Chapter 62 Β· Concepts

Secure Infrastructures β€” Concept Reference

Zone models, device placement logic, attack surface components, and connectivity security layers in structured reference form.

Security Zone Model β€” Full Reference

ZoneTrust LevelWhat It ContainsTypical Inbound PolicyTypical Outbound Policy
Untrusted (Internet)NoneThe public internet; any external network the org doesn't controlBlocked by default; specific services permitted to screened zone onlyN/A (originator)
Screened (DMZ)LowWeb servers, mail relay, public DNS, reverse proxies, honeypotsHTTP/HTTPS/SMTP from internet; admin access via jump server onlyRestricted: specific DB queries to trusted; no broad internal access
Trusted (Internal)HighEmployee workstations, internal servers, printers, internal servicesBlocked from internet; restricted from screened zonePermitted to internet with inspection; permitted to screened zone
Management ZoneVery HighJump servers, network management systems, SIEM, out-of-band managementAccess only from specific trusted hosts; MFA requiredAdministrative protocols (SSH/RDP) to any managed device
Database ZoneHighDatabase servers, data warehouses, backup systemsOnly from application server zone on specific ports/accountsNo outbound internet access; responses only
Guest ZoneUntrustedGuest Wi-Fi, BYOD devices, visitor laptopsInternet access only; no access to any internal zoneInternet access permitted; all internal zones blocked

Zone Traffic Flow β€” Policy Reference

Zone policies define what is permitted between zones. Every unspecified flow is denied by default.

Source ZoneDestination ZoneDefault PolicyPermitted Exceptions
UntrustedScreenedDenyHTTP (80), HTTPS (443), SMTP (25) to specific servers; explicit permit rule required for each
UntrustedTrustedDeny allNone β€” no direct path from internet to internal; all inbound traffic terminated in screened zone
ScreenedTrustedDenySpecific application queries only (e.g., web server β†’ DB on port 5432 using service account)
TrustedUntrustedPermit with inspectionOutbound HTTPS, DNS, email; blocked: direct outbound connections on non-standard ports
TrustedScreenedPermitAdmin access to DMZ servers via jump server; monitoring access
GuestAny internalDeny allNone β€” guest zone has internet access only; all internal zones isolated
ManagementAny zonePermit (admin protocols)SSH/RDP/SNMP to managed devices; restricted to jump server source addresses

Device Placement β€” Security Function Reference

DevicePlacementPrimary Security FunctionSecurity BenefitWhat It Doesn't Do
FirewallEvery zone boundaryEnforce zone-to-zone traffic policies; block unauthorized flowsLimits attack surface to explicitly permitted traffic; enforces segmentationCannot inspect encrypted payloads without TLS inspection; cannot detect insider threats
HoneypotInside screened zone or trusted zoneAttract attackers; generate alerts; gather attack intelligenceZero-false-positive alerting (any access = suspicious); reveals attacker TTPsDoes not block attacks; does not protect real systems
Jump ServerManagement zone; the single admin access pathEnforce MFA + logging on all admin sessions; restrict admin source addressesEliminates direct admin access paths; full session recording; single audit pointDoes not protect against admin credential theft if jump server itself is compromised
Load BalancerIn front of backend server pool (screened or trusted zone)Distribute traffic; terminate TLS; optionally enforce WAF rulesHides backend topology; centralizes certificate management; absorbs volumetric trafficDoes not prevent application-layer attacks unless WAF is integrated
Network Sensor (IDS)Zone boundaries; internal segments for east-west visibilityMonitor traffic; compare to signatures/baselines; alert on anomaliesDetects attacks that perimeter controls miss; provides visibility into lateral movementPassive β€” cannot block; generates alerts that require human or SIEM response

Attack Surface Components and Reduction Strategies

ComponentExamplesReduction StrategyResidual Risk
Application codeSQL injection in web app, buffer overflow in service, auth bypass in APICode audit, SAST/DAST scanning, penetration testing, patch managementZero-day vulnerabilities in code that has not yet been audited or publicly disclosed
Open ports / servicesTelnet on port 23, unused FTP server, legacy SNMP v1/v2 with default community stringDisable all unnecessary services; block unused ports at firewall; harden default configsServices required for business function remain as managed risk
Authentication interfacesWeb admin login, SSH, VPN portal, API keys, LDAP/AD authenticationMFA on all externally accessible interfaces; account lockout; rate limiting; privileged account separationCredential theft via social engineering, phishing; legitimate credential abuse (insider)
Human errorMisconfigured firewall rule, excessive permissions granted, hardcoded credentials, clicked phishing linkTraining; peer review; IaC (removes manual config steps); least privilege; segmentation limits blast radiusCannot be eliminated; managed by reducing blast radius of any single error

Secure Connectivity β€” Encryption Layer Reference

LayerTechnologyWhat It ProtectsUse CaseLimitation
PhysicalLocked conduit, disabled wall jacks, 802.1X port authUnauthorized physical network access; passive tappingConference rooms, public areas, inter-building cablingDoes not protect data once it reaches the network; must be combined with logical controls
Application (TLS/SSL)HTTPS, SMTPS, IMAPS, TLS database connectionsApplication session data in transit; end-to-end between app and userWeb traffic, email, API calls, encrypted database connectionsProtects the payload; the connection metadata (IPs, timing) is still visible
Network (IPsec)IPsec tunnel mode (site-to-site VPN)All traffic between two sites, regardless of applicationBranch office to HQ; data center to data center; cloud to on-premDoes not protect application-layer attacks on decrypted traffic at the endpoint
Remote access (VPN)SSL VPN, IPsec VPN, VPN concentratorRemote user traffic over untrusted networksWork-from-home, hotel/coffee shop access, contractor remote accessDoes not protect against attacks from a compromised VPN endpoint device itself

Defense in Depth β€” Layer Interaction

Each security layer should be designed to limit the blast radius of a breach at the layer above it. The question for each layer is: "If the layer above this is defeated, what does this layer prevent?"