Security Zones — Portions of a network or system that have specific security concerns or requirements. They are used to isolate resources and apply different levels of protection based on risk and purpose.
| Term | Definition |
|---|---|
| Wireless | A network zone that allows wireless connectivity, often separated from wired networks due to increased security risks. |
| Guest | A restricted network zone allowing limited internet access for visitors while isolating them from internal systems. |
| Honeynet | A network segment intentionally designed to attract and analyze malicious activity for threat research. |
| Ad Hoc | A temporary peer-to-peer network created without central infrastructure, typically used for quick device communication. |
| Screened Subnet (DMZ) | A perimeter network between internal systems and the public internet, hosting external-facing services like web or email servers. |
| Intranet | A private internal network accessible only to an organization’s employees. |
| Extranet | A controlled network zone that allows limited access to external partners, vendors, or clients. |
Screened Subnet (DMZ) — Also known as a perimeter network or demilitarized zone, a screened subnet provides an additional layer of protection between an organization’s internal network and the internet.
| Term | Definition |
|---|---|
| Bastion / Sacrificial Host | A hardened server placed in the DMZ designed to withstand attacks while protecting the internal network. |
| Screening Router | A router that filters traffic between networks based on security rules, typically forming part of the perimeter defense. |
| Dual-Homed Gateway | A firewall or proxy server with two network interfaces — one connected to the internal network and one to the external network — providing controlled communication. |
| Screened-Host Gateway | A firewall configuration using a bastion host behind a single screening router to filter inbound and outbound traffic. |
| Two-Firewalled Screened Subnet | A DMZ setup that uses both internal and external firewalls for stronger segmentation and layered defense. |
Firewall — A network security device or software application designed to monitor, filter, and control incoming and outgoing traffic based on predetermined security rules.
| Term | Definition |
|---|---|
| Host-Based Firewall | Software-based firewall installed on an endpoint to protect it from local and network-based threats. |
| Network-Based Firewall | Hardware or virtual appliance that monitors and filters traffic at the network perimeter. |
| Web Application Firewall (WAF) | Protects web applications by filtering and monitoring HTTP traffic for threats like SQL injection or XSS. |
| Next-Generation Firewall (NGFW) | Integrates deep packet inspection, intrusion prevention, and application awareness into one device. |
| Unified Threat Management (UTM) | Combines multiple security functions (firewall, antivirus, IDS/IPS, etc.) into a single appliance. |
| Stateless Firewall | Evaluates packets independently without considering previous traffic patterns. |
| Stateful Firewall | Tracks active connections and determines whether packets are part of a valid session. |
| Layer 4 Firewall | Filters traffic based on transport layer information such as TCP/UDP ports. |
| Layer 7 Firewall | Filters traffic based on application-level data such as HTTP requests or DNS queries. |
Firewall Rules:
Lists of allow/deny statements used to enforce security policies, ensuring only authorized traffic passes through.
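To make the screened-subnet and firewall definitions above concrete, here is a small zone-aware packet filter, added as an example for this page (it is not code from the page's author or from any firewall product). It models the two-firewall screened subnet as three zones (internet, DMZ, internal), evaluates an ordered first-match allow/deny ruleset with a default deny, drops WAN-side packets that claim an internal source (the anti-spoofing rule from the device-hardening table), and contrasts stateless evaluation with a stateful connection table. All addresses, ports and host roles are constructed for the demo.

```python
"""Toy zone-aware packet filter (added example, not the page's own code).
Addresses, host roles and ports below are constructed for the demo."""
from dataclasses import dataclass
from typing import Dict, Optional
import ipaddress

# Constructed address plan: anything outside these ranges is "internet".
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}
WEB_SERVER = "192.168.100.10"   # bastion host in the DMZ (constructed)
DB_SERVER = "10.0.5.20"         # internal-only database (constructed)

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool = True      # True for a TCP SYN, i.e. a new connection attempt
    iface: str = "wan"    # interface the packet arrived on

    def key(self):
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reverse_key(self):
        # A reply to a tracked flow has source and destination swapped.
        return (self.dst, self.dport, self.src, self.sport, self.proto)

@dataclass(frozen=True)
class Rule:
    action: str                            # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    src_hosts: Optional[frozenset] = None  # narrow the rule to named hosts

    def matches(self, pkt: Packet) -> bool:
        return ((self.src_zone == "any" or zone_of(pkt.src) == self.src_zone)
                and (self.dst_zone == "any" or zone_of(pkt.dst) == self.dst_zone)
                and (self.proto == "any" or pkt.proto == self.proto)
                and (self.dport is None or pkt.dport == self.dport)
                and (self.src_hosts is None or pkt.src in self.src_hosts))

# First match wins; the final catch-all makes the policy default-deny.
RULES = [
    Rule("allow", "internet", "dmz", "tcp", 443),                            # public HTTPS
    Rule("allow", "dmz", "internal", "tcp", 5432, frozenset({WEB_SERVER})),  # web -> DB only
    Rule("deny"),
]

def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing: WAN-side traffic must not claim an internal or DMZ source."""
    return pkt.iface == "wan" and zone_of(pkt.src) != "internet"

def stateless_decision(pkt: Packet) -> str:
    """Stateless filter: judge each packet on its own against the ruleset."""
    if is_spoofed(pkt):
        return "deny"
    for rule in RULES:
        if rule.matches(pkt):
            return rule.action
    return "deny"

class StatefulFirewall:
    """Stateful filter: remembers allowed sessions so replies pass without a rule."""
    def __init__(self):
        self.connections = set()

    def decide(self, pkt: Packet) -> str:
        if is_spoofed(pkt):
            return "deny"
        if pkt.key() in self.connections or pkt.reverse_key() in self.connections:
            return "allow"   # belongs to an established session
        if not pkt.syn:
            return "deny"    # mid-stream packet with no known session
        action = stateless_decision(pkt)
        if action == "allow":
            self.connections.add(pkt.key())
        return action

def demo() -> Dict[str, str]:
    fw = StatefulFirewall()
    client = "203.0.113.5"  # TEST-NET-3 address standing in for an internet client
    request = Packet(client, WEB_SERVER, "tcp", 51000, 443, syn=True, iface="wan")
    reply = Packet(WEB_SERVER, client, "tcp", 443, 51000, syn=False, iface="dmz")
    return {
        "internet_to_web": fw.decide(request),                                               # allow
        "web_reply_stateful": fw.decide(reply),                                              # allow
        "web_reply_stateless": stateless_decision(reply),                                    # deny
        "web_to_db": fw.decide(Packet(WEB_SERVER, DB_SERVER, "tcp", 40000, 5432, iface="dmz")),  # allow
        "internet_to_db": fw.decide(Packet(client, DB_SERVER, "tcp", 51001, 5432)),          # deny
        "spoofed_wan_source": fw.decide(Packet("10.0.5.1", DB_SERVER, "tcp", 51002, 5432)),  # deny
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The instructive case is the HTTPS reply: the same ruleset denies it under stateless evaluation (no rule allows DMZ-to-internet traffic on an ephemeral port) but allows it statefully, because the firewall remembers the client's original session. The internet-to-database attempt is refused by the default deny even though the database port is reachable from the DMZ, which is the segmentation the screened subnet exists to provide.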
VPN Connection Types:
| Type | Description |
|---|---|
| Host-to-Host | Direct VPN connection between two devices. |
| Site-to-Site | Connects entire networks securely over the internet. |
| Remote-Access | Allows individual users to connect securely to a corporate network from a remote location. |
| Always-On | Automatically maintains a VPN connection at all times for continuous security. |
Tunnel Endpoints: Devices that encrypt and decrypt VPN traffic (e.g., routers, firewalls, or dedicated VPN servers).
Purpose: Secures communications over untrusted networks, such as public Wi-Fi.
Network Access Control (NAC) — Authenticates users and devices before granting access and monitors traffic to ensure compliance with security policies.
| Term | Definition |
|---|---|
| Virtual LAN (VLAN) | Logical segmentation of a switch into multiple networks to improve performance and security. |
| MAC Filtering / Port Security | Limits switch port access to approved MAC addresses, preventing rogue devices from connecting. |
| Port Authentication (802.1X) | Uses RADIUS or similar services to authenticate devices before allowing network access. |
Spanning Tree Protocol (STP) — Provides fault tolerance and prevents network loops by identifying redundant paths between switches.
Port Roles
Port States
| Security Measure | Description |
|---|---|
| Change Factory Defaults | Update default usernames, passwords, and SSIDs immediately. |
| Use Secure Protocols | Prefer SSH, HTTPS, and SNMPv3 instead of Telnet, HTTP, or SNMPv1/2. |
| Implement Physical Security | Prevent unauthorized access to networking hardware. |
| Secure Configuration Files | Back up configs securely and restrict access. |
| Update Firmware | Regularly patch to close known vulnerabilities. |
| Use Anti-Spoofing Rules | Block traffic with illegitimate or private IP source addresses on the WAN side. |
| Access Control Lists (ACLs) | Filter traffic by IP, port, or protocol to enforce security policy. |
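The hardening measures in the table above are easiest to enforce when they can be checked automatically against a saved configuration (which also supports the "Secure Configuration Files" row). The audit below is an added example for this page, not a vendor tool; the sample configurations use Cisco IOS-style syntax as a constructed illustration, and the regular expressions would need adapting to another platform's syntax. Each finding is mapped back to the table row it violates.

```python
"""Audit a network device configuration dump against the hardening table above.
Added example for this page, not a vendor tool. Sample configs are constructed
and use IOS-style syntax purely for illustration."""
import re
from typing import List, Tuple

# Constructed sample: a freshly unboxed edge router that nobody has hardened.
UNHARDENED_CONFIG = """\
hostname edge-rtr-01
enable password cisco
username admin password admin
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet
"""

# Constructed sample: the same device after applying the table's measures.
HARDENED_CONFIG = """\
hostname edge-rtr-01
enable secret <strong-secret-placeholder>
username netops secret <strong-secret-placeholder>
snmp-server group NETOPS v3 priv
ip http secure-server
line vty 0 4
 transport input ssh
"""

# (check id, line pattern, table row it maps to, remediation)
CHECKS: List[Tuple[str, str, str, str]] = [
    ("weak-enable", r"^enable password\b",
     "Change Factory Defaults", "use 'enable secret' with a strong, non-default secret"),
    ("plaintext-user", r"^username \S+ password \S+$",
     "Change Factory Defaults", "remove default accounts; use unique names with 'secret'"),
    ("snmp-v1v2", r"^snmp-server community\b",
     "Use Secure Protocols", "replace community strings with an SNMPv3 authPriv group"),
    ("http-mgmt", r"^ip http server$",
     "Use Secure Protocols", "drop plain HTTP; use 'ip http secure-server' or disable entirely"),
    ("telnet-mgmt", r"^transport input (telnet|all)\b",
     "Use Secure Protocols", "set 'transport input ssh' on every vty line"),
]

def audit(config_text: str) -> List[dict]:
    """Return one finding per matching line; an empty list means the config passes."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()  # IOS indents sub-mode commands such as vty settings
        for check_id, pattern, measure, fix in CHECKS:
            if re.search(pattern, line):
                findings.append({"id": check_id, "line": lineno, "text": line,
                                 "measure": measure, "fix": fix})
    return findings

def finding_ids(config_text: str) -> List[str]:
    return [f["id"] for f in audit(config_text)]

if __name__ == "__main__":
    for f in audit(UNHARDENED_CONFIG):
        print(f"line {f['line']:2} [{f['measure']}] {f['text']!r}: {f['fix']}")
    print("hardened config findings:", audit(HARDENED_CONFIG))
```

Running the audit against the unhardened sample reports five findings (default credentials, plaintext passwords, SNMPv1/2c community strings, HTTP management and Telnet); the hardened sample reports none. In practice the same checks can run against a backed-up configuration on every change so that drift away from the hardened baseline is caught immediately.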
| Layer | Description |
|---|---|
| Physical | Transmission media and hardware (cables, hubs, etc.). |
| Data Link | MAC addressing and VLANs. |
| Network | Routing and logical addressing (IP). |
| Transport | Connection management (TCP/UDP). |
| Session | Establishes and maintains communication sessions. |
| Presentation | Data formatting, encryption, and compression. |
| Application | User-facing protocols (HTTP, SMTP, SMB, FTP, DNS). |
Defense in Depth — A layered security strategy that uses multiple controls to protect systems.