Security Zone Model β Full Reference
| Zone | Trust Level | What It Contains | Typical Inbound Policy | Typical Outbound Policy |
|---|---|---|---|---|
| Untrusted (Internet) | None | The public internet; any external network the org doesn't control | Blocked by default; specific services permitted to screened zone only | N/A (originator) |
| Screened (DMZ) | Low | Web servers, mail relay, public DNS, reverse proxies, honeypots | HTTP/HTTPS/SMTP from internet; admin access via jump server only | Restricted: specific DB queries to trusted; no broad internal access |
| Trusted (Internal) | High | Employee workstations, internal servers, printers, internal services | Blocked from internet; restricted from screened zone | Permitted to internet with inspection; permitted to screened zone |
| Management Zone | Very High | Jump servers, network management systems, SIEM, out-of-band management | Access only from specific trusted hosts; MFA required | Administrative protocols (SSH/RDP) to any managed device |
| Database Zone | High | Database servers, data warehouses, backup systems | Only from application server zone on specific ports/accounts | No outbound internet access; responses only |
| Guest Zone | Untrusted | Guest Wi-Fi, BYOD devices, visitor laptops | Internet access only; no access to any internal zone | Internet access permitted; all internal zones blocked |
Zone Traffic Flow β Policy Reference
Zone policies define what is permitted between zones. Every unspecified flow is denied by default.
| Source Zone | Destination Zone | Default Policy | Permitted Exceptions |
|---|---|---|---|
| Untrusted | Screened | Deny | HTTP (80), HTTPS (443), SMTP (25) to specific servers; explicit permit rule required for each |
| Untrusted | Trusted | Deny all | None β no direct path from internet to internal; all inbound traffic terminated in screened zone |
| Screened | Trusted | Deny | Specific application queries only (e.g., web server β DB on port 5432 using service account) |
| Trusted | Untrusted | Permit with inspection | Outbound HTTPS, DNS, email; blocked: direct outbound connections on non-standard ports |
| Trusted | Screened | Permit | Admin access to DMZ servers via jump server; monitoring access |
| Guest | Any internal | Deny all | None β guest zone has internet access only; all internal zones isolated |
| Management | Any zone | Permit (admin protocols) | SSH/RDP/SNMP to managed devices; restricted to jump server source addresses |
Device Placement β Security Function Reference
| Device | Placement | Primary Security Function | Security Benefit | What It Doesn't Do |
|---|---|---|---|---|
| Firewall | Every zone boundary | Enforce zone-to-zone traffic policies; block unauthorized flows | Limits attack surface to explicitly permitted traffic; enforces segmentation | Cannot inspect encrypted payloads without TLS inspection; cannot detect insider threats |
| Honeypot | Inside screened zone or trusted zone | Attract attackers; generate alerts; gather attack intelligence | Zero-false-positive alerting (any access = suspicious); reveals attacker TTPs | Does not block attacks; does not protect real systems |
| Jump Server | Management zone; the single admin access path | Enforce MFA + logging on all admin sessions; restrict admin source addresses | Eliminates direct admin access paths; full session recording; single audit point | Does not protect against admin credential theft if jump server itself is compromised |
| Load Balancer | In front of backend server pool (screened or trusted zone) | Distribute traffic; terminate TLS; optionally enforce WAF rules | Hides backend topology; centralizes certificate management; absorbs volumetric traffic | Does not prevent application-layer attacks unless WAF is integrated |
| Network Sensor (IDS) | Zone boundaries; internal segments for east-west visibility | Monitor traffic; compare to signatures/baselines; alert on anomalies | Detects attacks that perimeter controls miss; provides visibility into lateral movement | Passive β cannot block; generates alerts that require human or SIEM response |
Attack Surface Components and Reduction Strategies
| Component | Examples | Reduction Strategy | Residual Risk |
|---|---|---|---|
| Application code | SQL injection in web app, buffer overflow in service, auth bypass in API | Code audit, SAST/DAST scanning, penetration testing, patch management | Zero-day vulnerabilities in code that has not yet been audited or publicly disclosed |
| Open ports / services | Telnet on port 23, unused FTP server, legacy SNMP v1/v2 with default community string | Disable all unnecessary services; block unused ports at firewall; harden default configs | Services required for business function remain as managed risk |
| Authentication interfaces | Web admin login, SSH, VPN portal, API keys, LDAP/AD authentication | MFA on all externally accessible interfaces; account lockout; rate limiting; privileged account separation | Credential theft via social engineering, phishing; legitimate credential abuse (insider) |
| Human error | Misconfigured firewall rule, excessive permissions granted, hardcoded credentials, clicked phishing link | Training; peer review; IaC (removes manual config steps); least privilege; segmentation limits blast radius | Cannot be eliminated; managed by reducing blast radius of any single error |
Secure Connectivity β Encryption Layer Reference
| Layer | Technology | What It Protects | Use Case | Limitation |
|---|---|---|---|---|
| Physical | Locked conduit, disabled wall jacks, 802.1X port auth | Unauthorized physical network access; passive tapping | Conference rooms, public areas, inter-building cabling | Does not protect data once it reaches the network; must be combined with logical controls |
| Application (TLS/SSL) | HTTPS, SMTPS, IMAPS, TLS database connections | Application session data in transit; end-to-end between app and user | Web traffic, email, API calls, encrypted database connections | Protects the payload; the connection metadata (IPs, timing) is still visible |
| Network (IPsec) | IPsec tunnel mode (site-to-site VPN) | All traffic between two sites, regardless of application | Branch office to HQ; data center to data center; cloud to on-prem | Does not protect application-layer attacks on decrypted traffic at the endpoint |
| Remote access (VPN) | SSL VPN, IPsec VPN, VPN concentrator | Remote user traffic over untrusted networks | Work-from-home, hotel/coffee shop access, contractor remote access | Does not protect against attacks from a compromised VPN endpoint device itself |
Defense in Depth β Layer Interaction
Each security layer should be designed to limit the blast radius of a breach at the layer above it. The question for each layer is: "If the layer above this is defeated, what does this layer prevent?"
- If the perimeter firewall is bypassed: Zone segmentation contains the attacker to one zone; internal firewalls block lateral movement to other zones
- If zone segmentation is breached: Access controls (MFA, least privilege, jump servers) limit what the attacker can access within the zone
- If access controls are bypassed with stolen credentials: Monitoring (SIEM, IDS, honeypots) detects anomalous behavior; session recording on the jump server records the activity
- If monitoring is evaded: Data encryption ensures that even if the attacker reaches the data, it cannot be read without the decryption key
- If data encryption is defeated: The architecture itself limited how much data was accessible from any single compromise β database zone isolation, least-privilege service accounts, and data classification prevent total data loss