Segmentation, VLANs, DMZ, and Microsegmentation
Key Takeaways
- Segmentation limits which systems can communicate and reduces blast radius after compromise.
- VLANs separate Layer 2 broadcast domains, but routing and ACLs are still needed to enforce security between VLANs.
- A DMZ hosts services that must face less trusted networks while limiting access to internal systems.
- Microsegmentation applies granular policy between workloads, often using software-defined controls.
- Exam questions often test allowed flows, default deny logic, and avoiding direct public access to sensitive systems.
Segmentation divides a network into security zones. The reason is simple: if one device is compromised, the attacker should not automatically reach everything else.
Segmentation Terms
| Term | Meaning | Exam clue |
|---|---|---|
| VLAN | Logical Layer 2 segment | Separate user, server, voice, or guest networks |
| Subnet | Layer 3 IP network | Routing and ACLs decide inter-subnet access |
| DMZ | Semi-trusted zone for public-facing services | Public web server separated from internal database |
| East-west traffic | Traffic between internal systems | Lateral movement concern |
| North-south traffic | Traffic entering or leaving the network | Internet edge control concern |
| Microsegmentation | Fine-grained workload-to-workload policy | Limit app server to one database service |
Important: a VLAN alone is not a complete security control. If routing between VLANs is open, users in one VLAN may still reach systems in another. Use router ACLs, firewall rules, or software-defined policy to enforce boundaries.
Common Zone Model
| Zone | Typical systems | Allowed access |
|---|---|---|
| Internet | External users and attackers | Only published services |
| DMZ | Reverse proxy, public web, mail gateway | Limited paths to internal app services |
| Application zone | Internal app servers and APIs | Required database and service calls |
| Data zone | Databases and storage | Only approved app or admin paths |
| User zone | Employee workstations | Business apps, not direct database admin |
| Management zone | Jump hosts, monitoring, admin tools | Admin protocols to approved targets |
| Guest zone | Visitors and unmanaged devices | Internet only, no internal access |
ACL Mini Example
Scenario: Guest Wi-Fi, employee workstations, application servers, and a database are separated into VLANs.
| Rule | Source | Destination | Service | Action | Reason |
|---|---|---|---|---|---|
| 1 | Guest VLAN | Internet | HTTP/HTTPS/DNS | Allow | Guest internet use |
| 2 | Guest VLAN | Internal RFC1918 ranges | Any | Deny | Prevent internal access |
| 3 | User VLAN | App VLAN | HTTPS | Allow | Users access business app |
| 4 | User VLAN | Database VLAN | Any | Deny | No direct database access |
| 5 | App VLAN | Database VLAN | TCP 5432 | Allow | Required app data flow |
| 6 | Any | Any | Any | Deny/log | Default deny |
Security+ PBQs often ask for the missing deny rule. If a database should only receive traffic from the app tier, do not allow the whole user subnet. Rule order matters too: most ACLs are evaluated top-down and the first match wins, so a broad allow placed above a specific deny (for example, "Guest to Any" written where "Guest to Internet" was meant) silently defeats the deny beneath it.
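The ACL above, run through a first-match evaluator so the intended flows and the ordering trap can be checked rather than eyeballed. This is an added example, not code from the original page; the VLAN subnets, the sample host addresses and the reading of "Internet" as "any non-RFC1918 address" are assumptions chosen for illustration.

```python
"""First-match evaluator for the guest/user/app/database ACL.

Added example, not code from the original page. The VLAN address ranges,
the sample host addresses and the meaning of "Internet" (any non-RFC1918
address) are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed VLAN addressing; the page names the VLANs but gives no subnets.
VLANS = {
    "Guest": ipaddress.ip_network("192.168.50.0/24"),
    "User": ipaddress.ip_network("10.0.1.0/24"),
    "App": ipaddress.ip_network("10.0.2.0/24"),
    "Database": ipaddress.ip_network("10.0.3.0/24"),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str        # VLAN name, "Internal", "Internet" or "Any"
    dst: str
    ports: object   # frozenset of destination ports, or ANY
    action: str     # "allow" or "deny"
    reason: str


def in_scope(addr, scope):
    """Does an address fall inside a rule's source/destination scope?"""
    private = any(addr in net for net in RFC1918)
    if scope == "Any":
        return True
    if scope == "Internal":
        return private
    if scope == "Internet":
        return not private
    return addr in VLANS[scope]


def evaluate(rules, src_ip, dst_ip, dst_port):
    """Top-down, first match wins. Returns (action, 1-based rule number);
    a flow that matches nothing hits the implicit deny and reports rule None."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for num, rule in enumerate(rules, start=1):
        if in_scope(src, rule.src) and in_scope(dst, rule.dst) \
                and (rule.ports == ANY or dst_port in rule.ports):
            return rule.action, num
    return "deny", None


WEB_DNS = frozenset({53, 80, 443})

# The page's ACL, in the page's order.
ACL = [
    Rule("Guest", "Internet", WEB_DNS, "allow", "Guest internet use"),
    Rule("Guest", "Internal", ANY, "deny", "Prevent internal access"),
    Rule("User", "App", frozenset({443}), "allow", "Users access business app"),
    Rule("User", "Database", ANY, "deny", "No direct database access"),
    Rule("App", "Database", frozenset({5432}), "allow", "Required app data flow"),
    Rule("Any", "Any", ANY, "deny", "Default deny, log"),
]

# A common mistake: "Internet" written as "Any" in rule 1. Evaluation stops at
# the first match, so the deny in rule 2 is never reached for guest web traffic.
MISORDERED = [Rule("Guest", "Any", WEB_DNS, "allow", "Guest internet use")] + ACL[1:]

# Constructed sample flows: (source, destination, port, what the design intends).
FLOWS = [
    ("192.168.50.20", "8.8.8.8", 443, "allow"),    # guest browsing
    ("192.168.50.20", "10.0.2.10", 443, "deny"),   # guest -> internal app over HTTPS
    ("10.0.1.15", "10.0.2.10", 443, "allow"),      # user -> app over HTTPS
    ("10.0.1.15", "10.0.3.10", 5432, "deny"),      # user -> database directly
    ("10.0.2.10", "10.0.3.10", 5432, "allow"),     # app -> database
    ("10.0.2.10", "10.0.3.10", 22, "deny"),        # app -> database SSH, not required
]


def audit(rules, flows=FLOWS):
    """Return the flows whose outcome differs from the intended one."""
    return [(s, d, p, evaluate(rules, s, d, p)) for s, d, p, want in flows
            if evaluate(rules, s, d, p)[0] != want]


if __name__ == "__main__":
    print("page ACL mismatches:", audit(ACL))          # []
    print("misordered ACL mismatches:", audit(MISORDERED))
```

Running it reports no mismatches for the page's ACL and exactly one for the misordered copy: guest traffic to the app server on 443 is allowed by rule 1 before the internal deny is consulted. The same harness is a cheap way to regression-test a real ACL export against the flows a design is supposed to permit.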
DMZ Design Example
Public users need to reach a website. The website needs data from an internal application API. The database contains confidential customer data.
Safer placement:
- Reverse proxy or web front end in the DMZ.
- Application API in an internal application zone.
- Database in a data zone.
- Firewall rule: internet to DMZ HTTPS only.
- Firewall rule: DMZ web to app API only.
- Firewall rule: app API to database port only.
- Deny internet to app and database zones.
Trap: putting the database in the DMZ because the website needs it. The website needs controlled application access to data, not direct public reachability to the database.
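The safer placement and the trap above, expressed as zone-to-zone allow rules plus an asset-to-zone map, with a small breadth-first search that reports how many zone hops separate the Internet from each asset and which assets sit in a zone the Internet can reach directly. This is an added example, not code from the original page; the asset names and the "DB port" and "API" service labels are assumptions, while the zone names follow the page.

```python
"""Exposure check for the DMZ design: which assets can the Internet reach
directly, and how many zone hops sit between the Internet and the database?

Added example, not code from the original page. Asset names and service
labels are assumptions; the zone names follow the page.
"""
from collections import deque

# Allowed zone-to-zone flows only (source, destination, service). Anything not
# listed is denied, matching the page's default-deny stance. Traffic inside one
# zone needs no rule, which is exactly why the trap below is dangerous.
SAFER_RULES = [
    ("Internet", "DMZ", "HTTPS"),
    ("DMZ", "App", "API"),
    ("App", "Data", "DB port"),
]
SAFER_ASSETS = {"web": "DMZ", "api": "App", "db": "Data"}

# The trap: database moved into the DMZ "because the website needs it".
TRAP_RULES = [
    ("Internet", "DMZ", "HTTPS"),
    ("DMZ", "App", "API"),
]
TRAP_ASSETS = {"web": "DMZ", "api": "App", "db": "DMZ"}


def hops(rules, start="Internet"):
    """Breadth-first search over allowed flows: zone -> hops from start."""
    adj = {}
    for src, dst, _service in rules:
        adj.setdefault(src, set()).add(dst)
    dist, queue = {start: 0}, deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adj.get(zone, ()):
            if nxt not in dist:
                dist[nxt] = dist[zone] + 1
                queue.append(nxt)
    return dist


def exposure(rules, assets):
    """Hops from the Internet to the zone holding each asset (None = unreachable)."""
    dist = hops(rules)
    return {name: dist.get(zone) for name, zone in assets.items()}


def directly_exposed(rules, assets):
    """Assets sitting in a zone with an allowed flow straight from the Internet."""
    direct = {dst for src, dst, _ in rules if src == "Internet"}
    return sorted(name for name, zone in assets.items() if zone in direct)


def edge_violations(rules, allowed=(("DMZ", "HTTPS"),)):
    """Internet-sourced rules other than HTTPS into the DMZ break the design."""
    return [r for r in rules if r[0] == "Internet" and (r[1], r[2]) not in allowed]


if __name__ == "__main__":
    print("safer:", exposure(SAFER_RULES, SAFER_ASSETS), directly_exposed(SAFER_RULES, SAFER_ASSETS))
    print("trap: ", exposure(TRAP_RULES, TRAP_ASSETS), directly_exposed(TRAP_RULES, TRAP_ASSETS))
```

In the safer layout the database is three hops from the Internet with a firewall decision at each hop; in the trap it is one hop away, and a compromised web server shares a segment with it, so no rule stands between the attacker and the data.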
Microsegmentation
Microsegmentation narrows access between workloads. Instead of allowing every server in a subnet to talk to every other server, policy can say:
- Payment API may connect to payment database on TCP 5432.
- Inventory API may connect to inventory database on TCP 3306.
- No API may initiate admin connections to another API.
- Monitoring collector may receive telemetry from all workloads.
This is useful in virtualized, containerized, and cloud environments where workloads move frequently and subnet-level controls are too broad.
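The four policy statements above written as Kubernetes NetworkPolicy objects, with a default-deny baseline first and the required flows added on top, plus a small checker that evaluates which pod-to-pod flows the resulting set permits. This is an added example, not code from the original page or from any project; the namespace "shop", the app= pod labels and the collector port 4317 are assumptions.

```python
"""Kubernetes NetworkPolicy objects for the four microsegmentation statements,
plus a checker that evaluates which pod-to-pod flows they permit.

Added example, not code from the original page. The namespace "shop", the
app= labels and the collector port 4317 are assumptions.
"""
import json

NAMESPACE = "shop"      # assumed
COLLECTOR_PORT = 4317   # assumed OTLP/gRPC port on the monitoring collector


def _policy(name, pod_selector, types, **rules):
    spec = {"podSelector": pod_selector, "policyTypes": types, **rules}
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": name, "namespace": NAMESPACE}, "spec": spec}


def _app(label):
    return {"podSelector": {"matchLabels": {"app": label}}}


def _ports(port, protocol="TCP"):
    return [{"protocol": protocol, "port": port}]


def build_policies():
    pols = [
        # Isolate every pod in both directions; every later policy is an additive allow.
        _policy("default-deny-all", {}, ["Ingress", "Egress"]),
        # Once egress is isolated, pods still need DNS (no "to" = any destination on 53).
        _policy("allow-dns-egress", {}, ["Egress"],
                egress=[{"ports": _ports(53, "UDP") + _ports(53, "TCP")}]),
        # Monitoring collector receives telemetry from all workloads: both sides of the flow.
        _policy("allow-telemetry-egress", {}, ["Egress"],
                egress=[{"to": [_app("collector")], "ports": _ports(COLLECTOR_PORT)}]),
        _policy("collector-ingress", {"matchLabels": {"app": "collector"}}, ["Ingress"],
                ingress=[{"from": [{"podSelector": {}}], "ports": _ports(COLLECTOR_PORT)}]),
    ]
    # Each API reaches only its own database on the one required port.
    for api, db, port in (("payment-api", "payment-db", 5432),
                          ("inventory-api", "inventory-db", 3306)):
        pols.append(_policy(f"{api}-to-{db}", {"matchLabels": {"app": api}}, ["Egress"],
                            egress=[{"to": [_app(db)], "ports": _ports(port)}]))
        pols.append(_policy(f"{db}-from-{api}", {"matchLabels": {"app": db}}, ["Ingress"],
                            ingress=[{"from": [_app(api)], "ports": _ports(port)}]))
    # "No API may initiate admin connections to another API" needs no policy of its
    # own: nothing above allows API-to-API traffic, so the default deny covers it.
    return pols


def _selects(selector, labels):
    """Empty matchLabels selects every pod, as in Kubernetes."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _rule_matches(rule, peer_key, peer_labels, port, protocol):
    peers = rule.get(peer_key)   # absent peer list = any peer; absent ports = any port
    peer_ok = peers is None or any(
        "podSelector" in p and _selects(p["podSelector"], peer_labels) for p in peers)
    ports = rule.get("ports")
    port_ok = ports is None or any(p["port"] == port and p["protocol"] == protocol for p in ports)
    return peer_ok and port_ok


def flow_allowed(policies, src_labels, dst_labels, port, protocol="TCP"):
    """A flow between two pods in the namespace succeeds only if the source's egress AND
    the destination's ingress are each permitted by at least one policy (allows are
    unioned). Assumes the default-deny policy is present so every pod is isolated;
    namespaceSelector and ipBlock peers are ignored for brevity."""
    egress_ok = ingress_ok = False
    for pol in policies:
        spec = pol["spec"]
        if "Egress" in spec["policyTypes"] and _selects(spec["podSelector"], src_labels):
            egress_ok |= any(_rule_matches(r, "to", dst_labels, port, protocol)
                             for r in spec.get("egress", []))
        if "Ingress" in spec["policyTypes"] and _selects(spec["podSelector"], dst_labels):
            ingress_ok |= any(_rule_matches(r, "from", src_labels, port, protocol)
                              for r in spec.get("ingress", []))
    return egress_ok and ingress_ok


if __name__ == "__main__":
    # kubectl apply -f accepts a v1 List holding the policies.
    print(json.dumps({"apiVersion": "v1", "kind": "List", "items": build_policies()}, indent=2))
```

Two points the statements alone do not make obvious: a default-deny that includes Egress also cuts DNS, so the allow for port 53 is not optional, and every permitted flow needs both an egress allow on the client and an ingress allow on the server, which is why each API/database pair produces two objects.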
PBQ-Style Walkthrough
Task: Fix lateral movement risk after a workstation compromise.
Facts:
- Workstations can reach server admin ports.
- Guest Wi-Fi can reach printer and file server VLANs.
- All servers share one flat subnet.
- Domain controllers and databases are in the same segment as test servers.
Best changes:
- Block workstation access to server admin ports except from management jump hosts.
- Restrict guest Wi-Fi to internet-only services.
- Separate critical servers into protected zones.
- Permit only required application flows.
- Log denied east-west traffic to detect scanning.
The exam pattern is usually "least access that still supports the business flow."