Security Zone
A logical segment of the network assigned a specific trust level. Security zones group devices by their function and access type rather than by IP address range β making them more flexible than subnet-based segmentation. A zone defines the trust level of everything inside it: devices in a trusted zone are assumed to be controlled and authorized; devices in an untrusted zone are assumed to be potentially hostile. Security policies are written as zone-to-zone rules ("allow HTTP from untrusted to screened") rather than as IP-address rules, which simplifies management as the network scales.
Trusted Zone
The internal network zone containing devices and users that the organization controls and considers authorized. Systems in the trusted zone β employee workstations, internal servers, printers, internal services β are not directly accessible from the internet. Outbound traffic from the trusted zone to the internet is generally permitted with inspection; inbound traffic from untrusted zones to the trusted zone is blocked by default. The trusted zone is not inherently safe β insider threats, lateral movement from a compromised device, and misconfigured ACLs all represent risks within the trusted zone β but it carries a higher default trust level than any external zone.
Untrusted Zone
The external zone containing networks the organization does not control β primarily the internet. All traffic originating from the untrusted zone is assumed to be potentially hostile until explicitly permitted. The firewall sits at the boundary between untrusted and screened/trusted zones, blocking all inbound traffic from untrusted by default and permitting only specific, explicitly authorized services. The untrusted zone is not restricted to the public internet β any network the organization does not control (a partner's network, a guest Wi-Fi segment, a contractor's device) should be treated as untrusted until proven otherwise.
Screened Zone (DMZ)
A demilitarized zone β a network segment that sits between the untrusted internet and the trusted internal network. The screened zone hosts services that must be accessible from the internet but should not have unrestricted access to internal systems: web servers, mail relay servers, public DNS servers, reverse proxies. Traffic from the internet is permitted to reach the screened zone on specific ports; traffic from the screened zone to the trusted internal network is tightly restricted. A compromised server in the screened zone is isolated from the internal network β the attacker cannot pivot directly from the DMZ host to internal systems without crossing another firewall boundary.
Attack Surface
The complete set of points β code, open ports, authentication interfaces, and human factors β through which an attacker could potentially enter a system or extract data. The attack surface is not a static measurement: it grows when new services are deployed, new ports are opened, new code is added, or new users are granted access. It shrinks when unnecessary services are disabled, ports are closed, code is patched, and access is revoked. The goal of attack surface management is to minimize the size of the surface so that every exposed entry point serves a documented business purpose and represents an acceptable, managed risk.
Device Placement
The architectural discipline of positioning security and network devices to maximize traffic visibility and control effectiveness. Where a device is placed determines what traffic it sees, what threats it can detect, and what it can enforce. A firewall placed at a zone boundary enforces policies for all traffic crossing that boundary. A sensor placed on an internal segment monitors east-west lateral movement. A load balancer in front of web servers hides backend topology and terminates external connections. Device placement is a design decision made during architecture β not an implementation detail to be sorted out during deployment.
Honeypot
A decoy system designed to attract attackers, generate intelligence about attack methods, and alert defenders when accessed. A honeypot mimics a real production system (a web server, a database, a file share) but contains no real data and serves no real function. Because legitimate users have no reason to access a honeypot, any connection to it is inherently suspicious. Honeypots generate high-fidelity alerts: no false positives. They may be placed in the DMZ (to appear as a target server) or inside the trusted network (to detect lateral movement). A network of multiple honeypots is called a honeynet.
Jump Server (Bastion Host)
A hardened intermediary server that acts as the single, controlled entry point for all administrative access to internal systems. Rather than allowing administrators to SSH or RDP directly from workstations to servers, all administrative sessions are routed through the jump server. The jump server enforces multi-factor authentication, logs all sessions with full command recording, and is the only host from which administrative connections to internal systems are permitted. By concentrating administrative access through a single monitored system, the jump server dramatically reduces the administrative attack surface and creates a complete audit trail of all privileged actions.
Load Balancer
A network device that distributes incoming traffic across multiple backend servers. Beyond performance β preventing any single server from being overwhelmed β load balancers provide security benefits: they sit in front of backend servers, hiding the number and addresses of those servers from external view; they can terminate TLS connections, centralizing certificate management; and many load balancers integrate WAF functionality that inspects application-layer traffic for attacks before forwarding to backend systems. A load balancer is a natural chokepoint that enforces consistent security policy for all traffic reaching backend servers.
Network Sensor
A passive monitoring device placed at strategic points in the network to capture and analyze traffic. Sensors feed data to IDS (intrusion detection system) engines that compare traffic patterns against known attack signatures or behavioral baselines, and to SIEM systems that correlate events across the environment. Unlike firewalls, sensors typically do not block traffic β they observe and report. Sensor placement determines visibility: a sensor on the network segment between the DMZ firewall and internal servers monitors east-west traffic from potentially compromised DMZ hosts; a sensor at the internet boundary monitors all inbound and outbound traffic.
IPsec (Internet Protocol Security)
A network-layer protocol suite that encrypts and authenticates IP traffic between two endpoints β typically two network sites (site-to-site VPN) or a remote user and a network gateway. IPsec operates at Layer 3 (IP layer), below the application layer, making it transparent to applications: the application sends plain traffic; IPsec encrypts it before transmission and decrypts it on receipt. IPsec supports two modes: Transport mode (encrypts only the payload of each IP packet, used for host-to-host communication) and Tunnel mode (encrypts the entire IP packet and wraps it in a new IP header, used for site-to-site VPNs). IPsec provides confidentiality, integrity, and authentication for all traffic in the tunnel.
VPN Concentrator
A dedicated device that terminates VPN connections from remote users and connects them securely to the internal network. When a remote user connects through a VPN client, the concentrator authenticates the user, establishes an encrypted tunnel, and routes the user's traffic as if they were physically on the internal network. The concentrator enforces access policies (which internal resources a remote user can reach), logs all sessions, and provides a central point for monitoring remote access activity. VPN concentrators protect remote users connecting from untrusted networks (home Wi-Fi, hotel networks, coffee shops) from traffic interception.