Segmentation, VLANs, DMZ, and Microsegmentation
Key Takeaways
- Segmentation limits which systems can communicate and shrinks the blast radius after a single host is compromised.
- A Virtual Local Area Network (VLAN) separates Layer 2 broadcast domains, but inter-VLAN traffic still passes through a router, so an Access Control List (ACL) or firewall must enforce policy.
- A demilitarized zone (DMZ), now called a screened subnet, hosts public-facing services and must never directly contain confidential databases.
- Microsegmentation applies per-workload, identity-aware policy and is the primary defense against east-west (lateral) movement.
- SY0-701 performance-based questions (PBQs) test whether you spot the missing default-deny rule and reject direct public reachability to sensitive tiers.
Why Segmentation Matters on SY0-701
Security+ SY0-701 (90 questions, 90 minutes, passing score 750 on a 100-900 scale) tests segmentation as the structural control that limits lateral movement. The principle is blast-radius reduction: if a phished workstation is compromised, the attacker should not automatically reach domain controllers, databases, or backups. Segmentation directly supports defense in depth and least privilege at the network layer.
Core Segmentation Terms
| Term | Definition | Exam clue |
|---|---|---|
| VLAN | Logical Layer 2 broadcast-domain split, tagged with 802.1Q (12-bit tag, IDs 1-4094) | Separate user, server, voice, guest, and IoT traffic on one switch |
| Subnet | Layer 3 IP network; routing plus ACLs decide reachability | Inter-subnet access is not automatic |
| Screened subnet (DMZ) | Semi-trusted zone for internet-facing services | Public web/mail in front, internal data behind |
| East-west traffic | Server-to-server traffic inside the data center | Lateral-movement and worm-spread concern |
| North-south traffic | Traffic crossing the perimeter to/from the internet | Edge firewall and proxy concern |
| Microsegmentation | Per-workload identity-aware policy, usually software-defined | One app server reaches exactly one database port |
A VLAN by itself is not a security boundary. Two VLANs on the same router with an open routing table can talk freely. Enforcement requires a router ACL, an internal firewall, or a software-defined policy engine. Watch for VLAN hopping attacks: double tagging (forging two 802.1Q tags) and switch spoofing (negotiating a trunk via Dynamic Trunking Protocol). Mitigations: disable DTP, set a dedicated unused native VLAN, and prune unused VLANs from trunks.
Standard Zone Model
| Zone | Typical systems | Allowed inbound |
|---|---|---|
| Internet | External users and attackers | Only published services |
| Screened subnet (DMZ) | Reverse proxy, public web, mail gateway | Internet HTTPS only |
| Application zone | Internal app servers and APIs | Calls from DMZ web tier |
| Data zone | Databases, storage, backups | Approved app or admin paths only |
| User zone | Employee workstations | Business apps, never raw DB admin |
| Management zone | Jump hosts, monitoring, admin tools | Admin protocols to approved targets |
| Guest zone | Visitors, unmanaged devices | Internet only, zero internal access |
Default-Deny ACL Example
Four VLANs: Guest Wi-Fi, user workstations, application servers, and a PostgreSQL database.
| # | Source | Destination | Service | Action | Reason |
|---|---|---|---|---|---|
| 1 | Guest VLAN | Internet | HTTP/HTTPS/DNS | Allow | Guest browsing |
| 2 | Guest VLAN | RFC 1918 ranges | Any | Deny/log | Block internal reach |
| 3 | User VLAN | App VLAN | TCP 443 | Allow | Business app over HTTPS |
| 4 | User VLAN | DB VLAN | Any | Deny/log | No direct DB access |
| 5 | App VLAN | DB VLAN | TCP 5432 | Allow | Required PostgreSQL flow |
| 6 | Any | Any | Any | Deny/log | Implicit default deny |
The rule most PBQs hide is rule 4 or rule 6. If the database should receive traffic only from the app tier, never allow the whole user subnet, and always close with an explicit logged default-deny so denied scans are visible.
DMZ Placement Trap
Public users reach a website; the site queries an internal API; the API holds confidential customer data. Safer placement: reverse proxy in the DMZ, application API in the internal app zone, database in the data zone. Firewall flow: internet to DMZ HTTPS only, DMZ web to app API only, app API to DB port only, deny internet to app and data zones. Trap: putting the database in the DMZ "because the website needs it." The site needs controlled application access to data, not public reachability to the database engine.
Microsegmentation
Microsegmentation narrows policy below the subnet, ideal for virtualized, containerized, and cloud workloads that move constantly. Example policy set:
- Payment API may reach only the payment database on TCP 5432.
- Inventory API may reach only the inventory database on TCP 3306.
- No API may initiate an admin connection to another API.
- The monitoring collector may receive telemetry from all workloads but initiate nothing.
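As an added example (not part of the original study guide), the Python below models a first-match policy evaluator and runs both the six-rule default-deny ACL table above and this microsegmentation policy set through it. The VLAN address ranges, the telemetry port (TCP 4317) and the admin ports (22/3389) are assumptions, and the sample flows are constructed.

```python
import ipaddress
# Constructed addressing for the four ACL VLANs (the page names them only).
ZONES = {
    "Guest VLAN": ipaddress.ip_network("192.168.50.0/24"),
    "User VLAN": ipaddress.ip_network("10.10.0.0/16"),
    "App VLAN": ipaddress.ip_network("10.20.0.0/24"),
    "DB VLAN": ipaddress.ip_network("10.30.0.0/24"),
}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def labels_of(ip):
    """Labels an address carries: its VLAN, 'RFC 1918 ranges' if private, else 'Internet'."""
    addr = ipaddress.ip_address(ip)
    tags = {name for name, net in ZONES.items() if addr in net}
    if any(addr in net for net in RFC1918):
        tags.add("RFC 1918 ranges")
    return tags or {"Internet"}

# Rule = (source label, destination label, services, action). "any" is a wildcard;
# services is a set of (proto, port) pairs, or {"any"}. Order matters: first match wins.
ACL = [
    ("Guest VLAN", "Internet", {("tcp", 80), ("tcp", 443), ("udp", 53)}, "allow"),
    ("Guest VLAN", "RFC 1918 ranges", {"any"}, "deny"),
    ("User VLAN", "App VLAN", {("tcp", 443)}, "allow"),
    ("User VLAN", "DB VLAN", {"any"}, "deny"),
    ("App VLAN", "DB VLAN", {("tcp", 5432)}, "allow"),
    ("any", "any", {"any"}, "deny"),  # rule 6: explicit default deny, logged
]
# Microsegmentation set: workloads carry identity labels instead of addresses.
# Assumed: admin ports 22/3389 for the API-to-API rule, TCP 4317 for telemetry.
MICRO = [
    ("payment-api", "payment-db", {("tcp", 5432)}, "allow"),
    ("inventory-api", "inventory-db", {("tcp", 3306)}, "allow"),
    ("api", "api", {("tcp", 22), ("tcp", 3389)}, "deny"),
    ("any", "monitoring", {("tcp", 4317)}, "allow"),
    ("monitoring", "any", {"any"}, "deny"),  # the collector initiates nothing
    ("any", "any", {"any"}, "deny"),
]

def evaluate(rules, src_labels, dst_labels, proto, port):
    """Return (1-based rule number, action) of the first matching rule; a deny is the log event."""
    for num, (rs, rd, services, action) in enumerate(rules, 1):
        if (rs == "any" or rs in src_labels) and (rd == "any" or rd in dst_labels) \
                and ("any" in services or (proto, port) in services):
            return num, action
    raise ValueError("no rule matched: the rule set lacks a default deny")

def check_ip_flow(src_ip, dst_ip, proto, port):
    """ACL lookup for an IP flow, e.g. a user workstation opening TCP 5432 to the DB VLAN."""
    return evaluate(ACL, labels_of(src_ip), labels_of(dst_ip), proto, port)
```

A user workstation opening TCP 5432 to the database lands on rule 4, an app server doing the same lands on rule 5, and anything else falls through to the logged rule 6, which is exactly the visibility the PBQ wants.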
PBQ Walkthrough: Stop Lateral Movement
Facts: workstations can hit server admin ports; guest Wi-Fi reaches printer and file-server VLANs; all servers sit on one flat subnet alongside test boxes and domain controllers. Best fixes, in order: (1) block workstation access to admin ports except from management jump hosts; (2) restrict guest Wi-Fi to internet-only; (3) split critical servers into protected zones away from test servers; (4) permit only required application flows; (5) log denied east-west traffic to detect scanning. The recurring SY0-701 answer is "least access that still supports the documented business flow."
Physical and Logical Segmentation
Segmentation appears in several forms the exam may name:
- Physical segmentation (air gap): completely separate hardware with no connection, used for critical systems such as industrial control or classified networks. It is the strongest isolation but the least convenient, and attackers may still bridge it with removable media.
- Logical segmentation: VLANs, subnets, and software-defined policy on shared hardware. Cheaper and flexible, but a misconfiguration can collapse the boundary.
- Screened subnet (DMZ): a buffer zone between the internet and the internal LAN, classically built with a single three-legged firewall or two back-to-back firewalls.
- Extranet: a controlled segment shared with partners or suppliers, isolated from the internal core.
- Intranet: internal-only resources never reachable from the internet.
SDN and Zero Trust Influence
Software-defined networking (SDN) separates the control plane (routing decisions) from the data plane (packet forwarding), letting a controller push segmentation policy centrally and instantly. This is what makes microsegmentation practical at scale. It aligns with zero trust, where no traffic is implicitly trusted by location: every flow is authenticated, authorized, and logged through a policy decision point and policy enforcement point.
On SY0-701, if a scenario describes workloads moving across hosts or clouds while policy must follow the workload, the answer trends toward microsegmentation and SDN rather than static subnet ACLs. Remember the goal is always least access that still supports the business flow, applied as close to the workload as the architecture allows.
A guest wireless VLAN should permit internet browsing but no internal access. Which rule set is most appropriate?
Which statements about VLANs and segmentation are correct? Choose two.
A software-defined policy allows the payment API to reach only the payment database on TCP 5432 and forbids API-to-API admin connections. What concept does this best illustrate?