffic including unencrypted protocols like SMB. Both are necessary: TLS protects the session; IPsec protects the transport link. Use both for defense in depth.
Defense in Depth
Tap to reveal
A layered security architecture where multiple independent security controls are stacked so that defeating one layer still requires defeating all subsequent layers. The five layers in a secure infrastructure: (1) Perimeter: firewalls, WAF, IDS/IPS at the external boundary; (2) Zone segmentation: internal firewalls, VLANs, ACLs that contain lateral movement; (3) Access control: MFA, least privilege, jump servers that restrict what a compromised account can reach; (4) Monitoring: SIEM, IDS sensors, honeypots that detect attacks in progress; (5) Data protection: TLS, IPsec, disk encryption that protect data even after all other layers fail. Each layer compensates for the weaknesses of the layers above it.